This message was deleted Pulumi Community #general

Join Slack

This message was deleted.

# general

sparse-intern-71089

08/10/2023, 11:46 PM

This message was deleted.

tall-beard-99429

08/11/2023, 7:10 AM

It looks like you're missing the policies that are needed to allow k8s to interact with EC2

tall-beard-99429

08/11/2023, 7:14 AM

Copy code

const cluster_role = new aws.iam.Role('EKS-Cluster-Role', {
        name: 'EKS-Cluster-Role',
        assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({
            Service: '<http://eks.amazonaws.com|eks.amazonaws.com>',
        }),
    }, {
        provider: Provider(config.requireObject<AwsOrganizationConfiguration>('organization').name),
    });

    new aws.iam.RolePolicyAttachment('EKS-Cluster-Role-Policy (AmazonEKSClusterPolicy)', {
        policyArn: aws.iam.ManagedPolicy.AmazonEKSClusterPolicy,
        role: cluster_role.name,
    }, {
        parent: cluster_role,
        dependsOn: cluster_role,
        provider: Provider(config.requireObject<AwsOrganizationConfiguration>('organization').name),
    });

    const worker_role = new aws.iam.Role('EKS-Worker-Role', {
        name: 'EKS-Worker-Role',
        assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({
            Service: '<http://ec2.amazonaws.com|ec2.amazonaws.com>',
        }),
    }, {
        provider: Provider(config.requireObject<AwsOrganizationConfiguration>('organization').name),
    });

    new aws.iam.RolePolicyAttachment(`EKS-Worker-Role-policy (AmazonEKSWorkerNodePolicy)`, {
        policyArn: aws.iam.ManagedPolicy.AmazonEKSWorkerNodePolicy,
        role: worker_role.name,
    }, {
        parent: worker_role,
        dependsOn: worker_role,
        provider: Provider(config.requireObject<AwsOrganizationConfiguration>('organization').name),
    });

    new aws.iam.RolePolicyAttachment(`EKS-Worker-Role-policy (AmazonEKS_CNI_Policy)`, {
        policyArn: aws.iam.ManagedPolicy.AmazonEKS_CNI_Policy,
        role: worker_role.name,
    }, {
        parent: worker_role,
        dependsOn: worker_role,
        provider: Provider(config.requireObject<AwsOrganizationConfiguration>('organization').name),
    });

    new aws.iam.RolePolicyAttachment(`EKS-Worker-Role-policy (AmazonEC2ContainerRegistryReadOnly)`, {
        policyArn: aws.iam.ManagedPolicy.AmazonEC2ContainerRegistryReadOnly,
        role: worker_role.name,
    }, {
        parent: worker_role,
        dependsOn: worker_role,
        provider: Provider(config.requireObject<AwsOrganizationConfiguration>('organization').name),
    });

this is what we have in Typescript

tall-beard-99429

08/11/2023, 7:14 AM

Then on the cluster, we have

roleArn: cluster_role.arn,

tall-beard-99429

08/11/2023, 7:15 AM

and in aws-auth we have

Copy code

{
                    rolearn: worker_role.arn,
                    username: 'system:node:{{EC2PrivateDNSName}}',
                    groups: ['system:nodes', 'system:bootstrappers'],
                },

also

tall-beard-99429

08/11/2023, 7:15 AM

Though i think this might be the default in aws-auth

damp-salesmen-74351

08/11/2023, 5:43 PM

I add roles as

iam.py

and update

cluster.py

for

instance_role

and

role_mappings

but still get same error

no nodes available to schedule pods

tall-beard-99429

08/11/2023, 9:01 PM

If you look in EC2 has it scheduled creating any nodes?

Open in Slack

Previous Next