RDS Instance goes into loop of publicly accessible: true/false after setting `publiclyAccessible: true` in the DBInstance CRD
Describe the bug
I am managing an RDS instance using the rds-controller, and I am trying to make it publicly accessible. When I change the publiclyAccessible attribute to true on the DBInstance CRD following this documentation, the db instance goes into modifying state in the AWS console until it reaches available state and publicly accessible appears as true in the console, but then it goes back into modifying and publicly available appears as false in the console. This repeats in a loop.
I have made sure that the VPC in which the rds instance lives has an internet gateway and that the security group also allows for all traffic.
Steps to reproduce
Create a DBInstance CRD matching the following spec:
```yaml
apiVersion: rds.services.k8s.aws/v1alpha1
kind: DBInstance
metadata:
  annotations:
    services.k8s.aws/deletion-policy: retain
    services.k8s.aws/region: us-east-1
  creationTimestamp: "2024-06-05T15:45:51Z"
  finalizers:
  - finalizers.rds.services.k8s.aws/DBInstance
  generation: 23
  name: test-iam
  namespace: "844966915049"
  resourceVersion: "292621"
  uid: 162e4f79-3395-4aeb-9129-05672fcde802
spec:
  allocatedStorage: 20
  autoMinorVersionUpgrade: true
  backupRetentionPeriod: 14
  caCertificateIdentifier: rds-ca-rsa2048-g1
  copyTagsToSnapshot: false
  dbInstanceClass: db.t4g.micro
  dbInstanceIdentifier: test-iam
  dbSubnetGroupName: test-iam
  deletionProtection: false
  enableIAMDatabaseAuthentication: true
  engine: postgres
  engineVersion: "15.4"
  iops: 3000
  kmsKeyID: arn:aws:kms:us-east-1:844966915049:key/93892898-f2ed-4d0f-a3b1-9f3119b18286
  licenseModel: postgresql-license
  masterUserPassword:
    key: DB_PASS
    name: test-iam-master-password
    namespace: "844966915049"
  masterUsername: postgres
  monitoringInterval: 0
  multiAZ: true
  performanceInsightsEnabled: false
  preferredBackupWindow: 07:29-07:59
  preferredMaintenanceWindow: tue:05:10-tue:05:40
  publiclyAccessible: false
  storageEncrypted: true
  storageThroughput: 125
  storageType: gp3
  vpcSecurityGroupIDs:
  - sg-0d3864b9aab326d26
status:
  ackResourceMetadata:
    arn: arn:aws:rds:us-east-1:844966915049:db:test-iam
    ownerAccountID: "844966915049"
    region: us-east-1
  activityStreamStatus: stopped
  certificateDetails:
    cAIdentifier: rds-ca-rsa2048-g1
    validTill: "2025-06-05T15:48:24Z"
  conditions:
  - lastTransitionTime: "2024-06-05T19:40:13Z"
    status: "False"
    type: ACK.ResourceSynced
  - lastTransitionTime: "2024-06-05T19:40:13Z"
    message: Late initialization successful
    reason: Late initialization successful
    status: "True"
    type: ACK.LateInitialized
  customerOwnedIPEnabled: false
  dbInstancePort: 0
  dbInstanceStatus: modifying
  dbParameterGroups:
  - dbParameterGroupName: default.postgres15
    parameterApplyStatus: in-sync
  dbSubnetGroup:
    dbSubnetGroupDescription: test-iam
    dbSubnetGroupName: test-iam
    subnetGroupStatus: Complete
    subnets:
    - subnetAvailabilityZone:
        name: us-east-1c
      subnetIdentifier: subnet-04f3d46ce6dac8927
      subnetOutpost: {}
      subnetStatus: Active
    - subnetAvailabilityZone:
        name: us-east-1a
      subnetIdentifier: subnet-0faa637fa206fe3f1
      subnetOutpost: {}
      subnetStatus: Active
    - subnetAvailabilityZone:
        name: us-east-1b
      subnetIdentifier: subnet-0dcfc47539c67aa6c
      subnetOutpost: {}
      subnetStatus: Active
    vpcID: vpc-00efa82eb9297e198
  dbiResourceID: db-JYHYBXMBCELQ3ITFWMOXOGDBT4
  endpoint:
    address: test-iam.cqstwvvgbnee.us-east-1.rds.amazonaws.com
    hostedZoneID: Z2R2ITUGPM61AM
    port: 5432
  iamDatabaseAuthenticationEnabled: true
  instanceCreateTime: "2024-06-05T15:49:15Z"
  latestRestorableTime: "2024-06-05T19:34:09Z"
  optionGroupMemberships:
  - optionGroupName: default:postgres-15
    status: in-sync
  pendingModifiedValues: {}
  secondaryAvailabilityZone: us-east-1a
  vpcSecurityGroups:
  - status: active
    vpcSecurityGroupID: sg-0d3864b9aab326d26
```
Set the `publiclyAccessible` attribute to `true`.
Expected outcome
A concise description of what you expected to happen.
The `publiclyAccessible` attribute should remain static.
Environment
- Kubernetes version
- Using EKS (yes/no), if so version?
- AWS service targeted (S3, RDS, etc.)
- RDS