ibuildthecloud/klum

Fails on EKS


Tried to deploy on EKS and fails.

My environment:

$ k version
Client Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.2", GitCommit:"59603c6e503c87169aea6106f57b9f242f64df89", GitTreeState:"clean", BuildDate:"2020-01-23T14:21:36Z", GoVersion:"go1.13.6", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"14+", GitVersion:"v1.14.9-eks-c0eccc", GitCommit:"c0eccca51d7500bb03b2f163dd8d534ffeb2f7a2", GitTreeState:"clean", BuildDate:"2019-12-22T23:14:11Z", GoVersion:"go1.12.12", Compiler:"gc", Platform:"linux/amd64"}

No pod comes up, due to:

$ kubectl describe rs klum-799bb95cd7
...
   True    FailedCreate
Events:
  Type     Reason        Age               From                   Message
  ----     ------        ----              ----                   -------
  Warning  FailedCreate  2s (x4 over 29s)  replicaset-controller  Error creating: No API token found for service account "klum", retry after the token is automatically created and added to the service account

Great stuff, can't wait to use it. Thanks and KUTGW!

Crazy.... why wouldn't there be a token automatically created? Is this just a vanilla EKS cluster or do you have some other security products/configuration applied that would prevent tokens from being issued?

Nah, it's a vanilla one. Wondering, could it be that there is a CRD missing?

How are you doing auth? kube2iam, kiam, or aws IAM

Also, are you pulling the token? kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep eks-admin | awk '{print $1}') is from https://docs.aws.amazon.com/eks/latest/userguide/dashboard-tutorial.html

I'll be interested to see if it's an auth or pulling the token issue

Hi @kenlavoie thanks for chiming in!

> How are you doing auth?

This is a vanilla EKS cluster so using the default aws-iam-authenticator.

> kube2iam, kiam, or aws IAM

It was provisioned using eksctl and is IRSA-enabled. I don't see how this may be related since I don't see any pod-level privileges assigned, but anyways, IRSA is available in the cluster.

> Also, are you pulling the token?

What exactly do you mean by "pulling the token"?

FWIW, executing kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep eks-admin | awk '{print $1}') results in a long list of secrets which I will, for obvious reasons, not share here.