
Problems creating first LoadBalancer in brand-new AWS account #16218

Closed
justinsb opened this issue Jan 4, 2024 · 4 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@justinsb
Member

justinsb commented Jan 4, 2024

/kind bug

@ameukam observed a problem creating services of type LoadBalancer in a brand new AWS account.

In https://storage.googleapis.com/kubernetes-jenkins/logs/ci-aws-kops-eks-pod-identity-sandbox/1742899966826778624/artifacts/cluster-info/kube-system/aws-cloud-controller-manager-sshfn/aws-cloud-controller-manager.log we found this error:

I0104 13:38:18.926043 1 aws_loadbalancer.go:1017] Creating load balancer for deployment-8855/test-rolling-update-with-lb with name: adaa9d6372b254401baef4dd8faeb0d4
E0104 13:38:19.807666 1 controller.go:298] error processing service deployment-8855/test-rolling-update-with-lb (retrying with exponential backoff): failed to ensure load balancer: AccessDenied: User: arn:aws:sts::808842816990:assumed-role/aws-cloud-controller-manager.kube-system.sa.e2e-kops-eks--9pmkdr/1704375497398309729 is not authorized to perform: iam:CreateServiceLinkedRole on resource: arn:aws:iam::808842816990:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing because no identity-based policy allows the iam:CreateServiceLinkedRole action status code: 403, request id: 7edfd319-c55f-4381-9f12-32242008b8f7
I0104 13:38:19.807812 1 event.go:307] "Event occurred" object="deployment-8855/test-rolling-update-with-lb" fieldPath="" kind="Service" apiVersion="v1" type="Warning" reason="SyncLoadBalancerFaile

(Specifically: "no identity-based policy allows the iam:CreateServiceLinkedRole action status code")

@rifelpet pointed out that someone needs to call iam:CreateServiceLinkedRole before we can use ELB (and possibly other services). That could be in our CCM permissions, we could do it from the kOps CLI, or we could require users to do it manually.

@rifelpet also pointed out that CCM and LBC both document the permission as needed:

https://github.com/kubernetes/cloud-provider-aws/blob/65e4f1ac4dbed33744b1e935892417d5c71ae43c/docs/prerequisites.md?plain=1#L77

https://github.com/search?q=repo%3Akubernetes-sigs%2Faws-load-balancer-controller%20CreateServiceLinkedRole&type=code
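As an added illustration (not code from this issue, from kOps or from the cloud-provider-aws project): a least-privilege IAM statement for the permission discussed above, scoped to the ELB service-linked role, together with a small local check that parses the AccessDenied message from the CCM log and tests whether a candidate CCM policy would have covered the denied call. The statement, the ARN pattern and the simplified evaluator are assumptions for this example; the real IAM engine applies further rules (explicit denies, SCPs, permission boundaries) that are not modelled here.

```python
import fnmatch
import re
# Pattern for the AccessDenied text that aws-cloud-controller-manager logged.
DENIED_RE = re.compile(r"is not authorized to perform: (\S+) on resource: (\S+)")

# The denial from the issue's controller.go:298 log line (caller ARN shortened here).
ISSUE_DENIAL = (
    "AccessDenied: User: arn:aws:sts::808842816990:assumed-role/aws-cloud-controller-manager"
    " is not authorized to perform: iam:CreateServiceLinkedRole on resource: arn:aws:iam::"
    "808842816990:role/aws-service-role/elasticloadbalancing.amazonaws.com/"
    "AWSServiceRoleForElasticLoadBalancing because no identity-based policy allows the action"
)

# Assumed least-privilege fix (not kOps' own policy): the CCM may create only the
# ELB service-linked role, because iam:AWSServiceName pins the service principal.
ELB_SLR_STATEMENT = {
    "Effect": "Allow",
    "Action": "iam:CreateServiceLinkedRole",
    "Resource": "arn:aws:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/*",
    "Condition": {"StringEquals": {"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"}},
}

def parse_denied(log_line):
    """Return (action, resource_arn) named in an AccessDenied message, or None."""
    m = DENIED_RE.search(log_line)
    return (m.group(1), m.group(2)) if m else None

def slr_service(resource_arn):
    """Service principal embedded in a service-linked role ARN ('' if not an SLR)."""
    parts = resource_arn.split("/")
    return parts[2] if len(parts) > 2 and parts[1] == "aws-service-role" else ""

def statement_allows(stmt, action, resource):
    """Simplified IAM check: Allow, Action/Resource glob match, AWSServiceName condition."""
    if stmt.get("Effect") != "Allow":
        return False
    as_list = lambda v: v if isinstance(v, list) else [v]  # IAM accepts string or list
    if not any(fnmatch.fnmatchcase(action, a) for a in as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in as_list(stmt["Resource"])):
        return False
    want = stmt.get("Condition", {}).get("StringEquals", {}).get("iam:AWSServiceName")
    return want is None or want == slr_service(resource)

def policy_covers_denial(policy, log_line):
    """True if some statement in the policy would have allowed the denied call."""
    denied = parse_denied(log_line)
    return denied is not None and any(statement_allows(s, *denied) for s in policy["Statement"])
```

Running the check against a policy that only grants elasticloadbalancing:* reproduces the gap the issue describes, while adding ELB_SLR_STATEMENT closes it without granting CreateServiceLinkedRole for every AWS service.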

@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Jan 4, 2024
ameukam added a commit to ameukam/kops that referenced this issue Jan 4, 2024
Attempting to fix:
  - kubernetes#16218

by adding the permission needed for the AWS CCM to create a service-linked role for the elastic lb service.

Signed-off-by: Arnaud Meukam <ameukam@gmail.com>
@ameukam
Member

ameukam commented Jan 5, 2024

Adding the required IAM permission was enough to make the test green.
I think we can close.

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 4, 2024
@ameukam
Member

ameukam commented Apr 4, 2024

/close

@k8s-ci-robot
Contributor

@ameukam: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
