containers-roadmap icon indicating copy to clipboard operation
containers-roadmap copied to clipboard

Published 20 hours ago verified publisher icon aws

EKS request: Track CoreDNS and publish manifests, tags, compatibility matrix

Open StevenACoffman opened this issue 5 years ago • 5 comments

Tell us about your request In EKS, CoreDNS is a default addon. Currently the manifest for CoreDNS lives in lives in an S3 bucket and the container is built to an ECR registry we cannot list, so it is impossible to discover when AWS has blessed a new version for use in EKS. For instance, these directions tell people to: curl -o dns.yaml https://amazon-eks.s3-us-west-2.amazonaws.com/cloudformation/2019-02-11/dns.yaml This manifest points to 602401143452.dkr.ecr.us-east-1.amazonaws.com/eks/coredns:v1.1.3 however I read in a support request that v1.2.2 was the new recommended default.

However, I see that 1.5.0 is out here

Which service(s) is this request for? EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard? Public insight into latest recommended and available CoreDNS for EKS

Are you currently working around this issue? Using upstream CoreDNS and carefully vetting in an otherwise useless ephemeral EKS cluster.

StevenACoffman avatar Apr 24 '19 12:04 StevenACoffman

We have our logs flooded with a coredns error when querying a TXT record that doesn't exist, this has been fixed in pull request 2291 with coredns, but I'm unsure whether the versions implementing that (1.3.0 and above) is safe to use with EKS k8s versions 1.11 and 1.12.

pwdebruin1 avatar Apr 26 '19 08:04 pwdebruin1

This will be partially solved as part of #252

tabern avatar Nov 15 '20 21:11 tabern

Is there any update?

posquit0 avatar Aug 26 '21 07:08 posquit0

I think the real problem here is simply that it's impossible to query any information from the "official" AWS ECR registries like 602401143452.dkr.ecr.us-east-1.amazonaws.com. I'm really confused why we can't just aws ecr describe-repositories --registry-id 602401143452 --repository-name eks/coredns; like, this seems like such an obvious thing to make available.

philomory avatar May 12 '22 02:05 philomory

A few months back I was trying to solve this exact issue, and found a way to handle it (in Terraform) to avoid needing to manage this at all.

First you can create a data object for the managed addon.

data "aws_eks_addon_version" "vpc_cni" {
  addon_name         = "vpc-cni"
  kubernetes_version = 1.27
  most_recent        = true
}

And then supplement that, feeding the value into your addon creation.

resource "aws_eks_addon" "vpc_cni" {
  cluster_name                = aws_eks_cluster.eks.id
  addon_name                  = "vpc-cni"
  resolve_conflicts_on_create = "OVERWRITE"
  resolve_conflicts_on_update = "OVERWRITE"
  addon_version               = data.aws_eks_addon_version.vpc_cni.version
}

I have the kubernetes_version set as a variable and is the same variable that feeds the cluster creation/upgrade, so that when I upgrade clusters, this isn't something I have to even bother paying attention to. All of the managed addons get upgraded during cluster upgrade every time now. Been through 3 cluster upgrades this way. FWIW the data object only returns AWS officially supported versions and so you don't have to consider that either.

bengaywins avatar Apr 24 '24 18:04 bengaywins

@bengaywins you're right, this data is now publicly available via the EKS Add-ons versions metadata API. Additionally, the coreDNS image is listed on ECR Public to see the manifest.

Resolving.

tabern avatar May 04 '24 00:05 tabern