Adjusted install-worker to redirect GovCloud

Open reelieuglie opened this issue 1 year ago • 2 comments

Issue #, if available: 1536

Description of changes:

Currently, the S3 bucket for the kubelet binary in us-gov-west-1 (and us-gov-east-1) returns a 403 - Access Denied HTTP code when attempting to download it, when the binary_bucket_region variable is set to us-gov-west-1 or us-gov-east-1 instead of the default us-west-2.

I added a redirect from us-gov-west-1 and us-gov-east-1 to us-west-2 and us-east-2 respectively.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Step 1 - Adjusted file as noted above and in the diff (line numbers included)

279 # Updating binary_bucket_region variable to redirect from us-gov-west-1 and us-gov-east-1 to us-west-2 and us-east-2 respectively, as the buckets in GovCloud regions is returning Access Denieds
280 # https://github.com/awslabs/amazon-eks-ami/issues/1536
281 elif [ "$BINARY_BUCKET_REGION" = "us-gov-west-1" ]; then
282   BINARY_BUCKET_REGION="us-west-2"
283 elif [ "$BINARY_BUCKET_REGION" = "us-gov-east-1" ]; then
284   BINARY_BUCKET_REGION="us-east-2"

Without Line Numbers:

# Updating binary_bucket_region variable to redirect from us-gov-west-1 and us-gov-east-1 to us-west-2 and us-east-2 respectively, as the buckets in GovCloud regions is returning Access Denieds
# https://github.com/awslabs/amazon-eks-ami/issues/1536
elif [ "$BINARY_BUCKET_REGION" = "us-gov-west-1" ]; then
  BINARY_BUCKET_REGION="us-west-2"
elif [ "$BINARY_BUCKET_REGION" = "us-gov-east-1" ]; then
  BINARY_BUCKET_REGION="us-east-2"
fi
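
Review bot: Both new elif branches overwrite BINARY_BUCKET_REGION without emitting anything, so a build that asked for us-gov-west-1 or us-gov-east-1 downloads its binaries from us-west-2 or us-east-2 with no record of the substitution in the build output. Consider adding an echo in each branch that names the requested and the substituted region, so anyone auditing the AMI build can see which bucket region was actually used. The comment above the branches could read "are returning Access Denied" instead of "is returning Access Denieds", and since it describes a workaround for issue 1536, it is worth stating there that the mapping should be removed once the GovCloud buckets are readable again.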

Step 2 - Change the binary_bucket_region variable in eks-worker-al2-variables.json (example provided assuming that amazon-eks-ami is the current working directory)

sed -i 's/\"binary_bucket_region\": \"us-west-2\"/\"binary_bucket_region\": \"us-gov-west-1\"/g' eks-worker-al2-variables.json 

Step 3 - Built an AMI using packer as noted here: https://aws.amazon.com/blogs/containers/building-amazon-linux-2-cis-benchmark-amis-for-amazon-eks/ Example command:

 make 1.27 aws_region=$AWS_REGION source_ami_id=$AMI_ID source_ami_owners=$AMI_OWNER_ACCOUNT_ID source_ami_filter_name="$AMI_NAME" subnet_id="$SUBNET_ID"

Note: In addition to the variables above, you also need to set kubernetes_version and kubernetes_build_date, as hack/latest-binaries.sh also throws an error in GovCloud. Here are the variables I used:

kubernetes_build_date=2023-11-14
kubernetes_version=1.27.7

See this guide for recommended testing for PRs. Some tests may not apply. Completing tests and providing additional validation steps are not required, but it is recommended and may reduce review time and time to merge.

reelieuglie • Dec 04 '23 16:12