I'm trying to deploy cluster-autoscaler to an existing EKS cluster. Here's my Terraform code:
```hcl
resource "aws_iam_policy" "cluster_autoscaler" {
  name        = "ClusterAutoscalerPolicy"
  path        = "/"
  description = "Policy for allowing the cluster autoscaler to modify cluster resources. Managed by Terraform."

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeAutoScalingInstances",
        "autoscaling:DescribeLaunchConfigurations",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:DescribeTags",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeLaunchTemplateVersions"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:SetDesiredCapacity",
        "autoscaling:TerminateInstanceInAutoScalingGroup",
        "ec2:DescribeImages",
        "ec2:GetInstanceTypesFromInstanceRequirements",
        "eks:DescribeNodegroup"
      ],
      "Resource": ["*"]
    }
  ]
}
EOF
}

resource "aws_iam_role" "cluster_autoscaler" {
  name = "EKS-ClusterAutoscaler-Role"

  # IRSA trust policy: only tokens issued by the cluster's OIDC provider, and only
  # for the cluster-autoscaler service account in kube-system, may assume this role.
  # var.oidc_prvider is the provider URL without the "https://" prefix
  # (the same host that appears in the provider ARN), so the condition key is "<host>:sub".
  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Effect = "Allow",
        Principal = {
          Federated = var.oidc_prvider_arn
        },
        Action = "sts:AssumeRoleWithWebIdentity",
        Condition = {
          StringEquals = {
            "${var.oidc_prvider}:sub" = "system:serviceaccount:kube-system:cluster-autoscaler"
          }
        }
      },
    ]
  })
}

resource "aws_iam_role_policy_attachment" "cluster_autoscaler" {
  policy_arn = aws_iam_policy.cluster_autoscaler.arn
  role       = aws_iam_role.cluster_autoscaler.name
} # this closing brace was missing in the original snippet

resource "helm_release" "cluster_autoscaler" {
  name       = "cluster-autoscaler"
  repository = "https://kubernetes.github.io/autoscaler"
  chart      = "cluster-autoscaler"
  version    = "v9.35.0"
  namespace  = "kube-system"

  set {
    name  = "autoDiscovery.clusterName"
    value = var.cluster_name
  }
  set {
    name  = "awsRegion"
    value = "eu-west-2"
  }
  set {
    name  = "rbac.create"
    value = "true"
  }
  set {
    name  = "serviceAccount.create"
    value = "true"
  }
  # Must equal the service account name pinned in the role's trust policy above.
  set {
    name  = "serviceAccount.name"
    value = "cluster-autoscaler"
  }
  # Dots in the annotation key are escaped ("\\." in HCL becomes "\." for Helm)
  # so Helm does not split it into nested keys.
  set {
    name  = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
    value = var.cluster_autoscaler_role_arn
  }
}
```
I have 2 problems here:
1. cluster-autoscaler seems to ignore the set values; for example, "describe pod" shows me it's running as an account with a different name in Kubernetes: Service Account: cluster-autoscaler-aws-cluster-autoscaler
2. Patching it manually and annotating this service account with the role according to https://repost.aws/knowledge-center/eks-load-balancer-webidentityerr makes cluster-autoscaler go into a crashloop with:
Failed to regenerate ASG cache: WebIdentityErr: failed to retrieve credentials caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity
What am I doing wrong here? Your help would be highly appreciated.
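An added example, not part of the original post and not code from the cluster-autoscaler project: an offline check of the two places an IRSA binding can break, namely whether the service account a pod actually runs as carries the `eks.amazonaws.com/role-arn` annotation, and whether the role's trust policy `Condition` admits the `sub` claim (`system:serviceaccount:<namespace>:<name>`) that EKS puts in that service account's projected token. STS answers `AccessDenied` on `sts:AssumeRoleWithWebIdentity` when those conditions are not satisfied, so comparing them is the first diagnostic step. The account id, OIDC provider host, role ARN and service account names below are constructed placeholders.

```python
"""Check an IAM trust policy against the Kubernetes identity a pod presents (IRSA).

Added example with constructed inputs; nothing here identifies a real account or cluster.
"""
import fnmatch
import json

# Constructed placeholders.
PROVIDER_HOST = "oidc.eks.eu-west-2.amazonaws.com/id/EXAMPLE0000000000000000000000000"
ROLE_ARN = "arn:aws:iam::111122223333:role/EKS-ClusterAutoscaler-Role"
ROLE_ARN_ANNOTATION = "eks.amazonaws.com/role-arn"

# Constructed trust policy, the same shape jsonencode() produces in Terraform.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/%s"},
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {"%s:sub": "system:serviceaccount:kube-system:cluster-autoscaler"}
      }
    }
  ]
}
""" % (PROVIDER_HOST, PROVIDER_HOST))


def expected_sub(namespace, sa_name):
    """The 'sub' claim in the projected service-account token EKS issues for a pod."""
    return f"system:serviceaccount:{namespace}:{sa_name}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(trust_policy, provider_host, namespace, sa_name):
    """Return findings; [] means a properly scoped Allow statement admits this service account."""
    want_sub = expected_sub(namespace, sa_name)
    sub_key = f"{provider_host}:sub"
    mismatches, warnings, admitted = [], [], False
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        federated = stmt.get("Principal", {}).get("Federated", "")
        if not federated.endswith(":oidc-provider/" + provider_host):
            mismatches.append(f"Principal.Federated {federated!r} is not the cluster provider {provider_host!r}")
            continue
        cond = stmt.get("Condition", {})
        equals = _as_list(cond.get("StringEquals", {}).get(sub_key, []))
        like = _as_list(cond.get("StringLike", {}).get(sub_key, []))
        if not equals and not like:
            # Admitted, but so is every other service account in the cluster.
            warnings.append(f"statement has no {sub_key!r} condition; any service account could assume the role")
            admitted = True
            continue
        # IAM StringLike supports * and ? wildcards, which fnmatch also understands.
        if want_sub in equals or any(fnmatch.fnmatchcase(want_sub, p) for p in like):
            admitted = True
            continue
        mismatches.append(f"sub condition {equals + like!r} does not admit {want_sub!r}")
    if not admitted:
        return mismatches or ["no Allow statement for sts:AssumeRoleWithWebIdentity from this provider"]
    return warnings


def check_pod_binding(pod_service_account, service_accounts, role_arn):
    """service_accounts maps service-account name -> its annotations, as kubectl would show them."""
    annotations = service_accounts.get(pod_service_account)
    if annotations is None:
        return [f"pod runs as {pod_service_account!r}, which does not exist in the namespace"]
    bound = annotations.get(ROLE_ARN_ANNOTATION)
    if bound is None:
        return [f"{pod_service_account!r} has no {ROLE_ARN_ANNOTATION} annotation; no web-identity token is injected"]
    if bound != role_arn:
        return [f"{pod_service_account!r} is annotated with {bound!r}, not {role_arn!r}"]
    return []


def diagnose(pod_service_account, namespace, service_accounts, role_arn, trust_policy, provider_host):
    """Both checks together: annotation on the pod's SA, then the trust policy for that SA."""
    return (check_pod_binding(pod_service_account, service_accounts, role_arn)
            + check_trust_policy(trust_policy, provider_host, namespace, pod_service_account))


if __name__ == "__main__":
    # Scenario 1: pod runs as the SA the trust policy pins -> no findings.
    sas = {"cluster-autoscaler": {ROLE_ARN_ANNOTATION: ROLE_ARN}}
    print(diagnose("cluster-autoscaler", "kube-system", sas, ROLE_ARN, TRUST_POLICY, PROVIDER_HOST))
    # Scenario 2: a differently named SA was annotated after the fact -> sub mismatch.
    sas = {"cluster-autoscaler-aws-cluster-autoscaler": {ROLE_ARN_ANNOTATION: ROLE_ARN}}
    print(diagnose("cluster-autoscaler-aws-cluster-autoscaler", "kube-system", sas, ROLE_ARN, TRUST_POLICY, PROVIDER_HOST))
```

The inputs can be taken straight from `kubectl describe pod` (the Service Account line), `kubectl get sa -n kube-system -o yaml` (the annotations) and `aws iam get-role` (the trust policy); the provider host is the `Federated` ARN after `oidc-provider/`.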