For now, I would not set the name tag on the nodes and the permissions will work as intended. We will be updating the permissions for Karpenter to re-align with the upstream project in #286
Description
The Karpenter controller is not able to reconcile instances to be deleted if their name does not include Karpenter.
Looking at the code, it seems that the IAM policy for the IRSA is expecting the name to always include karpenter (see link).
Before you submit an issue, please perform the following first:
1. Remove the local .terraform directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): rm -rf .terraform/
2. Re-initialize the project root to pull down modules: terraform init
Versions
Terraform v1.6.1
on linux_amd64
Reproduction Code [Required]
Steps to reproduce the behavior:
1. Scale back in deployment to trigger instance termination
Expected behaviour
Nodes should be terminated
Actual behaviour
Instances are not terminated and the controller logs:
{"level":"ERROR","time":"2023-11-04T19:59:21.653Z","logger":"controller","message":"Reconciler error","commit":"1072d3b","controller":"node.termination","controllerGroup":"","controllerKind":"Node","Node":{"name":"ip-REDACTED.eu-central-1.compute.internal"},"namespace":"","name":"ip-REDACTED.eu-central-1.compute.internal","reconcileID":"5da575eb-5271-400c-8b89-ccde1c977275","error":"terminating cloudprovider instance, terminating instance, UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::REDACTED:assumed-role/karpenter-20231104182048115600000018/1699126836611442743 is not authorized to perform: ec2:TerminateInstances on resource: arn:aws:ec2:eu-central-1:REDACTED:instance/i-REDACTED because no identity-based policy allows the ec2:TerminateInstances action.
Additional context
var.eks_karpenter_version is 0.32.1
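As an added illustration of the description above (not code from the issue, the module or Karpenter), here is a small Python model of how an IAM StringLike condition on a resource tag decides whether ec2:TerminateInstances is allowed. It assumes the module's statement conditions termination on a Name tag matching *karpenter*, and contrasts it with a statement keyed on karpenter.sh/nodepool, a tag Karpenter writes itself (assumed); the statements and tag sets are constructed for the example.

```python
import fnmatch

# Constructed statements for the Karpenter controller role (assumed shape).
# The first mirrors the condition described in the issue: termination is
# allowed only when the instance's Name tag matches *karpenter*.
NAME_TAG_STATEMENT = {
    "Effect": "Allow",
    "Action": ["ec2:TerminateInstances"],
    "Resource": "*",
    "Condition": {"StringLike": {"ec2:ResourceTag/Name": "*karpenter*"}},
}
# The second keys on a tag Karpenter writes to every node it launches
# (assumed: karpenter.sh/nodepool), which a user-set Name tag does not touch.
NODEPOOL_TAG_STATEMENT = {
    "Effect": "Allow",
    "Action": ["ec2:TerminateInstances"],
    "Resource": "*",
    "Condition": {"StringLike": {"ec2:ResourceTag/karpenter.sh/nodepool": "*"}},
}

def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive match with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(value, pattern)

def condition_matches(condition: dict, tags: dict) -> bool:
    """Only the StringLike operator over ec2:ResourceTag/<key> is modelled.
    Every key must match, and a tag that is absent never matches."""
    prefix = "ec2:ResourceTag/"
    for key, pattern in condition.get("StringLike", {}).items():
        if not key.startswith(prefix):
            return False
        tag_value = tags.get(key[len(prefix):])
        if tag_value is None or not string_like(pattern, tag_value):
            return False
    return True

def is_allowed(statements: list, action: str, tags: dict) -> bool:
    """Implicit deny unless some Allow statement covers the action and its
    condition is satisfied by the instance's tags."""
    return any(
        stmt["Effect"] == "Allow"
        and action in stmt["Action"]
        and condition_matches(stmt.get("Condition", {}), tags)
        for stmt in statements
    )

# Constructed tag sets: a node Karpenter named itself, and one whose Name tag
# the user set (the situation reported in the issue).
DEFAULT_NODE = {"Name": "karpenter-default-abc12", "karpenter.sh/nodepool": "default"}
RENAMED_NODE = {"Name": "my-app-node", "karpenter.sh/nodepool": "default"}
```

Running is_allowed with NAME_TAG_STATEMENT against RENAMED_NODE reproduces the UnauthorizedOperation outcome from the log, while the nodepool-keyed statement permits termination regardless of the Name value.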