
Issue in creating self-managed node when authenticationMode is set to CONFIG_MAP only [Bug]  #7695

@uditsidana


What were you trying to accomplish?

Launch self-managed nodes with authenticationMode set to CONFIG_MAP only. For example, Outposts still does not support ACCESS ENTRIES.

What happened?

When the IAM role is not specified explicitly, the CFN stack generated by eksctl (tested with 0.173.0 and later) sets NodeGroupUsesAccessEntry to true. As a result, on a cluster with only CONFIG_MAP as the access method, CFN tries to create an Access Entry and fails with the error "Resource handler returned message: "The cluster's authentication mode must be set to one of [API, API_AND_CONFIG_MAP] to perform this operation.""

How to reproduce it?

eksctl version 0.175.0

  1. Used below config to create a cluster

apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: k8s
  version: "1.27"
  region: eu-central-1

accessConfig:
  bootstrapClusterCreatorAdminPermissions: true
  authenticationMode: CONFIG_MAP

nodeGroups:
  - name: ng-1
    instanceType: m5.large
    desiredCapacity: 1

  2. eksctl create -f <>.yaml

The cluster is created successfully; however, the nodegroup stack fails with "Resource handler returned message: "The cluster's authentication mode must be set to one of [API, API_AND_CONFIG_MAP] to perform this operation.""

Anything else we need to know?

$ eksctl info

eksctl version: 0.175.0
kubectl version: v1.22.15-eks-fb459a0
OS: linux

The workarounds to fix the issue

  1. Create the cluster and the nodegroup in 2 different steps, passing the parameter --update-auth-configmap when creating the nodegroup:

eksctl create cluster -f .yaml

eksctl create nodegroup -f .yaml --update-auth-configmap

  2. Use a pre-existing IAM role for your nodes.
nodeGroups:
  - name: ng-1
    instanceType: m5.large
    iam:
      instanceRoleARN: "arn:aws:iam::XXXXXXXX:role/AmazonEKSNodeRole"
  3. Use version 0.166.0 or earlier of eksctl, as the breaking change comes from here -> 9f81584#diff-8c78bb87fb0d3f76268340075907de232bd48b524e26d4d693f8af64cd97805f
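
A pre-flight check for the condition this report describes, added here as an example (it is not part of the original issue and is not eksctl code). It flags self-managed `nodeGroups` entries that set no `iam.instanceRoleARN` when the config sets `authenticationMode: CONFIG_MAP`. The function names, the `ng-2` entry and the use of PyYAML for loading a file are assumptions made for the example.

```python
import sys

# Constructed sample: the ClusterConfig from the report, parsed into a dict,
# plus a hypothetical second nodegroup (ng-2) that uses the pre-existing-role workaround.
SAMPLE = {
    "apiVersion": "eksctl.io/v1alpha5",
    "kind": "ClusterConfig",
    "metadata": {"name": "k8s", "version": "1.27", "region": "eu-central-1"},
    "accessConfig": {
        "bootstrapClusterCreatorAdminPermissions": True,
        "authenticationMode": "CONFIG_MAP",
    },
    "nodeGroups": [
        {"name": "ng-1", "instanceType": "m5.large", "desiredCapacity": 1},
        {"name": "ng-2", "instanceType": "m5.large",
         "iam": {"instanceRoleARN": "arn:aws:iam::XXXXXXXX:role/AmazonEKSNodeRole"}},
    ],
}


def nodegroups_at_risk(cfg):
    """Return names of self-managed nodegroups expected to hit the reported failure."""
    # Only an explicit CONFIG_MAP setting is flagged; defaults are not guessed.
    mode = (cfg.get("accessConfig") or {}).get("authenticationMode")
    if mode != "CONFIG_MAP":
        return []
    at_risk = []
    for ng in cfg.get("nodeGroups") or []:
        # Assumption: only iam.instanceRoleARN (the workaround in the report) counts
        # as an explicitly specified role.
        if not (ng.get("iam") or {}).get("instanceRoleARN"):
            at_risk.append(ng.get("name", "<unnamed>"))
    return at_risk


def load_config(path):
    import yaml  # PyYAML, imported lazily so the check itself has no dependency
    with open(path) as fh:
        return yaml.safe_load(fh) or {}


if __name__ == "__main__":
    cfg = load_config(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    names = nodegroups_at_risk(cfg)
    for name in names:
        print(f"{name}: no iam.instanceRoleARN with authenticationMode CONFIG_MAP; "
              "create it separately with --update-auth-configmap or set a role ARN")
    sys.exit(1 if names else 0)
```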
