AWS EKS cluster shows no associated resources
Context
When deploying on AWS, I can see resources in my k9s console, but when I log in to EKS and pull up the cluster, no cluster details are shown other than that the cluster is running: no pods, no nodes, no configmaps, etc.
Value and/or benefit
It would be good to monitor the resources from the AWS console.
Anything else?
@satra are you using the same credentials to connect from k9s and from the console? If you're not using the same credentials that were used to deploy the cluster, you might not be able to see some specific resources on the EKS console, such as pods or nodes, unless you add the relevant permission. See https://docs.aws.amazon.com/eks/latest/userguide/view-kubernetes-resources.html
@marcelovilla - our IAM credentials are managed through federated auth. I'll check how to do this. Essentially, I think we are looking to add an account privilege policy to the cluster.
More generally, we tried to have other members of the team, without the same access/secret but with similar privileges, make changes to the running cluster. We had to add this to aws-auth. It would be nice if this could be added to the config in some manner so that multiple admins could have privileges to the cluster.
```yaml
data:
  ...
  mapUsers: |
    - groups:
      - system:masters
      userarn: arn:aws:iam::<hidden>:user/***
      username: ***
  ...
```
If there is an alternate way of doing this, please let us know.
Hey @satra, the current way to achieve that is by modifying the aws-auth secret, as you've already done. Currently, we don't have this option available as a configurable setting in Nebari, as handling this object without care could lead to more significant issues with overall Kubernetes access through Terraform.
Though I completely acknowledge that's valuable for such scenarios. I can have a look at this in the future, but a PR will always be welcomed :)
@viniciusdc - this allowed access to the other person. In addition, we would like to know how to give proper access on the AWS console itself, which still doesn't show any resources (the original question), i.e. how do I make the AWS console show me the resources that the cluster is creating/using?
Also pinging @asmacdo here.
Hey @asmacdo, I think you brought this up in the last community meeting, right? Have you had any luck getting access? If I am not mistaken, the issue was that the cluster was re-created, and with that, a new ownership was in place as well as a clean aws-auth ConfigMap.
I also think this could be a good FAQ for the docs, if you have the chance to open a PR for it, I would be pleased to review it 🚀
@viniciusdc - the issue I was seeing stemmed from being a federated user with admin privileges. We are checking internally to see if there is a way to get an ARN for such a user. But for any IAM users, if we add them to aws-auth, they can see the resources.
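The thread boils down to one mechanism: whatever IAM principal you use (k9s/kubectl or the console sign-in) has to be mapped in the `aws-auth` ConfigMap, and the mapping for a federated user is the IAM *role* the federation assumes, not a per-user ARN. `aws sts get-caller-identity` reports such a session as `arn:aws:sts::<account>:assumed-role/<RoleName>/<session>`; `aws-auth` wants `arn:aws:iam::<account>:role/<RoleName>` under `mapRoles`, with any IAM path (e.g. the `aws-reserved/sso.amazonaws.com/` path on SSO roles) removed. The script below is an added example, not code from this thread or from Nebari: it normalises a caller ARN to that form, merges a mapping into existing `mapRoles`/`mapUsers` data without dropping the node-group role entry that nodes depend on, and emits the JSON merge patch for `kubectl`. The sample ConfigMap data, account id, role and user names are constructed for the example.

```python
"""Map an additional IAM identity into the EKS aws-auth ConfigMap.

Added example, not part of the thread or of Nebari. Assumes the aws-auth layout
shown in the thread: mapRoles / mapUsers are YAML list strings under `data`.
"""
import json
import re

# Federated/SSO users see an STS assumed-role ARN in `aws sts get-caller-identity`.
STS_ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")
# IAM role/user ARN, possibly with a path (role/aws-reserved/sso.amazonaws.com/...).
# aws-auth does not accept paths, so only the final name component is kept.
IAM_PRINCIPAL = re.compile(r"^arn:aws:iam::(\d{12}):(role|user)/(?:.*/)?([^/]+)$")

MAPPING_KEYS = {"rolearn", "userarn", "username", "groups"}


def caller_to_mapping_arn(arn):
    """Normalise a caller-identity ARN to the form aws-auth expects."""
    m = STS_ASSUMED_ROLE.match(arn)
    if m:
        return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}"
    m = IAM_PRINCIPAL.match(arn)
    if m:
        return f"arn:aws:iam::{m.group(1)}:{m.group(2)}/{m.group(3)}"
    raise ValueError(f"not an IAM user/role or STS assumed-role ARN: {arn}")


def parse_mappings(block):
    """Parse the flat YAML list aws-auth uses (rolearn/userarn, username, groups)."""
    entries, cur = [], None
    for raw in block.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("- "):
            item = line[2:].strip()
            key, _, rest = item.partition(":")
            if key.strip() in MAPPING_KEYS and (rest == "" or rest[0] == " "):
                cur = {"groups": []}          # "- rolearn: ..." starts a new entry
                entries.append(cur)
                line = item
            else:
                cur["groups"].append(item)    # "- system:masters" is a group item
                continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "groups":
            if value.startswith("["):         # inline form: groups: [a, b]
                cur["groups"] = [g.strip() for g in value.strip("[]").split(",") if g.strip()]
            continue
        cur[key] = value
    return entries


def render_mappings(entries):
    """Serialise entries back into the block-style list aws-auth uses."""
    lines = []
    for e in entries:
        arn_key = "rolearn" if "rolearn" in e else "userarn"
        lines.append(f"- {arn_key}: {e[arn_key]}")
        lines.append(f"  username: {e['username']}")
        lines.append("  groups:")
        lines.extend(f"  - {g}" for g in e["groups"])
    return "\n".join(lines) + "\n" if lines else ""


def add_identity(configmap_data, caller_arn, username, groups):
    """Return new aws-auth `data` with the identity mapped. Idempotent; keeps existing entries."""
    arn = caller_to_mapping_arn(caller_arn)
    field, arn_key = ("mapRoles", "rolearn") if ":role/" in arn else ("mapUsers", "userarn")
    entries = parse_mappings(configmap_data.get(field, ""))
    for e in entries:
        if e.get(arn_key) == arn:             # already mapped: merge groups, no duplicate entry
            e["groups"].extend(g for g in groups if g not in e["groups"])
            break
    else:
        entries.append({arn_key: arn, "username": username, "groups": list(groups)})
    new_data = dict(configmap_data)
    new_data[field] = render_mappings(entries)
    return new_data


def kubectl_patch(new_data):
    """Payload for: kubectl -n kube-system patch configmap aws-auth --type merge -p '<json>'"""
    return json.dumps({"data": new_data})


# Constructed sample of an existing aws-auth `data` section (account id and names are fake).
EXISTING_AWS_AUTH = {
    "mapRoles": (
        "- groups:\n"
        "  - system:bootstrappers\n"
        "  - system:nodes\n"
        "  rolearn: arn:aws:iam::123456789012:role/eks-node-group-role\n"
        "  username: system:node:{{EC2PrivateDNSName}}\n"
    ),
    "mapUsers": (
        "- groups:\n"
        "  - system:masters\n"
        "  userarn: arn:aws:iam::123456789012:user/alice\n"
        "  username: alice\n"
    ),
}

if __name__ == "__main__":
    # A federated admin's session as reported by `aws sts get-caller-identity` (constructed).
    federated = "arn:aws:sts::123456789012:assumed-role/AdminRole/jane"
    patched = add_identity(EXISTING_AWS_AUTH, federated, "admin:{{SessionName}}", ["system:masters"])
    print(kubectl_patch(patched))
```

Two caveats for the console question specifically: the console lists nodes, pods and so on with the identity you signed in with, so a federated console user is covered by the same `mapRoles` entry as their CLI session, and that entry (or the groups it names) still needs Kubernetes RBAC to list those resources, e.g. the ClusterRole/ClusterRoleBinding from the AWS page linked above rather than `system:masters` for read-only viewers. Back up the ConfigMap (`kubectl -n kube-system get configmap aws-auth -o yaml`) before patching; a malformed `mapRoles` that loses the node-group role entry takes every node to `NotReady`.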