This message was deleted Pulumi Community #kubernetes

Join Slack

This message was deleted.

# kubernetes

sparse-intern-71089

09/08/2023, 8:57 PM

This message was deleted.

numerous-train-50906

09/08/2023, 8:59 PM

Here is the eks creation code:

Copy code

eks_cluster = eks.Cluster(
    resource_name=cluster_name,
    vpc_id=vpc_id,
    cluster_security_group=cluster_security_group,
    desired_capacity=desired_cluster_size,
    enabled_cluster_log_types=cluster_log_types,
    # Public subnets will be used for load balancers
    public_subnet_ids=public_subnet_ids,
    # Private subnets will be used for worker nodes
    private_subnet_ids=private_subnet_ids,
    # Do not give worker nodes a public IP address
    node_associate_public_ip_address=False,
    # Change configuration values to change any of the following settings
    name=cluster_name,
    skip_default_node_group=True,
    storage_classes={
        storage_class["name"]: storage_class["args"]
        for storage_class in storage_classes
    },
    tags={"Name": f"{name_tag}-eks"},
    version=eks_version,
    # Uncomment the next two lines for private cluster (VPN access required)
    endpoint_private_access=True,
    endpoint_public_access=False
)

billowy-army-68599

09/08/2023, 8:59 PM

yes, but you need to have the ability to contact the API for the kubernetes cluster from where your Pulumi program runs

billowy-army-68599

09/08/2023, 8:59 PM

ie a VPN

billowy-army-68599

09/08/2023, 8:59 PM

it’s really a network problem, rather than a pulumi program 🙂

numerous-train-50906

09/08/2023, 9:00 PM

confirmed, able to access from my laptop:

Copy code

$ telnet <http://a5f09297feecd3b9c32ca.gr7.ca-central-1.eks.amazonaws.com|a5f09297feecd3b9c32ca.gr7.ca-central-1.eks.amazonaws.com> 443
Trying 10.36.2.223...
Connected to <http://a5f09297feecd3b9c32ca.gr7.ca-central-1.eks.amazonaws.com|a5f09297feecd3b9c32ca.gr7.ca-central-1.eks.amazonaws.com>.
Escape character is '^]'.

billowy-army-68599

09/08/2023, 9:01 PM

can you

kubectl

it?

numerous-train-50906

09/08/2023, 9:03 PM

unable to, same issue

Copy code

$ KUBECONFIG=~/.kube/eks-works.yaml kubectl get nodes
Unable to connect to the server: net/http: TLS handshake timeout

billowy-army-68599

09/08/2023, 9:03 PM

do you use a http proxy?

numerous-train-50906

09/08/2023, 9:04 PM

none, that i'm aware. I'm on a company vpn connection though

billowy-army-68599

09/08/2023, 9:04 PM

can you show me

cluster_security_group

definition?

numerous-train-50906

09/08/2023, 9:05 PM

sure, from code or aws_console?

numerous-train-50906

09/08/2023, 9:05 PM

Copy code

def create_security_group(vpc_id: str, sg_name: str) -> aws.ec2.SecurityGroup:
    security_group = aws.ec2.SecurityGroup(
        f"{sg_name}-securityGroup",
        name_prefix=sg_name,
        description="EKS-Cluster-security-group",
        vpc_id=vpc_id,
    )
    security_group.id.apply(
                lambda sg_id: aws.ec2.SecurityGroupRule(
                    f"{sg_id}-https-443",
                    description="allow inbound 443 access from connected networks",
                    type="ingress",
                    from_port=443,
                    to_port=443,
                    protocol="tcp",
                    cidr_blocks=["0.0.0.0/0"],
                    security_group_id=sg_id,
                    opts=pulumi.ResourceOptions(depends_on=[security_group]),
                )
            )
    return security_group


cluster_security_group = create_security_group(vpc_id, f"{name_tag}-cluster-security-group")

billowy-army-68599

09/08/2023, 9:08 PM

hmm 🤔 well, the issue here is that the eks provider uses kubectl to make some changes, and ultimately there’s either a network error or a proxy intercepting. I imagine you’ll get the same response if you try to

curl

the k8s api too. i’d double check your network connectivity (I know the telnet works, so something may be amiss elsewhere)

billowy-army-68599

09/08/2023, 9:09 PM

but it definitely is supported

numerous-train-50906

09/08/2023, 9:11 PM

yeah curl fails too

Copy code

$ curl -k -v <https://a5f09297feecd3b9c32ca.gr7.ca-central-1.eks.amazonaws.com>
*   Trying 10.36.2.223:443...
* Connected to <http://a5f09297feecd3b9c32ca.gr7.ca-central-1.eks.amazonaws.com|a5f09297feecd3b9c32ca.gr7.ca-central-1.eks.amazonaws.com> (10.36.2.223) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: Connection reset by peer in connection to <http://a5f09297feecd3b9c32ca.gr7.ca-central-1.eks.amazonaws.com:443|a5f09297feecd3b9c32ca.gr7.ca-central-1.eks.amazonaws.com:443> 
* Closing connection 0
* TLSv1.0 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, decode error (562):
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to <http://a5f09297feecd3b9c32ca.gr7.ca-central-1.eks.amazonaws.com:443|a5f09297feecd3b9c32ca.gr7.ca-central-1.eks.amazonaws.com:443>

billowy-army-68599

09/08/2023, 9:13 PM

can you check your security group in the console and make sure that rule applied?

numerous-train-50906

09/08/2023, 9:15 PM

looks like they were:

billowy-army-68599

09/08/2023, 9:22 PM

hmm 🤔

numerous-train-50906

09/08/2023, 9:23 PM

i even opened up ephemeral ports (0-65535), based on a colleagues suggestion, but still the issue persists. I'm using a AWS vpn connection, via a transit gateway.

cuddly-computer-18851

09/09/2023, 12:11 AM

Check your NACLs as well, especially if TGW is in play.

numerous-train-50906

09/11/2023, 4:39 PM

@cuddly-computer-18851 - thanks, I did, as I'm able to connect locally via telnet.

numerous-train-50906

09/11/2023, 9:22 PM

Just to close the loop on this issue. It turned out that the network where

pulumi up

was run didn't have full access to the VPN connection.

numerous-train-50906

09/11/2023, 9:23 PM

Thanks jaxxstorm, your hunch was correct.

🎉 1

Open in Slack

Previous Next