
issue with blockDeviceMappings and snapshotID #7147

Open
uderik opened this issue Oct 2, 2024 · 5 comments
Assignees
Labels
bug Something isn't working triage/needs-information Marks that the issue still needs more information to properly triage

Comments

@uderik

uderik commented Oct 2, 2024

Description

Observed Behavior:
When specifying snapshotID for EBS in the blockDeviceMappings, we receive the following error: "You are not authorized to perform this operation". The error message from Amazon indicates that the AbsentTagComponent is not being set. If we remove the snapshotID, the instance launches without any issues. This happens because service control policy and tagging policy are enforced for all resources in our AWS environment.

Expected Behavior:
The instance should launch successfully with snapshotID provided, and the necessary tags should be applied to comply with the organization's tagging policy.

Reproduction Steps (Please include YAML):

  1. Ensure that service control policy and tagging policy are enabled for your AWS account.
  2. Include snapshotID in the blockDeviceMappings.
  3. Launch the instance.
  4. Observe the authorization error and missing tag components.

Versions:

  • Chart Version: 0.35.9
  • Kubernetes Version: Server Version v1.29.7-eks-a18cd3a
@uderik uderik added bug Something isn't working needs-triage Issues that need to be triaged labels Oct 2, 2024
@jmdeal
Contributor

jmdeal commented Oct 4, 2024

If I understand correctly, you have an SCP that requires snapshotIDs to be tagged correctly before they can be used when launching an instance, and you want Karpenter to observe the authorization error and tag the snapshots so that they comply. Is that correct? In my opinion this falls outside the scope of Karpenter's responsibilities. Is there a reason you think this should be handled by Karpenter and not somewhere else in the process, e.g. whenever you're creating these snapshots?

@jmdeal jmdeal added triage/needs-information Marks that the issue still needs more information to properly triage and removed needs-triage Issues that need to be triaged labels Oct 4, 2024
@uderik
Author

uderik commented Oct 4, 2024

@jmdeal When I try to launch an instance using a snapshot, Karpenter doesn't apply tags to the instance itself, which leads to the following error from AWS:

{
  "allowed": false,
  "explicitDeny": true,
  "matchedStatements": {
    "items": [
      {
        "statementId": "AbsentTagComponent",
        "effect": "DENY",
        "principals": {
          "items": [
..............

However, when I launch an instance without using a snapshot, it starts without any issues. The snapshot already has all the necessary tags; otherwise, I wouldn't have been able to create it.

It seems like the problem arises because Karpenter is not adding tags to the instance when using a snapshot.
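The JSON quoted in this comment has the shape of a decoded EC2 authorization message (what `aws sts decode-authorization-message` returns). As an added example, not part of this issue or of Karpenter, the parser below reduces such a message to the facts a triager needs: which DENY statements matched, on which actions and resources, and which condition keys the request was evaluated against. The sample message is constructed; its `actions`, `resources` and `context` fields are assumed to follow the decoded-message format, and every ARN and principal ID is a placeholder.

```python
import json

# Constructed sample of a decoded authorization message in the shape quoted in
# the comment above; actions/resources/context are assumed to follow the
# `aws sts decode-authorization-message` format and every value is a placeholder.
DECODED_MESSAGE = json.loads("""
{
  "allowed": false,
  "explicitDeny": true,
  "matchedStatements": {"items": [
    {"statementId": "AbsentTagComponent", "effect": "DENY",
     "principals": {"items": [{"value": "AROAEXAMPLEPRINCIPALID"}]},
     "actions": {"items": [{"value": "ec2:RunInstances"}]},
     "resources": {"items": [{"value": "arn:aws:ec2:us-east-1:111122223333:volume/*"}]}},
    {"statementId": "AllowRunInstances", "effect": "ALLOW",
     "actions": {"items": [{"value": "ec2:RunInstances"}]},
     "resources": {"items": [{"value": "*"}]}}
  ]},
  "context": {
    "action": "ec2:RunInstances",
    "resource": "arn:aws:ec2:us-east-1:111122223333:volume/*",
    "conditions": {"items": [{"key": "aws:RequestTag/owner", "values": {"items": []}}]}
  }
}
""")


def _values(node):
    # Collect the "value" strings from an {"items": [{"value": ...}]} node.
    return [item.get("value", "") for item in (node or {}).get("items", [])]


def summarize_denials(decoded):
    """Return the DENY statements that matched, the actions/resources they cover,
    and the condition keys (with the request's values) that were evaluated."""
    denies = [s for s in decoded.get("matchedStatements", {}).get("items", [])
              if s.get("effect", "").upper() == "DENY"]
    ctx = decoded.get("context", {})
    return {
        "allowed": bool(decoded.get("allowed")),
        "explicit_deny": bool(decoded.get("explicitDeny")),
        "deny_statement_ids": [s.get("statementId", "") for s in denies],
        "denied_actions": sorted({a for s in denies for a in _values(s.get("actions"))}),
        "denied_resources": sorted({r for s in denies for r in _values(s.get("resources"))}),
        "evaluated_action": ctx.get("action", ""),
        # An empty value list for a request-tag key is a hint that the tag was absent.
        "request_conditions": {c.get("key", ""): _values(c.get("values"))
                               for c in ctx.get("conditions", {}).get("items", [])},
    }
```

Feeding the real decoded message into `summarize_denials` gives the statement IDs and resources to quote when sharing the denied request with maintainers.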

@jmdeal
Contributor

jmdeal commented Oct 4, 2024

Got it, is there any reason specifying the tags on your NodeClass directly isn't an option? https://karpenter.sh/docs/concepts/nodeclasses/#spectags

@uderik
Author

uderik commented Oct 4, 2024

All the necessary tags are specified, and there are no issues when launching instances. However, when I specify snapshotId for EBS, I get the error that I mentioned above.

@jmdeal
Contributor

jmdeal commented Oct 5, 2024

Any tags specified in the EC2NodeClass are included in the launch template for the instance (as well as the EBS volume and the launch template itself). Are there additional tags that are required on the instance by your SCP when launching with a snapshot ID that aren't specified on the NodeClass? Are you able to share the API request that's getting denied?

@jmdeal jmdeal self-assigned this Oct 7, 2024