Karpenter failed to launch new EC2 instances because the controller IAM policy lacks support for China regions
Monster-Zhu opened this issue · 3 comments
Description
Karpenter failed to launch new EC2 instances in China regions because "ec2.amazonaws.com.cn" is missing (different from Rest-of-World regions, which use "ec2.amazonaws.com") in the AllowPassingInstanceRole IAM policy statements:
- https://github.com/terraform-aws-modules/terraform-aws-eks/blob/v20.26.0/modules/karpenter/policy.tf#L198
- https://github.com/terraform-aws-modules/terraform-aws-eks/blob/v20.26.0/modules/karpenter/policy.tf#L587
Manually adding the "ec2.amazonaws.com.cn" item to the condition values list solved the problem.
- ✋ I have searched the open/closed issues and my issue is not listed.
Versions
- Module version [Required]: 20.26.0
- Terraform version: 1.5.7
- Provider version(s):
- provider registry.terraform.io/cloudposse/utils v1.26.0
- provider registry.terraform.io/gavinbunney/kubectl v1.14.0
- provider registry.terraform.io/hashicorp/aws v5.72.1
- provider registry.terraform.io/hashicorp/cloudinit v2.3.5
- provider registry.terraform.io/hashicorp/helm v2.16.1
- provider registry.terraform.io/hashicorp/kubernetes v2.33.0
- provider registry.terraform.io/hashicorp/null v3.2.3
- provider registry.terraform.io/hashicorp/random v3.6.3
- provider registry.terraform.io/hashicorp/time v0.12.1
- provider registry.terraform.io/hashicorp/tls v4.0.6
Reproduction Code [Required]
https://github.com/terraform-aws-modules/terraform-aws-eks/tree/v20.26.0/examples/karpenter
Steps to reproduce the behavior:
- terraform init
- terraform plan
- terraform apply
Expected behavior
Nodes launched successfully.
Actual behavior
No nodes launched by Karpenter.
This issue has been resolved in version 20.26.1 🎉
I tested 20.26.1 in an AWS CN region; unfortunately, it failed. It only works when "ec2.amazonaws.com.cn" and "ec2.amazonaws.com" are both included in the AllowPassingInstanceRole statement.
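A check for the condition this thread describes, added here as an example and not code from the terraform-aws-eks module: it lints a rendered IAM policy document for the iam:PassedToService values that iam:PassRole needs in a given partition, using the rest-of-world principal for `aws` and, following the last comment above, both principals for `aws-cn`. The sample policy, account id and node role ARN are constructed placeholders.

```python
import json
import sys

# Service principals iam:PassRole must name per partition: rest-of-world uses
# "ec2.amazonaws.com"; per the last comment in this thread, aws-cn needs both.
REQUIRED_PASSED_TO_SERVICE = {
    "aws": {"ec2.amazonaws.com"},
    "aws-cn": {"ec2.amazonaws.com", "ec2.amazonaws.com.cn"},
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def passrole_gaps(policy: dict, partition: str) -> dict:
    """Map Sid -> set of principals missing from iam:PassedToService for every
    Allow iam:PassRole statement. A statement with no such condition is reported
    with all required principals missing: it is over-broad, not partition-aware."""
    required = REQUIRED_PASSED_TO_SERVICE[partition]
    gaps = {}
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or "iam:PassRole" not in _as_list(st.get("Action", [])):
            continue
        allowed = set()
        for op, keys in st.get("Condition", {}).items():
            # Accept StringEquals/StringLike, including ForAnyValue:/ForAllValues: forms.
            if op.split(":")[-1] in ("StringEquals", "StringLike"):
                allowed.update(_as_list(keys.get("iam:PassedToService", [])))
        missing = required - allowed
        if missing:
            gaps[st.get("Sid", "<no Sid>")] = missing
    return gaps

def sample_policy(*services: str) -> dict:
    """Constructed policy mirroring the AllowPassingInstanceRole statement;
    the node role ARN is a placeholder, not a value taken from the module."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowPassingInstanceRole",
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": "arn:aws-cn:iam::111122223333:role/KarpenterNodeRole-PLACEHOLDER",
        "Condition": {"StringEquals": {"iam:PassedToService": list(services)}},
    }]}

BROKEN_POLICY = sample_policy("ec2.amazonaws.com")                         # as reported
FIXED_POLICY = sample_policy("ec2.amazonaws.com", "ec2.amazonaws.com.cn")  # as patched

if __name__ == "__main__":  # pipe a rendered policy document JSON on stdin
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else BROKEN_POLICY
    print({sid: sorted(m) for sid, m in passrole_gaps(doc, "aws-cn").items()})
```

Run it against the policy document the module renders (for example from `terraform show -json`) with the partition you deploy to; an empty result means every PassRole statement names the principals that partition needs.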