if you modify it via the roleMappings available in...
# generalo
orange-tailor-85423
01/16/2019, 4:50 PMif you modify it via the roleMappings available in the eks.Cluster creation it updates the cluster and all kinds of dependent objects that will cause breaking changes
w
white-balloon-205
01/16/2019, 4:52 PM
cc @microscopic-florist-22719 for thoughts on this. We were talking about this general space yesterday. I haven't yet had a chance to understand whether this is a fundamental EKS thing, or something about how
@pulumi/eksroleMappingso
orange-tailor-85423
01/16/2019, 4:52 PMman it's really bad. I'm realizing how good GKE is now
w
white-balloon-205
01/16/2019, 4:52 PM
🙂
o
orange-tailor-85423
01/16/2019, 4:52 PMI'm going to have to figure out how to dynamically build and apply that configmap
w
white-balloon-205
01/16/2019, 4:53 PM
I think there is a chance that this is actually something we'll be able to improve in the
@pulumi/eksaws.eks.Clustero
orange-tailor-85423
01/16/2019, 4:55 PMok
orange-tailor-85423
01/16/2019, 4:56 PMhappy to work with anybody or get thoughts from the community on how they are handling this
orange-tailor-85423
01/16/2019, 5:04 PMlooks like it changes the output of the provider object and many things depend on that so it wants to update them
m
microscopic-florist-22719
01/16/2019, 6:14 PM
@orange-tailor-85423 can you elaborate a bit more on what you're seeing? Assuming you're using
@pulumi/ekso
orange-tailor-85423
01/16/2019, 6:26 PMso here's the roleMapping section from when the cluster gets stood up
orange-tailor-85423
01/16/2019, 6:26 PMroleMappings: [
{
roleArn: identityStack.getOutput("infrastructureManagementRoleArn"),
username: identityStack.getOutput("infrastructureManagementRoleArn"),
groups: ["system:masters"]
},
{
roleArn: identityStack.getOutput("applicationManagementRoleArn"),
username: identityStack.getOutput("applicationManagementRoleArn"),
groups: ["system:masters"]
},
orange-tailor-85423
01/16/2019, 6:27 PMshould I not be using the roleMappings to work with mapping developer/admin/dba to AWS IAM?
orange-tailor-85423
01/16/2019, 6:28 PMsubsequent objects leverage the cluster.provider:
orange-tailor-85423
01/16/2019, 6:28 PMso when the cluster changes, things that use that provider get replaced
orange-tailor-85423
01/16/2019, 6:31 PMI guess fundamentally after understanding IAM/RBAC in GCP I'm back to square one with AWS/EKS
m
microscopic-florist-22719
01/16/2019, 6:40 PM
so when the cluster changes, things that use that provider get replacedThis is the part that surprises me
microscopic-florist-22719
01/16/2019, 6:40 PM
The provider itself shouldn't be affected by the changes to the role mappings
microscopic-florist-22719
01/16/2019, 6:40 PM
Do you have an example diff?
microscopic-florist-22719
01/16/2019, 6:40 PM
(i.e. the output from a
pulumi previewo
orange-tailor-85423
01/16/2019, 6:40 PMsure
orange-tailor-85423
01/16/2019, 6:40 PMtearing down my cluster and rebuilding - will follow up
m
microscopic-florist-22719
01/16/2019, 6:40 PM
Also, what does
pulumi versiono
orange-tailor-85423
01/16/2019, 6:41 PMwill build it "as-is" - then add in my changes
m
microscopic-florist-22719
01/16/2019, 6:45 PM
thanks! 🙂
o
orange-tailor-85423
01/16/2019, 6:46 PMsorry for all the hassle
m
microscopic-florist-22719
01/16/2019, 6:47 PM
no worries--making EKS clusters easier to manage is something we care pretty deeply about
o
orange-tailor-85423
01/16/2019, 7:18 PM@microscopic-florist-22719 so I have my cluster- builds fine
orange-tailor-85423
01/16/2019, 7:18 PMhas some roleArn in roleMappings and some userMappings
orange-tailor-85423
01/16/2019, 7:18 PMupdate the roleMappings section with a new mapping:
orange-tailor-85423
01/16/2019, 7:19 PM{
roleArn: "arnawsiam:630000000674role/k8s.mb.developer",
username: "k8s.mb.developer:{{AccountID}}{{SessionName}}",
groups: ["k8s.mb.developer"]
}
orange-tailor-85423
01/16/2019, 7:19 PMrun preview
orange-tailor-85423
01/16/2019, 7:19 PM❯ pulumi preview
Previewing update (MINDBODY-Platform/eks-casey-robertson):
Type Name Plan Info
pulumipulumiStack eks-eks-casey-robertson
>- ├─ pulumipulumiStackReference identityStack read
├─ kuberneteshelm.shChart kube-state-metrics
+- │ ├─ kubernetesextensionsDeployment kube-state-metrics replace [diff: ~provider]
+- │ ├─ kubernetescoreService kube-state-metrics replace [diff: ~provider]
+- │ ├─ kubernetes:rbac.authorization.k8s.io:ClusterRole kube-state-metrics replace [diff: ~provider]
+- │ ├─ kubernetes:rbac.authorization.k8s.io:ClusterRoleBinding kube-state-metrics replace [diff: ~provider]
+- │ └─ kubernetescoreServiceAccount kube-state-metrics replace [diff: ~provider]
+- ├─ kubernetescoreNamespace dev replace [diff: ~provider]
└─ eksindexCluster cluster
+- ├─ pulumiproviderskubernetes cluster-provider replace [diff: ~kubeconfig]
+- ├─ awscloudformationStack cluster-nodes replace
+- └─ kubernetescoreConfigMap cluster-nodeAccess replace [diff: ~data]
Resources:
+-9 to replace
24 unchanged
orange-tailor-85423
01/16/2019, 7:20 PMsince the provider updates all these other things want to get replaced
orange-tailor-85423
01/16/2019, 7:20 PMthat's not good
w
white-balloon-205
01/17/2019, 6:16 AM
Opened https://github.com/pulumi/pulumi-eks/issues/46 to track this - I expect this is something we can improve.
2 Views