fix the security group issue #546

Merged
merged 1 commit into from
Jan 7, 2025

@wwvela wwvela commented Jan 7, 2025

Issue #, if available:

  • After going through the control plane logs, I found the CSR not approved and a bunch of unverified hosts. This issue does not always happen; it seems just flaky. I think we bumped into this issue where the EIP got attached around the same time the certificate was published. The issue happens when the customer attaches the EIP to the worker node's Eth0. As a result, the public IP address of the node changes from 3.85.202.226 to 3.237.215.201. When the API server tries to validate the address, it fails as it doesn't recognize the original public IP address of the node. When kubelet creates a secondary certificate request after 20 minutes, it succeeds as the new certificate contains the EIP address. But our test has already finished by this time.
  • We see this if we use the default cluster security group and attach these network interfaces to it instead of using a new EFA security group. That's why we used a newly created EFA security group and connected it with the default security group instead of using it directly before.
  • To resolve this, we need to roll back the changes to use the default cluster security group and handle the ENI leakage cleanup when deleting the unmanaged node group.

@mattcjo mattcjo left a comment

LGTM

@wwvela wwvela merged commit 63a9f38 into aws:main Jan 7, 2025
6 checks passed
wwvela added a commit to wwvela/aws-k8s-tester that referenced this pull request Jan 8, 2025
cartermckinnon pushed a commit that referenced this pull request Jan 8, 2025