eksctl icon indicating copy to clipboard operation
eksctl copied to clipboard
verified publisher icon eksctl-io

`eksctl update addon` with `version: latest` and `useDefaultPodIdentityAssociations` fails

Open cPu1 opened this issue 1 year ago • 6 comments

From a user on Slack:

eksctl update addon fails for this config file:

apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
availabilityZones:
  - us-east-1a
  - us-east-1b
  - us-east-1c
metadata:
  name: cluster-79
  region: us-east-1
  version: "1.28"
addons:
  - name: eks-pod-identity-agent
  - name: aws-ebs-csi-driver
    podIdentityAssociations:
    - serviceAccountName: ebs-csi-controller-sa
      namespace: kube-system
      permissionPolicyARNs: ["arn:aws:iam::XXXXXXXXXXXX:policy/ebs-csi-policy"]
  - name: vpc-cni
    version: latest
    useDefaultPodIdentityAssociations: true

2024-06-18 13:45:07 [ℹ] Kubernetes version "1.28" in use by cluster "cluster-79" 2024-06-18 13:45:08 [ℹ] no new version provided, preserving existing version: v1.2.0-eksbuild.1 2024-06-18 13:45:08 [ℹ] updating addon 2024-06-18 13:45:19 [ℹ] addon "eks-pod-identity-agent" active 2024-06-18 13:45:20 [ℹ] no new version provided, preserving existing version: v1.31.0-eksbuild.1 2024-06-18 13:45:21 [ℹ] updating IAM resources stack "eksctl-cluster-79-addon-aws-ebs-csi-driver-podidentityrole-ebs-csi-controller-sa" for pod identity association "a-xpaah4j4xsvt9af6l" 2024-06-18 13:45:22 [ℹ] waiting for CloudFormation changeset "eksctl-kube-system-ebs-csi-controller-sa-update-1718714721" for stack "eksctl-cluster-79-addon-aws-ebs-csi-driver-podidentityrole-ebs-csi-controller-sa" 2024-06-18 13:45:22 [ℹ] nothing to update 2024-06-18 13:45:22 [ℹ] IAM resources for kube-system/ebs-csi-controller-sa (pod identity association ID: a-xpaah4j4xsvt9af6l) are already up-to-date 2024-06-18 13:45:22 [ℹ] updating addon 2024-06-18 13:46:04 [ℹ] addon "aws-ebs-csi-driver" active

Error: getting recommended policies for addon vpc-cni

eksctl needs to resolve the keyword latest to the latest version before attempting to describe recommended policies for an addon.

cPu1 avatar Jun 18 '24 14:06 cPu1

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Jul 20 '24 01:07 github-actions[bot]

This is also failing on the latest version of eksctl - is there any update on when this can be fixed?

stevejr avatar Oct 18 '24 09:10 stevejr

+1 on running into this issue with eksctl 0.204.0

twarkie avatar Feb 14 '25 12:02 twarkie

Still an issue as of eksctl 0.205.0 when trying to migrate an existing addon from IRSA to Pod Identities.

When running:

eksctl update addon -f config.yaml

with config:

apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: <redacted>

addons:
  - name: vpc-cni
    version: 1.19.3
    useDefaultPodIdentityAssociations: true

Output fails with:

Error: getting recommended policies for addon vpc-cni

Update

Works when using the full version number:

v1.19.3-eksbuild.1 instead of 1.19.3.

Will use this workaround for now.

Loucool111 avatar Mar 13 '25 12:03 Loucool111

Still an issue with eksctl version: 0.208.0-dev

Workaround with full vpc-cni version works for me.

nikitamarchenko avatar Jun 05 '25 10:06 nikitamarchenko

Same issue for EFS CSI addon with eksctl version: 0.215.0 The workaround is also valid in this case. But "latest" must be supported !

bartleboeuf avatar Oct 17 '25 13:10 bartleboeuf