CoreDNS 1.8.3 update requires clusterrole patch

Question

CoreDNS 1.8.3 update requires clusterrole patch

gaba-mlindner opened this issue 4 years ago · 5 comments

I just upgraded my lab EKS cluster (managed by Gruntwork's terraform-aws-eks modules) from 1.19 to 1.20 and ran into some issues with kubergrunt's CoreDNS update.

After the module's provisioner had executed eks sync-core-components .., DNS resolution inside the cluster stopped working and the new CoreDNS pods starting logging errors like:

E0611 10:20:52.181166       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.20.2/tools/cache/reflector.go:167: Failed to watch *v1beta1.EndpointSlice: failed to list *v1beta1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:kube-system:coredns" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope

Quick googling led me to AWS' docs (see step 5):
https://docs.aws.amazon.com/eks/latest/userguide/managing-coredns.html#updating-coredns-add-on

It turns out that the CoreDNS 1.8.3 update requires additional permissions.

Manually patching the system:coredns clusterrole resolved my issues, but I think it would make sense to have kubergrunt handle this kind of thing automatically (since it's already patching the image version and configmap anyways).

versions:
terraform v1.0.0
terragrunt v0.29.2
kubergrunt v0.7.1
terraform-aws-eks v0.41.0

Answer 1 · 2021-06-15T17:10:02.000Z

Thanks for the report! I have opened a PR with the fix: #130

Answer 2 · 2021-06-15T17:42:54.000Z

Looking at the related PR and tests now!

Answer 3 · 2021-06-15T20:47:27.000Z

This is now handled in https://github.com/gruntwork-io/kubergrunt/releases/tag/v0.7.2

Answer 4 · 2021-06-17T10:03:20.000Z

Just FYI, I upgraded another cluster with the v0.7.2 version last night and it worked like a charm without manual intervention. Thanks for the quick fix!

Answer 5 · 2021-06-17T13:59:45.000Z

Thanks for closing the loop!