Dependency between eks-pod-identity-agent and CNI #3260

Open
vietwow opened this issue Dec 28, 2024 · 4 comments

vietwow commented Dec 28, 2024

Hi,

I have just run into a situation where we want to create an EKS cluster with the managed add-ons Pod Identity and VPC-CNI using Pod Identity. My code looks like this:

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "20.31.6"

  ...
  cluster_addons = {
    eks-pod-identity-agent = {
      most_recent = true
    }

    vpc-cni = {
      before_compute = true
      most_recent    = true
      pod_identity_role_arn = {
        role_arn        = local.aws_vpc_cni_pod_identity_role_arn
        service_account = local.aws_vpc_cni_serviceaccount_name
      }
    }

    ...[other add-ons]...
  }
  ...
}

So the problem is that Terraform (randomly) creates vpc-cni before eks-pod-identity-agent is created, which leads to the VPC-CNI add-on crashing.

So I'm not sure how we can solve this dependency problem. Hope to get help on this. Thank you so much.

Best Regards,
VietNC

@bryantbiggs
Member

This is not something that we will be able to explicitly control within the module - we cannot control the specific ordering of addons across an unknown variable of addons.

@vietwow
Author

vietwow commented Jan 6, 2025

@bryantbiggs However, as of now, it feels like a circular dependency when using pod identity with CNI in this module, because:

  • Terraform waits for the node groups to become healthy, which only happens when their status is "Ready." This means that the CNI must be set up properly first.
  • The node will never be ready if it hits this issue.

@bryantbiggs
Member

Why are you waiting on compute if you aren't configuring anything on the CNI?

@vietwow
Author

vietwow commented Jan 7, 2025

It's not me but Terraform. Let me describe the issue again: I want to deploy an EKS cluster with the managed CNI using Pod Identity (like the Terraform I posted above). The problem is:

  • The Terraform CLI creates the managed CNI add-on before the eks-pod-identity-agent addon (note: this is random), so the CNI crashes (because it requires eks-pod-identity-agent first).
  • The Terraform module "terraform-aws-eks" creates node groups in parallel with the CNI, and the Terraform CLI (not me) waits for the node groups to become healthy (which only happens when their status is "Ready"), and because the CNI has crashed, the node groups never become healthy.

Not sure if there is something wrong with my understanding. Thanks.
