
[BUG][Nodegroup] Deletion of cluster with Spot Managed Nodegroup results in Role deletion error

Open youngjeong46 opened this issue 3 years ago • 3 comments

I tried deleting a cluster with the following managed nodegroups:

```typescript
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as eks from 'aws-cdk-lib/aws-eks';

// Managed nodegroups passed to the blueprint cluster provider
const managedNodeGroups = [
  {
    id: "mng-1",
    minSize: 1,
    maxSize: 5,
    desiredSize: 2,
    amiType: eks.NodegroupAmiType.AL2_X86_64,
    instanceTypes: [new ec2.InstanceType('m5.2xlarge')],
    nodeGroupCapacityType: eks.CapacityType.ON_DEMAND,
  },
  {
    id: "spot-1",
    instanceTypes: [
      new ec2.InstanceType('t2.xlarge'),
      new ec2.InstanceType('t3.xlarge'),
      new ec2.InstanceType('t3.small'),
    ],
    nodeGroupCapacityType: eks.CapacityType.SPOT,
  },
];
```

When deleting the cluster, the IAM Role for the Spot Nodegroup cannot be deleted due to the attached policy AmazonSSMManagedInstanceCore.

youngjeong46, Apr 09 '22 23:04

It is a known issue for all Isengard accounts and occurs due to Account Guardian onboarding and PVRE stacks. The account protection automatically injects the policy into the node group. This change is viewed by CFN as external, hence requiring manual intervention (it prevents deletion). There are two things we can do:

  1. Workaround: add the ssm agent add-on to your stack and it should take care of the issue.
  2. We can apply a shim, which will automatically add the aforementioned policy to the node group role.

Since both of these are specific to Isengard, I suggest we move forward with (1) and create a shim for development purposes, repurposing this issue. Could be a good "start" issue for new contributors.

shapirov103, Apr 11 '22 19:04
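As an added example (not code from the issue or from the cdk-eks-blueprints project), a pre-flight check that models the drift described in the comment above: given each nodegroup role's attached managed policies, it reports the ones the stack template does not own, which are exactly what makes CloudFormation's DeleteRole call fail. It assumes the three managed policies CDK attaches to a managed-nodegroup role by default; the role names and attachment lists are constructed sample data.

```typescript
// Added example: CloudFormation only detaches the managed policies it attached
// itself, so a policy injected out of band (here AmazonSSMManagedInstanceCore,
// added by the account-protection automation) stays on the nodegroup role and
// stack deletion fails on that role.

/** Attached managed-policy ARNs as `aws iam list-attached-role-policies` reports them. */
export interface RoleAttachments {
  roleName: string;
  attachedPolicyArns: string[];
}

/** Assumption: the managed policies CDK attaches to an EKS managed-nodegroup role by default. */
export const TEMPLATE_MANAGED_POLICIES: readonly string[] = [
  "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
  "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
  "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
];

/** Policies on the role that the template did not attach: these block stack deletion. */
export function externalAttachments(
  role: RoleAttachments,
  declared: readonly string[] = TEMPLATE_MANAGED_POLICIES,
): string[] {
  const known = new Set(declared);
  return role.attachedPolicyArns.filter((arn) => !known.has(arn));
}

/**
 * Pre-flight check before `cdk destroy`: maps each role that would fail DeleteRole
 * to the policies causing it. Roles with no external attachments are omitted.
 * Remediation is either to bring the attachment under the template (the SSM agent
 * add-on, or a shim that adds the policy to the role) or to detach it before destroy.
 */
export function deletionBlockers(
  roles: RoleAttachments[],
  declared: readonly string[] = TEMPLATE_MANAGED_POLICIES,
): Map<string, string[]> {
  const blockers = new Map<string, string[]>();
  for (const role of roles) {
    const extra = externalAttachments(role, declared);
    if (extra.length > 0) blockers.set(role.roleName, extra);
  }
  return blockers;
}

// Constructed sample: the on-demand role is clean, the spot role carries the injected policy.
export const SAMPLE_ROLES: RoleAttachments[] = [
  { roleName: "eksblueprintsmng1NodeGroupRole", attachedPolicyArns: [...TEMPLATE_MANAGED_POLICIES] },
  { roleName: "eksblueprintsspot1NodeGroupRole",
    attachedPolicyArns: [...TEMPLATE_MANAGED_POLICIES, "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"] },
];
```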

I am seeing this beyond Isengard and am receiving errors from CloudFormation attempting to delete NodeGroup Roles similar to this: eksblueprinttestingNodegroupeksblueprintsmngngNodeGroupRole26A8E201

ohschmidty, May 10 '22 23:05

@daveschmidt86 if your example was leveraging an account onboarded to the Account Guardian (which is also the case for all (most) Isengard accounts) then this issue will happen. Other than the approach outlined in my previous comment, there is not much we can do atm.

@youngjeong46 please confirm the workaround works. Closing soon.

shapirov103, Jun 17 '22 14:06

This issue has been automatically marked as stale because it has been open 60 days with no activity. Remove the stale label or comment, or this issue will be closed in 10 days.

github-actions[bot], Jul 21 '23 00:07

Issue closed due to inactivity.

github-actions[bot], Sep 19 '23 00:09