Describe the bug
When importing an existing EKS cluster into the stack with eks.Cluster.FromClusterAttributes, the KubectlLambdaRole property is ignored, and it uses the default lambda execution role instead. It works fine if you create the cluster with CDK instead.
Expected Behavior
The lambda that is created as part of methods like .AddServiceAccount should execute with the role specified in KubectlLambdaRole.
Current Behavior
It creates and executes with a new role instead.
Reproduction Steps
Add a service account to an imported EKS cluster:
```csharp
var eks = Cluster.FromClusterAttributes(this, "EKS", new ClusterAttributes {
    Vpc = vpc,
    ClusterName = "/* cluster name */",
    SecurityGroupIds = new[] { "/* security group ID */" },
    OpenIdConnectProvider = /* open ID connect provider */,
    KubectlLambdaRole = Role.FromRoleArn(this, "KubectlLambdaRole", "/* role to execute the lambda with */"),
    KubectlRoleArn = "/* ARN of a role assumable by KubectlLambdaRole */"
});
eks.AddServiceAccount("TestServiceAccount", new ServiceAccountOptions {
    Name = "test-service-account"
});
```
Find the onEvent handler lambda created by the stack, and fetch its configuration:
```shell
aws lambda get-function-configuration --function-name <function name>
```
The lambda's Role will be set to a role created by CDK, instead of the one you specified in KubectlLambdaRole.
Possible Solution
Add the missing `this.kubectlLambdaRole = props.kubectlLambdaRole` assignment to the `ImportedCluster` constructor here (aws-cdk/packages/@aws-cdk/aws-eks/lib/cluster.ts, line 2057 in 10f5ede):

```typescript
constructor(scope: Construct, id: string, private readonly props: ClusterAttributes) {
```
Additional Information/Context
No response
CDK CLI Version
2.20.0 (build 738ef49)
Framework Version
No response
Node.js Version
v16.14.0
OS
Windows 10
Language
.NET
Language Version
No response
Other information
A possible work-around for the problem is to add this at the end of your stack, i.e. after the call to `.AddServiceAccount` (the lambda doesn't get created until you do so):

```csharp
((CfnFunction)Node.FindAll()
    .Single(n => n.Node.Path.EndsWith("KubectlProvider/Handler")).Node.DefaultChild!)
    .AddPropertyOverride("Role", /* ARN of role to execute the lambda with */);
```