Fargate workloads not working on EKS cluster with "EKS API and ConfigMap" auth mode

1

We are in the process of migrating our clusters from the legacy aws-auth ConfigMap to the new API auth mode.

IAM Access Entries have been created for our Fargate profiles and everything appears to be configured properly as far as we can tell. The aws-auth ConfigMap contains one remaining entry, not related to Fargate.

When deploying new pods that should be scheduled on Fargate, they are grabbed by the fargate-scheduler but fail with the message: fargate profile scheduler blocked for new launches due to: Pod execution role is not found in auth config or does not have all required permissions for launching fargate pods.

Based on our understanding, since there are access entries for the fargate profile we should not need to use the aws-auth map.
Have we misunderstood something? Do you have any pointers to what might be misconfigured?

Update: even when recreating the entries in the aws-auth ConfigMap, the same error occurs.

3 Answers
1
Accepted Answer

In the end, this is what worked for us to migrate from a ConfigMap authentication mode to API only without downtime.

With a long delay (days) between each task:

  • update the cluster from CONFIG_MAP to API_AND_CONFIG_MAP (this will create access entries for Fargate and managed node groups), do not touch the ConfigMap content
  • create our own access entries for accounts needing them, still without updating the ConfigMap content
  • switch the cluster to API only
  • delete the aws-auth ConfigMap, as it is no longer needed
NIGo
answered a month ago
EXPERT
reviewed a month ago
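
A pre-flight check for the "switch the cluster to API only" step of the procedure above, as an added example that is not part of the original answer: it lists principals that still exist only in aws-auth and refuses the switch while any remain. The account ID, role names and function names are constructed for illustration, and the check assumes ARNs are written identically in aws-auth and in the access entries.

```shell
#!/bin/sh
# Pre-flight gate for the "switch the cluster to API only" step.
# Sample data below is constructed; account ID and role names are placeholders.
# Live inputs would come from:
#   kubectl -n kube-system get configmap aws-auth -o jsonpath='{.data.mapRoles}'
#   aws eks list-access-entries --cluster-name "$CLUSTER" \
#     --query 'accessEntries[]' --output text | tr '\t' '\n'
#   aws eks describe-cluster --name "$CLUSTER" \
#     --query 'cluster.accessConfig.authenticationMode' --output text
SAMPLE_MAP_ROLES='- rolearn: arn:aws:iam::111122223333:role/fargate-pod-execution
  username: system:node:{{SessionName}}
  groups:
    - system:bootstrappers
    - system:nodes
    - system:node-proxier
- rolearn: arn:aws:iam::111122223333:role/ci-deployer
  username: ci
  groups:
    - system:masters'
SAMPLE_ACCESS_ENTRIES='arn:aws:iam::111122223333:role/fargate-pod-execution
arn:aws:iam::111122223333:role/node-group-role'

# Print each rolearn/userarn found in aws-auth text ($1) that is absent from
# the newline-separated list of access-entry principal ARNs ($2).
# Assumption: ARNs are spelled identically in both places (exact match).
missing_access_entries() {
  printf '%s\n' "$1" |
    sed -n -e 's/^[[:space:]-]*rolearn:[[:space:]]*//p' \
           -e 's/^[[:space:]-]*userarn:[[:space:]]*//p' |
    tr -d "\"'" | sed 's/[[:space:]]*$//' |
    while IFS= read -r arn; do
      printf '%s\n' "$2" | grep -qxF -- "$arn" || printf '%s\n' "$arn"
    done
}

# Succeed only if the cluster is already in API_AND_CONFIG_MAP mode ($1) and
# every principal in aws-auth ($2) has an access entry ($3).
ready_for_api_only() {
  [ "$1" = "API_AND_CONFIG_MAP" ] || return 1
  [ -z "$(missing_access_entries "$2" "$3")" ]
}

if ready_for_api_only API_AND_CONFIG_MAP "$SAMPLE_MAP_ROLES" "$SAMPLE_ACCESS_ENTRIES"; then
  echo "OK: aws eks update-cluster-config --name \$CLUSTER --access-config authenticationMode=API"
else
  echo "Blocked; principals without an access entry:"
  missing_access_entries "$SAMPLE_MAP_ROLES" "$SAMPLE_ACCESS_ENTRIES"
fi
```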
1

This is not a good answer, but it appears that by deleting and recreating the Fargate profiles, everything starts working again.

NIGo
answered 3 months ago
0

I can confirm the same behavior after recently migrating to access entries. I can also confirm the "workaround" of deleting the Fargate profiles and recreating them works to resolve it, but it is not ideal and may not be possible for all workloads.

Still, thanks to @NIGo for that nudge.

theZMC
answered 3 months ago
