By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Fargate workloads not working on EKS cluster with "EKS API and ConfigMap" auth mode

1

We are in the process to migrate our clusters from the legacy aws-auth ConfigMap to the new API auth mode

IAM Access Entries have been created for our Fargate profiles and everything appears to be configured properly as far as we can tell. The aws-auth ConfigMap contains one remaining entry, not related to fargate

When deploying new pods that should be scheduled on Fargate, they are grabbed by the fargate-scheduler but fail with the message : fargate profile scheduler blocked for new launches due to: Pod execution role is not found in auth config or does not have all required permissions for launching fargate pods.

Based on our understanding, since there are access entries for the fargate profile we should not need to use the aws-auth map.
Have we misunderstood something? Do you have any pointers to what might be misconfigured?

Update: even when recreating the entries in the aws-auth ConfigMap, the same errors occurs

Topics
Security, Identity, & ComplianceServerlessContainers
Tags
AWS Identity and Access ManagementAWS FargateAmazon Elastic Kubernetes Service
Language
English
NIGo
asked a year ago825 views
3 Answers
1
Accepted Answer

In the end, this is what worked for us to migrate from a ConfigMap authentication mode to API only without downtime

With a long delay (days) between each task:

  • update the cluster from CONFIG_MAP to API_AND_CONFIG_MAP (this will create access entries for Fargate and managed node groups), do not touch the ConfigMap content
  • create our own access entries for accounts needing them, still without updating the ConfigMap content
  • switch the cluster to API only
  • delete the aws-auth ConfigMap, as it is no longer needed
NIGo
answered a year ago
profile picture
EXPERT
Oleksii Bebych
reviewed a year ago
profile picture
EXPERT
Giovanni Lauria
reviewed a year ago
1

This is not a good answer, but it appears that by deleting and re-recreating the Fargate profiles, everything starts working again

NIGo
answered a year ago
0

I can confirm the same behavior after recently migrating to access entries. I can also confirm the "workaround" of deleting the fargate profiles and recreating them works to resolve it but it is not ideal and may not be possible for all workloads.

Still, thanks to @NIGo for that nudge.

theZMC
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content