[Bug] update-aws-node breaks aws-node daemonset

[reganmcdonalds4]

What were you trying to accomplish?

Update aws-node using eksctl utils update-aws-node

What happened?

aws-node pods are unable to start:

NAME                              READY   STATUS                       RESTARTS   AGE
aws-node-8gtcl                    0/1     CreateContainerConfigError   0          5s

It is configured to run as non-root, but the image will run as root:

Error: container has runAsNonRoot and image will run as root (pod: "aws-node-8gtcl_kube-system(0b5691cd-dca7-40f1-af36-d232baf1c155)", container: aws-node)

How to reproduce it?

Install eksctl version 0.122.0 and run:
eksctl utils update-aws-node --cluster <cluster name> --approve

Logs

eksctl utils update-aws-node --cluster <cluster name> --approve
2022-12-12 16:19:04 [ℹ]  skipped existing "kube-system:ServiceAccount/aws-node"
2022-12-12 16:19:04 [ℹ]  replaced "CustomResourceDefinition.apiextensions.k8s.io/eniconfigs.crd.k8s.amazonaws.com"
2022-12-12 16:19:04 [ℹ]  replaced "ClusterRole.rbac.authorization.k8s.io/aws-node"
2022-12-12 16:19:04 [ℹ]  replaced "ClusterRoleBinding.rbac.authorization.k8s.io/aws-node"
2022-12-12 16:19:05 [ℹ]  replaced "kube-system:DaemonSet.apps/aws-node"
2022-12-12 16:19:05 [ℹ]  "aws-node" is now up-to-date

Anything else we need to know?

Using Mac OS with downloaded binary.

Versions

$ eksctl info
eksctl version: 0.122.0
kubectl version: v1.26.0
OS: darwin

[github-actions]

Hello reganmcdonaldS4 👋 Thank you for opening an issue in eksctl project. The team will review the issue and aim to respond within 1-5 business days. Meanwhile, please read about the Contribution and Code of Conduct guidelines here. You can find out more information about eksctl on our website

[kchung-appaegis]

the same issue happen to me.

https://github.com/weaveworks/eksctl/blob/release-0.122/pkg/addons/default/assets/aws-node.yaml#L222

looks like version 122 add two securityContext configs in aws-node container. need to remove these two to make aws-node daemonset work.

[OverStruck]

Why is this closed?
eksctl utils update-aws-node --cluster=<clusterName> breaks aws-node daemonSet due to setting up this:

securityContext:
            capabilities:
              add:
              - NET_ADMIN
            runAsNonRoot: true <----------------------------- causes problem
            allowPrivilegeEscalation: false <----------------- causes problem

It is true that by removing runAsNonRoot & allowPrivilegeEscalation issue is fixed, but this is still a manual step that needs to be taken when updating cluster as suggested in the official guides:

https://eksctl.io/usage/cluster-upgrade/
https://eksctl.io/usage/addon-upgrade/

Can we expect a fix? If not what's the suggested way to upgrade clusters using eksctl?

[OverStruck]

For anyone looking for a quick fix, you can remove the problematic config by patching the daemonSet as follows, using CLI:

#remove allowPrivilegeEscalation: false
kubectl patch ds -n kube-system aws-node --type='json' -p='[{ "op": "remove", "path": "/spec/template/spec/containers/0/securityContext/allowPrivilegeEscalation" }]'

#remove runAsNonRoot: true
kubectl patch ds -n kube-system aws-node --type='json' -p='[{ "op": "remove", "path": "/spec/template/spec/containers/0/securityContext/runAsNonRoot" }]'

[cPu1]

@OverStruck a fix is already out in a release candidate. It will be graduated to a full release this week.

[chuong-dao]

I updated the eksctl version and ran the update below again. It seems to work now.

eksctl utils update-aws-node --cluster=<clusterName>