
[Feature] Remove stack name prefix from IAM Role inline policy name created by well-known policy to extend a length of EKS Cluster name

Open jlandowner opened this issue 2 years ago • 1 comment

What feature/behavior/change do you want?

When creating an iamserviceaccount with a well-known policy, the created IAM Role inline policies have the stack name prefix. Actually, an IAM Role inline custom policy does not need the prefix to be unique in the role. My suggestion is to remove the stack name prefix from the IAM Role inline policy name.

The purpose of the prefix seems to be to make the resource unique in the AWS account, but an IAM Role inline policy is fine if it is unique only within that IAM Role's inline policies.

Why do you want this feature?

Currently it limits the cluster name for users, so that the name must be shorter than the cluster name length supported by the EKS API.

I found the cluster name is limited to 24 characters with the AWS Load Balancer Controller well-known policy `awsLoadBalancerController: true`. My cluster is already running, so I cannot change the name and cannot create an iamserviceaccount with it.

As per the AWS API docs, the EKS cluster name supports a max length of 100 characters.

https://docs.aws.amazon.com/eks/latest/APIReference/API_CreateCluster.html#API_CreateCluster_RequestSyntax

Length Constraints: Minimum length of 1. Maximum length of 100.

However, I hit the error of a too-long policy name if the cluster name length is longer than 25.

1 validation error detected: Value 'eksctl-[ClusterName]-addon-iamserviceaccount-kube-system-aws-load-balancer-controller-PolicyAWSLoadBalancerController' at 'policyName' failed to satisfy constraint: Member must have length less than or equal to 128 (Service: AmazonIdentityManagement;

The policy name's max length is 128 characters.

https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html

Length Constraints: Minimum length of 1. Maximum length of 128.

The generated policy name is `eksctl-[ClusterName]-addon-iamserviceaccount-kube-system-aws-load-balancer-controller-PolicyAWSLoadBalancerController`. It takes 104 characters excluding [ClusterName].

The prefix of "PolicyAWSLoadBalancerController" is just the CloudFormation stack name. And almost all users create a service account named aws-load-balancer-controller in the kube-system namespace, so it will be.

So the cluster name can only be 24 characters with the AWS Load Balancer Controller well-known policy. I think that is too short for general use.

Reproduction

eksctl version 0.109.0-rc.0

```yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: my-eksctl-cluster-1-v1-23   # <-- 25-character name
  region: ap-northeast-1

iam:
  withOIDC: true
  serviceAccounts:
  - metadata:
      name: aws-load-balancer-controller
      namespace: kube-system
    wellKnownPolicies:
      awsLoadBalancerController: true
```
```console
$ eksctl create iamserviceaccount -f irsa.yaml --approve
2022-08-14 15:07:46 [ℹ]  1 existing iamserviceaccount(s) (kube-system/aws-node) will be excluded
2022-08-14 15:07:46 [ℹ]  1 iamserviceaccount (kube-system/aws-load-balancer-controller) was included (based on the include/exclude rules)
2022-08-14 15:07:46 [!]  serviceaccounts that exist in Kubernetes will be excluded, use --override-existing-serviceaccounts to override
2022-08-14 15:07:46 [ℹ]  1 task: { 
    2 sequential sub-tasks: { 
        create IAM role for serviceaccount "kube-system/aws-load-balancer-controller",
        create serviceaccount "kube-system/aws-load-balancer-controller",
    } }
2022-08-14 15:07:46 [ℹ]  building iamserviceaccount stack "eksctl-my-eksctl-cluster-1-v1-23-addon-iamserviceaccount-kube-system-aws-load-balancer-controller"
2022-08-14 15:07:46 [ℹ]  deploying stack "eksctl-my-eksctl-cluster-1-v1-23-addon-iamserviceaccount-kube-system-aws-load-balancer-controller"
2022-08-14 15:07:46 [ℹ]  waiting for CloudFormation stack "eksctl-my-eksctl-cluster-1-v1-23-addon-iamserviceaccount-kube-system-aws-load-balancer-controller"
2022-08-14 15:08:16 [ℹ]  waiting for CloudFormation stack "eksctl-my-eksctl-cluster-1-v1-23-addon-iamserviceaccount-kube-system-aws-load-balancer-controller"
2022-08-14 15:08:57 [ℹ]  waiting for CloudFormation stack "eksctl-my-eksctl-cluster-1-v1-23-addon-iamserviceaccount-kube-system-aws-load-balancer-controller"
2022-08-14 15:26:14 [ℹ]  1 error(s) occurred and IAM Role stacks haven't been updated properly, you may wish to check CloudFormation console
2022-08-14 15:26:14 [✖]  waiter state transitioned to Failure

$ aws cloudformation describe-stack-events --stack-name eksctl-my-eksctl-cluster-1-v1-23-addon-iamserviceaccount-kube-system-aws-load-balancer-controller
...
            "EventId": "PolicyAWSLoadBalancerController-CREATE_FAILED-2022-08-14T06:25:17.733Z",
            "StackName": "eksctl-my-eksctl-cluster-1-v1-23-addon-iamserviceaccount-kube-system-aws-load-balancer-controller",
            "LogicalResourceId": "PolicyAWSLoadBalancerController",
            "ResourceType": "AWS::IAM::Policy",
            "ResourceStatus": "CREATE_FAILED",
            "ResourceStatusReason": "1 validation error detected: Value 'eksctl-my-eksctl-cluster-1-v1-23-addon-iamserviceaccount-kube-system-aws-load-balancer-controller-PolicyAWSLoadBalancerController' at 'policyName' failed to satisfy constraint: Member must have length less than or equal to 128 (Service: AmazonIdentityManagement; Status Code: 400; Error Code: ValidationError; Request ID: xxxxxxx; Proxy: null)",
...
```

It will pass if the cluster name is my-eksctl-cluster1-v1-23, 24 characters.

Related issues

https://github.com/weaveworks/eksctl/issues/4242

jlandowner avatar Aug 15 '22 00:08 jlandowner

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Sep 14 '22 02:09 github-actions[bot]

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Oct 15 '22 02:10 github-actions[bot]

This issue was closed because it has been stalled for 5 days with no activity.

github-actions[bot] avatar Oct 21 '22 02:10 github-actions[bot]

The PR #5615 is still waiting for review. Please reopen.

jlandowner avatar Oct 21 '22 03:10 jlandowner

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Nov 22 '22 02:11 github-actions[bot]

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Dec 23 '22 01:12 github-actions[bot]

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Jan 23 '23 01:01 github-actions[bot]

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Feb 23 '23 01:02 github-actions[bot]

This issue was closed because it has been stalled for 5 days with no activity.

github-actions[bot] avatar Feb 28 '23 02:02 github-actions[bot]

Thanks for posting this. It's a shame it got left stale, but at least now I know to limit my eksctl cluster names to 24 characters.

matschaffer-roblox avatar Jun 04 '23 19:06 matschaffer-roblox