eks cluster - InvalidParameterException: Cluster is already at the desired configuration with endpointPrivateAccess: true

Open tomitesh opened this issue 1 year ago • 2 comments

Describe the bug A concise description of what the bug is.

When Cluster is created with publicAccessCIDRs and endpointPublicAccess: true, it syncs successfully but shows terminal condition "InvalidParameterException: Cluster is already at the desired configuration with endpointPrivateAccess: true..."

Steps to reproduce

apiVersion: eks.services.k8s.aws/v1alpha1
kind: Cluster
metadata:
  annotations:
    services.k8s.aws/deletion-policy: delete
  creationTimestamp: "2023-07-24T15:51:28Z"
  finalizers:
  - finalizers.eks.services.k8s.aws/Cluster
  generation: 50
  name: rancher
  namespace: control
  resourceVersion: "49720210"
  uid: c77c4b8e-e4f9-4644-be02-86571a103238
spec:
  kubernetesNetworkConfig:
    ipFamily: ipv4
    serviceIPv4CIDR: 172.20.0.0/16
  logging:
    clusterLogging:
    - enabled: true
      types:
      - api
      - audit
      - authenticator
      - controllerManager
      - scheduler
  name: rancher
  resourcesVPCConfig:
    endpointPrivateAccess: true
    endpointPublicAccess: true
    publicAccessCIDRs:
    - x.x.x.x/32
    - y.y.y.y/32
    securityGroupIDs:
    - sg-1234
    subnetIDs:
    - subnet-a
    - subnet-b
    - subnet-c
  roleARN: arn:aws:iam::12345:role/rancher-eks-cluster
  version: "1.25"
status:
  ackResourceMetadata:
    arn: arn:aws:eks:eu-central-1:12345:cluster/rancher
    ownerAccountID: "12345"
    region: eu-central-1
  certificateAuthority:
    data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvakNDQWVhZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFW********UVORCBDRVJUSUZJQ0FURS0tLS0tCg==
  conditions:
  - lastTransitionTime: "2023-07-25T07:35:35Z"
    status: "True"
    type: ACK.ResourceSynced
  - message: |-
      InvalidParameterException: Cluster is already at the desired configuration with endpointPrivateAccess: true , endpointPublicAccess: true, and Public Endpoint Restrictions: [x.x.x.x/32, y.y.y.y/32]
      {
        RespMetadata: {
          StatusCode: 400,
          RequestID: "5013d72e-cf58-4105-a9ea-783f3834126d"
        },
        ClusterName: "rancher",
        Message_: "Cluster is already at the desired configuration with endpointPrivateAccess: true , endpointPublicAccess: true, and Public Endpoint Restrictions: [x.x.x.x/32, y.y.y.y/32]"
      }
    status: "True"
    type: ACK.Terminal
  createdAt: "2023-07-24T12:43:22Z"
  endpoint: https://xxxxxxxxxxxxxx.yyy.eu-central-1.eks.amazonaws.com
  identity:
    oidc:
      issuer: https://oidc.eks.eu-central-1.amazonaws.com/id/xxxxxxxxxxxxxx
  platformVersion: eks.5
  status: ACTIVE

Expected outcome A concise description of what you expected to happen.

It should not go into a terminal condition if there is no change. It should not throw InvalidParameterException if there is no change.

Environment

  • Kubernetes version 1.25
  • Using EKS (yes/no), if so version? 1.25
  • AWS service targeted (S3, RDS, etc.) EKS

tomitesh avatar Jul 25 '23 08:07 tomitesh

We are also seeing this on Cluster resources with the above config. This prevents further updates to cluster resources like attaching an additional control plane.

kpanic9 avatar Mar 28 '24 03:03 kpanic9

Hi, I just bumped into the same issue. May it be related to the order of the CIDR in the list?

demikl avatar Jun 28 '24 10:06 demikl

@demikl @kpanic9 @tomitesh @vflaux Release v1.4.2 is on the way!

Thank you @vflaux!

a-hilaly avatar Jul 16 '24 18:07 a-hilaly
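
On the question raised in the thread about CIDR order: the following is an added example, not code from the ACK EKS controller or from anyone in this thread. It shows a drift check that treats publicAccessCIDRs as unordered, so a reordered list does not lead to an update call. The type and function names are hypothetical, the CIDRs are constructed documentation-range values, and the page does not confirm that ordering was the cause.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"sort"
	"strings"
)

// EndpointAccess holds the three resourcesVPCConfig fields named in the error.
// Hypothetical type for this example, not the controller's own.
type EndpointAccess struct {
	PrivateAccess, PublicAccess bool
	PublicCIDRs                 []string
}

// cidrKey validates each CIDR, masks host bits and sorts the result, so the
// same networks produce the same key whatever order the list is in.
func cidrKey(cidrs []string) (string, error) {
	keys := make([]string, 0, len(cidrs))
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return "", fmt.Errorf("invalid CIDR %q: %w", c, err)
		}
		keys = append(keys, p.Masked().String())
	}
	sort.Strings(keys)
	return strings.Join(keys, ","), nil
}

// NeedsUpdate reports whether desired and observed differ in meaning.
func NeedsUpdate(desired, observed EndpointAccess) (bool, error) {
	d, errD := cidrKey(desired.PublicCIDRs)
	o, errO := cidrKey(observed.PublicCIDRs)
	if errD != nil || errO != nil {
		return false, errors.Join(errD, errO)
	}
	return desired.PrivateAccess != observed.PrivateAccess ||
		desired.PublicAccess != observed.PublicAccess || d != o, nil
}

func main() {
	// Constructed sample: identical settings, CIDR list in a different order.
	spec := EndpointAccess{true, true, []string{"198.51.100.7/32", "203.0.113.9/32"}}
	live := EndpointAccess{true, true, []string{"203.0.113.9/32", "198.51.100.7/32"}}
	fmt.Println(NeedsUpdate(spec, live)) // prints: false <nil>
}
```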