Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: Troubleshooting section for IPv6 policy #705

Merged
merged 2 commits into from
Nov 11, 2024
Merged

docs: Troubleshooting section for IPv6 policy #705

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
40202ad
docs on eks v6 policy
alanty Nov 11, 2024
6c0d129
fix step numbers
alanty Nov 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 1 addition & 2 deletions website/docs/blueprints/data-analytics/spark-eks-ipv6.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,8 +23,7 @@ Ensure that you have installed the following tools on your machine.
2. [kubectl](https://Kubernetes.io/docs/tasks/tools/)
3. [terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli)


Before installing the cluster create a EKS IPv6 CNI policy. Follow the instructions from the link below:
Before installing the cluster create a EKS IPv6 CNI policy. Follow the instructions from the link:
[AmazonEKS_CNI_IPv6_Policy ](https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html#cni-iam-role-create-ipv6-policy)

### Clone the repository
Expand Down
52 changes: 52 additions & 0 deletions website/docs/blueprints/troubleshooting/troubleshooting.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -236,3 +236,55 @@ You will need to create the service linked role in the AWS account you're using
```sh
aws iam create-service-linked-role --aws-service-name spot.amazonaws.com
```

## Error: AmazonEKS_CNI_IPv6_Policy does not exist
If you encounter the error below when deploying a solution that supports IPv6:

```sh
│ Error: attaching IAM Policy (arn:aws:iam::1234567890:policy/AmazonEKS_CNI_IPv6_Policy) to IAM Role (core-node-group-eks-node-group-20241111182906854800000003): operation error IAM: AttachRolePolicy, https response error StatusCode: 404, RequestID: 9c99395a-ce3d-4a05-b119-538470a3a9f7, NoSuchEntity: Policy arn:aws:iam::1234567890:policy/AmazonEKS_CNI_IPv6_Policy does not exist or is not attachable.
```

### Issue Description:
The Amazon VPC CNI plugin requires IAM permission to assign IPv6 addresses so you must create an IAM policy and associate it with the role that the CNI will use. However, each IAM policy name must be unique in the same AWS account. This causes a conflict if the policy is created as part of the terraform stack and it is deployed multiple times.

To resolve this error you will need to create the Policy with the commands below. You should only need to do this once per AWS account.

### Solution:

1. Copy the following text and save it to a file named vpc-cni-ipv6-policy.json.

```sh
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:AssignIpv6Addresses",
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeInstanceTypes"
],
"Resource": ""
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": [
"arn:aws:ec2::*:network-interface/*"
]
}
]
}
```

2. Create the IAM policy.

```sh
aws iam create-policy --policy-name AmazonEKS_CNI_IPv6_Policy --policy-document file://vpc-cni-ipv6-policy.json
```

3. Re-run the `install.sh` script for the blueprint
Loading