# aws
a
Hi all, I’m running pulumi/python
```text
boto3>=1.17.0,<2.0.0
pulumi==3.136.1
pulumi_aws==6.59.1
pulumi_aws_tags==0.9.0
pulumi_eks==3.3.0
```
I’m trying to create a eks cluster with managed node group but I’m getting the following error at runtime
```text
Exception: A managed node group cannot be created without first setting its role in the cluster's instanceRoles
```
In my call to `eks.ManagedNodeGroupArgs` I’m passing `node_role_arn=my-role-arn` already, and I’m creating the ManagedNodeGroupArgs after I create the cluster. In my call to `eks.ClusterArgs`, I’m already passing `instance_roles=[my-role]`. In addition, I’ve added `depends_on=[my-cluster, my-role]` into my call to ManagedNodeGroup. What am I missing?
m
What happens if you pass `node_role=my_cluster.instanceRoles[0]` (or `my_cluster.instanceRole` if you specify `instanceRole` on the cluster) to the managed node group? You can see what exactly the check is that's failing: https://github.com/pulumi/pulumi-eks/blob/master/nodejs/eks/nodegroup.ts#L2043 At first glance, it seems like the error message might be slightly misleading, because the check is a bit more involved than checking whether the role has been added to the cluster resource. If that doesn't help you resolve your problem, please show a complete, minimal code example that reproduces your problem so that others can check and run it.
f
checking out the managednodegroup example might be instructive as well: https://github.com/pulumi/pulumi-eks/blob/master/examples/managed-nodegroups-py/__main__.py
m
This looks like you're providing an invalid netmask, this is unlikely to be an error within your Pulumi code.
Just showing error messages is unlikely to get you feedback here, because you leave us guessing. I suggest you start with a simple example (such as the one Robert linked) and build up to more complexity from there. Then you also have some more generic code that reproduces your error that you can paste here without revealing company internals.
(It's not cool to delete questions and posts in a Slack discussion after others have responded btw. Now, others with the same problem won't be able to learn from what you discovered.)
c
I just did not notice I was in a thread because of the Slack UI. I reposted in the main thread
a
Follow up - I was able to create a simple program which works. Is there a way to see that the node role is set in the cluster’s instance roles via the AWS EKS console UI?
m
I think this check is performed on the Pulumi EKS side. It looks up the instanceRoles in the cluster and tries to find the desired nodegroup role's ARN in the list: https://github.com/pulumi/pulumi-eks/blob/master/nodejs/eks/nodegroup.ts#L2028 To see the instance roles "registered" with the EKS cluster resource, you can export `mycluster.core.instanceRoles` and/or `mycluster.core.instanceRoles.apply(lambda role: role.arn)` as stack outputs, that's probably the easiest way.
(I don't think the concept of a node role "registered" with a cluster even exists in EKS. You can define default node roles etc. of course, but I think you can pick any role with the managed AmazonEKSWorkerNodePolicy and AmazonEC2ContainerRegistryPullOnly or an equivalent custom policy attached: https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html)
a
Man, I’m stumped, and I understand it’s difficult to help without all the info. I appreciate the help and tips provided so far, thank you! If I could, I’ll just post here as a sounding board, or in case there are any more ideas… Here’s where I’m at. In my simple sample, I’m able to create the cluster role and node role and pass them as a list to the cluster args “instance_roles” list parameter, and the cluster and managed node group get created, as expected. I used pulumi.export and exported `cluster.core.instance_roles` to see what it looks like. In our actual code with business logic, I’m doing what looks to be the same thing as described above, but the managed node group does not get created due to the mentioned error,
```text
Exception: A managed node group cannot be created without first setting its role in the cluster's instanceRoles
```
I also exported `cluster.core.instance_roles` and the two match. sad panda
m
If it helps, I can relate to that feeling. Have you investigated the other half of the check? The one that looks at the access configuration? https://github.com/pulumi/pulumi-eks/blob/master/nodejs/eks/nodegroup.ts#L2043
You could also run the check standalone in your code, to see whether `nodegroupRole` is truthy. This is self-contained as far as I can see and you should easily be able to translate it to Python:
```typescript
import * as pulumi from "@pulumi/pulumi";

// `core` (the cluster's core data, including instanceRoles) and `roleArn`
// (the node group's role ARN) come from the enclosing function in pulumi-eks's nodegroup.ts.
const nodegroupRole = pulumi.all([core.instanceRoles, roleArn]).apply(([roles, rArn]) => {
    // Map out the ARNs of all of the instanceRoles. Note that the roles array may be undefined if
    // unspecified by the Pulumi program.
    const roleArns: pulumi.Output<string>[] = roles ? roles.map((role) => role.arn) : [];

    // Try finding the nodeRole in the ARNs array.
    return pulumi.all([roleArns, rArn]).apply(([arns, arn]) => {
        return arns.find((a) => a === arn);
    });
});
```
a
Oh, right, no. So I should check `cluster.access_config.authentication_mode`? Sorry I’m not too familiar with typescript/javascript
m
You can implement that yourself as well, or just export the value of `core.cluster.accessConfig.authenticationMode` (you already mentioned the Python variant) and look at it
a
Thanks for the suggestions, will look into them
m
The good thing is that one of the two checks has to be the issue, because unless GitHub's code search is failing me there's no other place in the code the error message could be coming from.
a
🤞
Update - I’m able to create the managed node group! Oh stupid user error! 😆 … Thanks everyone for the help! Separate question. I’m running into an error trying to connect the launch template now and I’m getting this error,
```text
creating EKS Node Group (...): operation error EKS: CreateNodegroup, https response error StatusCode: 400...InvalidRequestException: You do not have access to a default security group in VPC ... Specify a security group, and try again.
```
How do I search for the error to debug? I tried searching for “Specify a security group, and try again.” or “You do not have access to a default security group” in pulumi_eks and pulumi_aws and it returned 0 hits in code.
m
I think this error is generated outside of Pulumi. A cursory Google search suggests that this problem occurs in VPCs shared across accounts, where the default security group sits in a different account than the one you're using the VPC from (relevant EKS feature request). Did you specify a dedicated node security group in the launch template? In general, it's advisable to create a specific SG and not use the default SG for resources (see the AWS docs.)
a
I did not, I’m trying to port code which someone else has done. When we create the launch template we just specify the instance_type, block_device_mappings, metadata_options, user_data, tags, and tag_specifications. The vpc which I’m passing is NOT the default vpc … Thanks for looking into it, pulling out the shovel now 😆