/kind bug
1. What kops version are you running? The command kops version, will display
this information.
$ kops version
Client version: 1.34.0 (git-v1.34.0)
2. What Kubernetes version are you running? kubectl version will print the
version if a cluster is running or provide the Kubernetes version specified as
a kops flag.
$ kubectl version
Client Version: v1.34.1
Kustomize Version: v5.7.1
Server Version: v1.34.1
3. What cloud provider are you using?
AWS
4. What commands did you run? What is the simplest way to reproduce this issue?
Just deployed a basic cluster.
5. What happened after the commands executed?
We have alerts in AWS to tell us which AWS API calls are getting ACCESS_DENIED.
We were being alerted to these errors (redacted with variables replacing parts):
You are not authorized to perform this operation. User: arn:aws:sts::$AWS_ACCOUNT_ID:assumed-role/aws-cloud-controller-manager.kube-system.sa.$CLUSTER/1761098167384554152 is not authorized to perform: ec2:DescribeInstanceTopology because no identity-based policy allows the ec2:DescribeInstanceTopology action
6. What did you expect to happen?
No errors :)
7. Please provide your cluster manifest. Execute
kops get --name my.example.com -o yaml to display your cluster manifest.
You may want to remove your cluster name and other sensitive information.
Shouldn't be required.
8. Please run the commands with most verbose logging by adding the -v 10 flag.
Paste the logs into this report, or in a gist and provide the gist link here.
9. Anything else do we need to know?
I added an additional inline policy to the IAM role that kops created for now to fix the problem that looks like so:
{
  "Statement": [
    {
      "Action": "ec2:DescribeInstanceTopology",
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}
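To check whether a role's identity-based policies actually grant the action named in the AccessDenied message before and after adding the inline policy above, here is an added example (not kops code and not the reporter's): a deliberately simplified local IAM evaluator. It models Allow/Deny with action wildcards and explicit-deny precedence only; the baseline and deny policies are constructed, and Resource, Condition and NotAction are assumed out of scope.

```python
import fnmatch
import json

# The inline policy from the report above.
WORKAROUND_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": "ec2:DescribeInstanceTopology", "Effect": "Allow", "Resource": "*"}
  ]
}
""")

# Constructed stand-in for a role policy that grants some ec2 reads but
# not DescribeInstanceTopology (assumption: the real kops-managed policy differs).
BASELINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeRegions"],
         "Resource": "*"}
    ],
}

# Constructed explicit deny, e.g. from an SCP-like guardrail, to show precedence.
DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "ec2:DescribeInstance*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, action: str) -> bool:
    # IAM action names are matched case-insensitively; * and ? are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_action_allowed(policies, action: str) -> bool:
    """True if the union of the given policy documents allows `action`.

    Simplification (assumption): Resource and Condition are ignored and
    NotAction statements are skipped; an explicit Deny still wins over Allow.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            if "Action" not in stmt:
                continue
            if any(_matches(p, action) for p in _as_list(stmt["Action"])):
                if stmt.get("Effect") == "Deny":
                    return False  # explicit deny overrides any allow
                if stmt.get("Effect") == "Allow":
                    allowed = True
    return allowed
```

For the live role, the same question can be asked of AWS itself with the IAM policy simulator, which also honours the conditions this evaluator ignores.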