fix(eks): policy does not exist or is not attachable in China and GovCloud regions #25170
Conversation
github-actions
bot
added
bug
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
| f"helm registry login --username AWS --password-stdin {public_registry['registry']}; helm pull {repository} --version {version} --untar" | ||
| ] | ||
| else: | ||
| cmnd = [f"helm pull {repository} --version {version} --untar"] |
There was a problem hiding this comment.
So running helm registry login isn't necessary then? Do you know why we run it in the normal flow? is it because of service quotas?
| @@ -1494,6 +1495,11 @@ const cluster = new eks.Cluster(this, 'Cluster', { | |||
| }); | |||
| ``` | |||
|
|
|||
| ## Working with ECR Public | |||
There was a problem hiding this comment.
Feels like this should be in the Helm Charts section.
| import { Token } from '../../../core'; | ||
| import { RegionInfo } from '../../../region-info'; | ||
|
|
||
| export function EcrPublicAvailable(region: any): boolean { |
There was a problem hiding this comment.
| export function EcrPublicAvailable(region: any): boolean { | |
| export function ecrPublicAvailable(region: any): boolean { |
There was a problem hiding this comment.
Also move this function to the kubectl-provider.ts file.
| @@ -0,0 +1,17 @@ | |||
| import { EcrPublicAvailable } from '../lib/private/service-available'; | |||
|
|
|||
| describe('EcrPublicAvailable', () => { | |||
There was a problem hiding this comment.
This is why you had to export the EcrPublicAvailable function, even though it is clearly private. Instead unit testing the function, just test that the result of the function is what you expect. That is, instantiate a cluster in a specific region, and assert that the environment of the handler is correct, and that the policy doe / doesn't exist.
| @@ -56,6 +56,7 @@ export async function main(): Promise<void> { | |||
| registerFact(region, 'DOMAIN_SUFFIX', domainSuffix); | |||
|
|
|||
| registerFact(region, 'CDK_METADATA_RESOURCE_AVAILABLE', AWS_CDK_METADATA.has(region) ? 'YES' : 'NO'); | |||
| registerFact(region, 'ECR_PUBLIC_AVAILABLE', partition === 'aws' ? 'YES' : 'NO'); | |||
There was a problem hiding this comment.
Did you consider using the AWS::Partition pseudo param in conjunction with Fn::If to make this more environment agnostic? its a bummer the user must specify a region in the stack in order to get this functionality.
| * Whether Amazon ECR Public is available in this region or not. | ||
| */ | ||
| public get ecrPublicAvailable(): boolean { | ||
| return Fact.find(this.name, FactName.ECR_PUBLIC_AVAILABLE) === 'YES'; |
There was a problem hiding this comment.
So this would mean if a user doesn't specify a region in the stack, which is the common case, we now change the behavior and remove the policy and remove the ecr authorization - this might have a some implications no? We should default to the common case, and make the user "work" a little harder for the uncommon one.
pahud
force-pushed
the
fix-eks-policy-not-exist
branch
from
27753ad to
d8267b7
Compare
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
|
The pull request linter fails with the following errors: PRs must pass status checks before we can provide a meaningful review. If you would like to request an exemption from the status checks or clarification on feedback, please leave a comment on this PR containing |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
…Cloud regions (#25215) Reopening this PR because #25170 was closed by accident. As ECR Public is not available in China regions and GovCloud, `AmazonElasticContainerRegistryPublicReadOnly` IAM managed policy would not be available in those affected regions and should not be attached to the role. This PR implements a CfnCondition to determine if ECR public is available based on `Aws.Partition` of the deploying region and conditionally attach `AmazonElasticContainerRegistryPublicReadOnly` to the kubectl-provider handler role. This PR has been tested in the following regions: - [x] *cn-north-1 - [x] *cn-northwest-1 - [x] us-east-1 * I can confirm the role is created correctly in cn regions but due to - #24358 - #24696 The cluster and nodegroup are still failing to create in CN. Closes #24743 #24808 #25178
Reopening this PR and closing the previous one.
As ECR Public is not available in China regions and GovCloud,
AmazonElasticContainerRegistryPublicReadOnlyIAM managed policy would not be available in those affected regions and should not be attached to the role. This PR implements a RegionInfo method to determine if ECR public is available in the deploying region and conditionally attachAmazonElasticContainerRegistryPublicReadOnlyto the role. If region can't be determined in synth time, we assume ECR Public is not available to avoid potential failure.Closes #24743 #24808 #25178
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license