Terraform-aws-eks: Cluster Is Not Getting Created With Public Access False

Created on 29 Jan 2020 · 5 Comments · Source: terraform-aws-modules/terraform-aws-eks

I have issues

When we create a cluster with the options below

cluster_endpoint_public_access = true
cluster_endpoint_private_access = true

it works perfectly fine, but as soon as we change cluster_endpoint_public_access to false, cluster creation does not end.

I'm submitting a...

  • [ ] bug report
  • [ ] feature request
  • support request - read the FAQ first!
  • [ ] kudos, thank you, warm fuzzy

What is the current behavior?

Cluster creation does not finish and prints the messages below:

module.eks.aws_eks_cluster.this[0]: Still creating... [56m27s elapsed]
module.eks.aws_eks_cluster.this[0]: Still creating... [56m37s elapsed]
module.eks.aws_eks_cluster.this[0]: Still creating... [56m47s elapsed]
module.eks.aws_eks_cluster.this[0]: Still creating... [56m57s elapsed]
module.eks.aws_eks_cluster.this[0]: Still creating... [57m7s elapsed]
module.eks.aws_eks_cluster.this[0]: Still creating... [57m23s elapsed]
module.eks.aws_eks_cluster.this[0]: Still creating... [57m33s elapsed]
module.eks.aws_eks_cluster.this[0]: Still creating... [57m43s elapsed]
module.eks.aws_eks_cluster.this[0]: Still creating... [57m53s elapsed]
module.eks.aws_eks_cluster.this[0]: Still creating... [58m3s elapsed]
module.eks.aws_eks_cluster.this[0]: Still creating... [58m19s elapsed]
module.eks.aws_eks_cluster.this[0]: Still creating... [58m29s elapsed]
module.eks.aws_eks_cluster.this[0]: Still creating... [58m39s elapsed]
module.eks.aws_eks_cluster.this[0]: Still creating... [58m49s elapsed]
module.eks.aws_eks_cluster.this[0]: Still creating... [58m59s elapsed]
module.eks.aws_eks_cluster.this[0]: Still creating... [59m9s elapsed]
module.eks.aws_eks_cluster.this[0]: Still creating... [59m25s elapsed]

And when I log in to the AWS Console, it shows the cluster created with the right configuration.

API server endpoint access
  Private access: Enabled
  Public access: Disabled

If this is a bug, how to reproduce? Please include a code sample if relevant.

Use the options below:

cluster_endpoint_public_access = false
cluster_endpoint_private_access = true

What's the expected behavior?

The cluster should be created, or the error(s), if any, should be printed.

All 5 comments

@AmitThakkar where are you running Terraform from? It sounds like you are running Terraform from somewhere that is not inside your VPC. The module checks that cluster creation has succeeded by trying to connect to the api server endpoint, so if it isn't running somewhere that can connect to the private endpoint it will hang forever like you are seeing.

You need to route the API calls Terraform executes with the kubernetes provider via a proxy within the VPC.

Otherwise, if you need to restrict access to the public endpoint, you can also use the cluster_endpoint_public_access_cidrs variable and restrict access to your own network CIDR.

The problem is that the security group that is being associated with the API endpoint does not necessarily allow communication from all sources.

If one wants to restrict access to, for example, sources that are routed via a transit gateway the security group has to allow that, but it is not currently possible to configure additional source CIDR blocks (cf. #605).

Having the same issue. Traced it down to the security groups. We are able to access the K8s endpoint if we add ingress 0.0.0.0/0 to the cluster security group.

By default the cluster security group only allows ingress from workers.

You can work around this by passing cluster_security_group_id.

This issue is resolved with v11.0.0, so closing this.

@carlosreyna-bread Thanks, v11.0.0 has the "cluster_endpoint_private_access_cidrs" parameter, which solves the same problem. Now there is no need for a workaround.
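A configuration that applies the resolution from this thread, added here as an example (it is not from the issue, nor from the module's own documentation): a private-only endpoint whose reachability is pinned with cluster_endpoint_private_access_cidrs, with the pre-v11 workaround of opening the cluster security group to 0.0.0.0/0 shown only in comments as the setting to avoid. The region, cluster version, VPC id, subnet ids and CIDR ranges are constructed placeholders.

```hcl
# Added example for terraform-aws-eks v11.0.0 (Terraform 0.12 syntax).
# All ids, the region, the cluster version and the CIDRs are placeholders.
terraform {
  required_version = ">= 0.12"
}

provider "aws" {
  region = "eu-west-1" # placeholder
}

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "11.0.0"

  cluster_name    = "private-only"
  cluster_version = "1.15"                      # placeholder
  vpc_id          = "vpc-0123456789abcdef0"     # placeholder
  subnets         = [                           # placeholders: private subnets
    "subnet-0123456789abcdef1",
    "subnet-0123456789abcdef2",
  ]

  # Hardened exposure: no public endpoint at all. Terraform (and its kubernetes
  # provider) must then run from, or be proxied through, a network listed below,
  # otherwise the module's post-create connectivity check hangs as this issue shows.
  cluster_endpoint_public_access  = false
  cluster_endpoint_private_access = true

  # The v11.0.0 knob that closed this issue. It replaces the pre-v11 workaround of
  # passing a hand-built cluster_security_group_id whose ingress allowed 0.0.0.0/0,
  # which exposed the API server to every source routable into the VPC rather
  # than only to the workers and the operators who need it.
  cluster_endpoint_private_access_cidrs = [
    "10.0.0.0/16",   # placeholder: VPC where the Terraform/CI runner lives
    "10.200.0.0/22", # placeholder: on-prem range reached via a transit gateway
  ]

  # If a public endpoint is unavoidable, do not leave it open to 0.0.0.0/0;
  # pin it to the operator network instead:
  # cluster_endpoint_public_access       = true
  # cluster_endpoint_public_access_cidrs = ["203.0.113.0/24"] # placeholder office egress
}
```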
