add ipv6 support to karpenter&vpc cni addons (mostly IAM permissions issue) #1079
Comments
Note: It seems the VPC CNI can't support this because that interface only allows AWS Managed AddOns, and no AWS Managed Addons (with reasonably restrictive permissions) support IPv6 VPC. The VPC CNI Blueprints Addon would need to be modified to be more flexible and potentially add an inline IAM policy in addition to AWS Managed. Likewise, I found the karpenter addon doesn't seem to allow specifying a custom nodeRole, so it can't be fixed with config. Both cases need a code change to allow karpenter to support IPv6 clusters.
Wait, actually this might work for karpenter. I missed that when I did a Ctrl+F for policy and role; I'll give it another try with InstanceProfile https://github.com/aws-quickstart/cdk-eks-blueprints/blob/main/lib/addons/karpenter/index.ts#L118
Note: Karpenter Addon's implementation details make instance profiles not work (there's an issue ticket for it: #893 (comment)).
Here's a workaround that worked for me:
Describe the feature
I'm using a modified fork of eks blueprints to allow deployment of an ipv6 cluster.
My fork is heavily modified, and uses a lot of hacks to get things to work, so I don't have any code worth contributing upstream.
That said I've been able to test an EKS Blueprints based ipv6 cluster deployed in a dual stack vpc and I can happily inform you that most things work with no significant changes needed.
The only thing that didn't really work out of the box was karpenter on an ipv6 cluster.
It was weird because the Managed Node Groups worked fine, just not karpenter nodes.
I did a compare and contrast and found 1 was missing a permission that the other had.
Once I added the permissions it didn't work until I rebooted the AWS CNI pods, but after updating the IAM permission and rebooting the AWS CNI pods, Karpenter nodes scheduled ipv6 pods correctly, just like managed node group nodes.
If we bake the permissions into the IaC then it should work from the start.
Use Case
This is needed for eks clusters in ipv6 deployed to a pre-existing dualstack vpc.
Without this feature request the managed node groups of an ipv6 eks cluster work, but karpenter-added nodes can't provision pods due to an aws-cni error caused by a lack of IAM permissions.
Proposed Solution
I discovered the role attached to the managed node groups had the following inline IAM policy
I propose:
(That will take a while to implement I'm sure due to bureaucracy, so we should do the following in the mean time.)
Other Information
I also manually patched karpenter's EC2NodeClass. I'm not sure if this was also needed to make it work, but I did notice the karpenter addon yaml generation doesn't allow this to be customized and maybe it should.
Acknowledgements
CDK version used
2.133.0 (build dcc1e75)
EKS Blueprints Version
1.15.1
Node.js Version
v20.17.0
Environment details (OS name and version, etc.)
Mac OS Sonoma 14.6.1
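The "compare and contrast" of the two node roles described above, written up as an added check script that is not part of this issue or of the eks-blueprints project. The issue does not reproduce the inline policy it found, so the required action list here is assumed from AWS's published AmazonEKS_CNI_IPv6_Policy (ec2:AssignIpv6Addresses is the action the IPv6 VPC CNI needs that the IPv4 CNI policy lacks), and both sample policy documents are constructed for illustration.

```python
import fnmatch

# Actions the VPC CNI needs on an IPv6 cluster. Assumption: taken from AWS's
# AmazonEKS_CNI_IPv6_Policy, not from the issue text, which elides the policy.
REQUIRED_IPV6_CNI_ACTIONS = (
    "ec2:AssignIpv6Addresses",
    "ec2:DescribeInstances",
    "ec2:DescribeTags",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeInstanceTypes",
)

# Constructed sample documents standing in for the two node roles compared in
# the issue: the managed node group role grants the IPv6 assign action, the
# Karpenter node role only grants the IPv4 equivalent.
MANAGED_NODE_GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["ec2:AssignIpv6Addresses", "ec2:Describe*"]}],
}
KARPENTER_NODE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["ec2:AssignPrivateIpAddresses", "ec2:Describe*"]}],
}


def _statements(policy):
    # "Statement" may be a single object or a list.
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _actions(stmt):
    # "Action" may be a single string or a list; NotAction statements are ignored here.
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def _matches(action, patterns):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_actions(policy, required=REQUIRED_IPV6_CNI_ACTIONS):
    """Return the required actions this policy does not effectively allow."""
    allow, deny = [], []
    for stmt in _statements(policy):
        (allow if stmt.get("Effect") == "Allow" else deny).extend(_actions(stmt))
    # An explicit Deny wins over any Allow, as in IAM evaluation.
    return sorted(a for a in required if _matches(a, deny) or not _matches(a, allow))
```

Run it against both roles' inline policy documents (for example, fetched with `aws iam get-role-policy`) and the node role that is missing `ec2:AssignIpv6Addresses` is the one whose aws-cni pods will fail to assign IPv6 addresses.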