By using AWS re:Post, you agree to the Terms of Use
/EKS NodeGroup - The aws-auth ConfigMap in your cluster is invalid/

EKS NodeGroup - The aws-auth ConfigMap in your cluster is invalid

0

Hi there,

I've got an issue with an EKS node group where I cannot delete it.

I've provisioned the EKS cluster with Terraform and configured aws-auth as per documentation below:

https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html

I've admin access to the cluster, I also have deployments running and worker nodes connected. My ConfigMap can be seen below:

$ kubectl describe configmap -n kube-system aws-auth
Name: aws-auth
Namespace: kube-system
Labels:
Annotations:

Data
====
mapRoles:
----
- rolearn: arn:aws:iam::000000000000:role/cluster-role
username: system:node:{{EC2PrivateDNSName}}
groups:
- system:bootstrappers
- system:nodes
- rolearn: arn:aws:iam::000000000000:role/node-group-role
username: system:node:{{EC2PrivateDNSName}}
groups:
- system:bootstrappers
- system:nodes
- rolearn: arn:aws:iam::000000000000:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_AdministratorAccess
username: {{SessionName}}
groups:
- system:masters

Events: <none>

When I attempt to delete the node group, either via Terraform or using AWS Console, I get the following error listed under Health Issues:

"AccessDenied The aws-auth ConfigMap in your cluster is invalid."

I did not get this error when I created the node group, and I can't work out what exactly is wrong with my ConfigMap.

Any suggestions?

asked a year ago12 views
1 Answers
0

I've resolved the problem by deleting the aws-auth ConfigMap from the kube-system namespace. This allowed me to delete the node group from the cluster.

Note that when you create an EKS cluster, the IAM entity user that creates the cluster is automatically granted system:masters permissions in the cluster's RBAC configuration in the control plane. This IAM entity does not appear in the ConfigMap, but can be used to get access to the cluster.

answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions