aws_eks: error retrieving RESTMappings to prune #23376
Comments
Can you share exactly what you're changing in your app between the first and second deployment, as well as sharing the |
This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled. |
@peterwoodworth The change can be as trivial as updating the image tag for the deployment pod, updating environment variable values on the deployment, changing the ingress. Any change at all will cause this error to happen. For what it's worth, this is definitely a CDK issue because I have tried with
@peterwoodworth I discovered that none of the kubectl layers being distributed by the CDK team contains any kubectl greater than
Until that's fixed, we are building our own custom kubectl layer containing kubectl 1.24.8. We'll also be able to independently evolve the kubectl version we use as we upgrade the EKS versions in the future. Sounds alright to me. |
I don't have any Ingress in my cluster, but I also have the same issue.
(.venv) xxx@xxxx cdk2-eks % cdk diff
Stack Cdk2EksStack
Resources
[~] Custom::AWSCDK-EKS-KubernetesResource hello-eks/manifest-ADOT-ClusterRoleBinding/Resource helloeksmanifestADOTClusterRoleBindingB50C231E
└─ [~] Manifest
├─ [-] [{"kind":"ClusterRoleBinding","apiVersion":"rbac.authorization.k8s.io/v1","metadata":{"name":"aoc-agent-role-binding","namespace":"amazon-metrics","labels":{"aws.cdk.eks/prune-c80bb8ca89a214719f1c394396bfe48688e41b066e":""}},"subjects":[{"kind":"ServiceAccount","name":"aws-otel-sa","namespace":"aws-otel-eks"}],"roleRef":{"kind":"ClusterRole","name":"aoc-agent-role","apiGroup":"rbac.authorization.k8s.io"}}]
└─ [+] [{"kind":"ClusterRoleBinding","apiVersion":"rbac.authorization.k8s.io/v1","metadata":{"name":"aoc-agent-role-binding","namespace":"amazon-metrics","labels":{"aws.cdk.eks/prune-c80bb8ca89a214719f1c394396bfe48688e41b066e":""}},"subjects":[{"kind":"ServiceAccount","name":"aws-otel-sa","namespace":"amazon-metrics"}],"roleRef":{"kind":"ClusterRole","name":"aoc-agent-role","apiGroup":"rbac.authorization.k8s.io"}}]
Error message:
Cdk2EksStack: creating CloudFormation changeset...
11:34:10 PM | UPDATE_FAILED | Custom::AWSCDK-EKS-KubernetesResource | helloeksmanifestAD...oleBindingB50C231E
Received response status [FAILED] from custom resource. Message returned: Error: b'clusterrolebinding.rbac.authorization.k8s.io/a
oc-agent-role-binding configured\nerror: error retrieving RESTMappings to prune: invalid resource extensions/v1beta1, Kind=Ingres
s, Namespaced=true: no matches for kind "Ingress" in version "extensions/v1beta1"\n'
Logs: /aws/lambda/Cdk2EksStack-awscdkawseksKubectlPr-Handler886CB40B-cB9kptoidq5f
at invokeUserFunction (/var/task/framework.js:2:6)
at processTicksAndRejections (internal/process/task_queues.js:95:5)
at async onEvent (/var/task/framework.js:1:365)
at async Runtime.handler (/var/task/cfn-response.js:1:1543) (RequestId: 70cd68fa-720f-4a21-9112-de3cdd50d6c3)
11:34:29 PM | UPDATE_FAILED | Custom::AWSCDK-EKS-KubernetesResource | helloeksmanifestAD...oleBindingB50C231E
Received response status [FAILED] from custom resource. Message returned: Error: b'clusterrolebinding.rbac.authorization.k8s.io/a
oc-agent-role-binding configured\nerror: error retrieving RESTMappings to prune: invalid resource extensions/v1beta1, Kind=Ingres
s, Namespaced=true: no matches for kind "Ingress" in version "extensions/v1beta1"\n'
Logs: /aws/lambda/Cdk2EksStack-awscdkawseksKubectlPr-Handler886CB40B-cB9kptoidq5f
at invokeUserFunction (/var/task/framework.js:2:6)
at processTicksAndRejections (internal/process/task_queues.js:95:5)
at async onEvent (/var/task/framework.js:1:365)
at async Runtime.handler (/var/task/cfn-response.js:1:1543) (RequestId: 473c8b09-c148-47cc-84b5-cd2f4e974b11)
❌ Cdk2EksStack failed: Error: The stack named Cdk2EksStack failed to deploy: UPDATE_ROLLBACK_FAILED (The following resource(s) failed to update: [helloeksmanifestADOTClusterRoleBindingB50C231E]. ): Received response status [FAILED] from custom resource. Message returned: Error: b'clusterrolebinding.rbac.authorization.k8s.io/aoc-agent-role-binding configured\nerror: error retrieving RESTMappings to prune: invalid resource extensions/v1beta1, Kind=Ingress, Namespaced=true: no matches for kind "Ingress" in version "extensions/v1beta1"\n'
Logs: /aws/lambda/Cdk2EksStack-awscdkawseksKubectlPr-Handler886CB40B-cB9kptoidq5f
at invokeUserFunction (/var/task/framework.js:2:6)
at processTicksAndRejections (internal/process/task_queues.js:95:5)
at async onEvent (/var/task/framework.js:1:365)
at async Runtime.handler (/var/task/cfn-response.js:1:1543) (RequestId: 70cd68fa-720f-4a21-9112-de3cdd50d6c3)
at FullCloudFormationDeployment.monitorDeployment (/Users/huadebin/node_modules/aws-cdk/lib/api/deploy-stack.ts:505:13)
at processTicksAndRejections (node:internal/process/task_queues:95:5)
at deployStack2 (/Users/huadebin/node_modules/aws-cdk/lib/cdk-toolkit.ts:265:24)
at /Users/huadebin/node_modules/aws-cdk/lib/deploy.ts:39:11
at run (/Users/huadebin/node_modules/p-queue/dist/index.js:163:29)
❌ Deployment failed: Error: Stack Deployments Failed: Error: The stack named Cdk2EksStack failed to deploy: UPDATE_ROLLBACK_FAILED (The following resource(s) failed to update: [helloeksmanifestADOTClusterRoleBindingB50C231E]. ): Received response status [FAILED] from custom resource. Message returned: Error: b'clusterrolebinding.rbac.authorization.k8s.io/aoc-agent-role-binding configured\nerror: error retrieving RESTMappings to prune: invalid resource extensions/v1beta1, Kind=Ingress, Namespaced=true: no matches for kind "Ingress" in version "extensions/v1beta1"\n'
Logs: /aws/lambda/Cdk2EksStack-awscdkawseksKubectlPr-Handler886CB40B-cB9kptoidq5f
at invokeUserFunction (/var/task/framework.js:2:6)
at processTicksAndRejections (internal/process/task_queues.js:95:5)
at async onEvent (/var/task/framework.js:1:365)
at async Runtime.handler (/var/task/cfn-response.js:1:1543) (RequestId: 70cd68fa-720f-4a21-9112-de3cdd50d6c3)
at deployStacks (/Users/huadebin/node_modules/aws-cdk/lib/deploy.ts:61:11)
at processTicksAndRejections (node:internal/process/task_queues:95:5)
at CdkToolkit.deploy (/Users/huadebin/node_modules/aws-cdk/lib/cdk-toolkit.ts:339:7)
at exec4 (/Users/huadebin/node_modules/aws-cdk/lib/cli.ts:384:12)
Stack Deployments Failed: Error: The stack named Cdk2EksStack failed to deploy: UPDATE_ROLLBACK_FAILED (The following resource(s) failed to update: [helloeksmanifestADOTClusterRoleBindingB50C231E]. ): Received response status [FAILED] from custom resource. Message returned: Error: b'clusterrolebinding.rbac.authorization.k8s.io/aoc-agent-role-binding configured\nerror: error retrieving RESTMappings to prune: invalid resource extensions/v1beta1, Kind=Ingress, Namespaced=true: no matches for kind "Ingress" in version "extensions/v1beta1"\n'
Logs: /aws/lambda/Cdk2EksStack-awscdkawseksKubectlPr-Handler886CB40B-cB9kptoidq5f
at invokeUserFunction (/var/task/framework.js:2:6)
at processTicksAndRejections (internal/process/task_queues.js:95:5)
at async onEvent (/var/task/framework.js:1:365)
at async Runtime.handler (/var/task/cfn-response.js:1:1543) (RequestId: 70cd68fa-720f-4a21-9112-de3cdd50d6c3) |
The main problem happened with this PR: #22677 last November. Trying to externalize lambda assets to reduce the size ended up hardcoding the kubectl layer to version 20 packages/@aws-cdk/lambda-layer-kubectl/lib/kubectl-layer.ts And of course the related package.json dependency. Before this PR, kubectl version was parameterized with We need to find a more flexible solution that depends on the Kubernetes version installed or let it be a parameter.
OK, digging deeper I found the solution!!!! First you need to import the version of kubectl that matches your current cluster to the CDK project dependencies. Now in your stack you need to import the Kubectl layer as: And while creating the cluster you need to specify the Kubectl layer version as one of the Clusterprops. As a complete example:
I tested this solution and it is working fine. Documentation should be clear and change this prop to a mandatory prop as it can cause breaking problems.
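A triage helper for the failure discussed above, as an added example that is not part of the thread or of CDK's code: it extracts the API mapping kubectl failed to prune from the custom-resource message and compares the kubectl layer's minor version with the cluster's. The function names are hypothetical, the sample message is re-typed from the error on this page with its terminal line wraps, and the one-minor-version tolerance is the Kubernetes version skew policy for kubectl, which the thread itself does not state.

```python
import re

# Constructed sample: the custom-resource error from this page, including the
# hard line wraps the terminal inserted in the middle of words.
SAMPLE_MESSAGE = (
    "Error: b'clusterrolebinding.rbac.authorization.k8s.io/a\n"
    "oc-agent-role-binding configured\\nerror: error retrieving RESTMappings "
    "to prune: invalid resource extensions/v1beta1, Kind=Ingres\n"
    "s, Namespaced=true: no matches for kind \"Ingress\" in version "
    "\"extensions/v1beta1\"\\n'"
)

PRUNE_ERROR = re.compile(
    r"error retrieving RESTMappings to prune: invalid resource "
    r"(?P<gv>[\w.\-/]+), Kind=(?P<kind>\w+), Namespaced=(?:true|false)"
)


def parse_prune_error(message):
    """Return (group, version, kind) that kubectl could not map, or None."""
    flat = message.replace("\n", "")  # undo terminal wrapping before matching
    match = PRUNE_ERROR.search(flat)
    if match is None:
        return None
    group, _, version = match.group("gv").rpartition("/")  # core group -> ""
    return (group, version, match.group("kind"))


def minor(version):
    """Minor number of a Kubernetes 1.x version such as '1.24' or 'v1.24.8'."""
    match = re.match(r"v?1\.(\d+)", version)
    if match is None:
        raise ValueError(f"not a Kubernetes 1.x version: {version!r}")
    return int(match.group(1))


def triage(message, kubectl_version, cluster_version):
    """Combine the failed mapping with the kubectl/cluster minor-version skew."""
    skew = minor(kubectl_version) - minor(cluster_version)
    return {
        "failed_mapping": parse_prune_error(message),
        "skew": skew,
        # Assumption (Kubernetes skew policy): kubectl within one minor version
        "supported": abs(skew) <= 1,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MESSAGE, "1.20", "1.24"))    # layer hardcoded to version 20
    print(triage(SAMPLE_MESSAGE, "1.24.8", "1.24"))  # custom layer from the thread
```
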
Thank you so much for your investigation @AlyIbrahim, how would you specifically suggest improving the documentation here? |
@peterwoodworth Thanks for your response .. I suggest the following:
I see that you had part of this already with the parameter but it's down below and the regular user will not realize that this prop is required above v20. So unless the user reads all the docs for all the props it's not easy to understand this breaking change. Another option is to make the option mandatory to force users to know about the prop, but proper documentation can avoid this.
@peterwoodworth More importantly are you planning to maintain lambda-layer-kubectl package for versions above v24? |
Thanks for the suggestions @AlyIbrahim, are you interested in creating a PR with your suggested changes? I think we'd want to keep the prop optional and stick with just documentation adjustments.
I'm not sure - @pahud do you know what the plan for this is? Also @pahud, could you see about creating a PR for this if @AlyIbrahim isn't able to contribute? |
@peterwoodworth |
@peterwoodworth Yes, lambda-layer-kubectl is maintained by the cdk core team at https://github.com/cdklabs/awscdk-asset-kubectl and it upgrades v24 on a daily basis with GitHub Actions https://github.com/cdklabs/awscdk-asset-kubectl/actions/workflows/upgrade-kubectl-v24-main.yml Agree to have a PR to elaborate more about the info and usage. @AlyIbrahim I believe you can find the required info at https://github.com/cdklabs/awscdk-asset-kubectl. Is this something you are looking for?
@pahud I am looking for newer versions 25, 26, etc once they are available. For the PR, I couldn't find the API Reference documentation in this repository, I may have missed it. Can you point me to it so I can file the PR? |
@AlyIbrahim our API reference documentation is automatically generated from our codebase. To update a module's If you want to change documentation particular to one of the constructs, you'd want to edit the comments above whichever construct/property you want to change. See here, the comments in the code match up with the descriptions on the API ref aws-cdk/packages/@aws-cdk/aws-eks/lib/cluster.ts Lines 1153 to 1159 in 7555d47
Hello Team. We are impacted as well with |
Thanks @AlyIbrahim , this is really very helpful. |
We have a feature request for aws-eks 1.25 support now - #24282 At the same time, if you need the kubectl layer 1.25 assets, please give an upvote on cdklabs/awscdk-asset-kubectl#166 |
So I assume this issue is due to lack of the explicit |
For those using python cdk - I was able to get this running with the following:

npm install -s @aws-cdk/lambda-layer-kubectl-v24
pip install aws-cdk.lambda-layer-kubectl-v24

from aws_cdk import aws_ec2 as ec2, aws_eks
from aws_cdk.lambda_layer_kubectl_v24 import KubectlV24Layer

# Inside the stack's __init__; the role, VPC and subnet ids are defined elsewhere in the stack
cluster = aws_eks.Cluster(self, 'cluster',
    masters_role=self._eks_admin_role,
    vpc=self._host_vpc,  # private_subnet_ids
    vpc_subnets=[ec2.SubnetSelection(subnet_filters=[ec2.SubnetFilter.by_ids(private_subnet_ids)])],
    default_capacity=0,
    version=aws_eks.KubernetesVersion.V1_24,
    output_cluster_name=True,
    output_masters_role_arn=True,
    role=self._eks_admin_role,
    # kubectl layer matching the cluster's Kubernetes version (1.24)
    kubectl_layer=KubectlV24Layer(self, 'KubectlV24Layer'),
)

Not that much different than the typescript version, but took a bit of digging to figure out some of the namespacing as it isn't explicitly listed in the python package. Hopefully this helps someone else out. Thanks for the original solution @AlyIbrahim!
This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled. |
Describe the bug
After using aws_eks.Cluster.add_manifest to apply kubernetes objects on my cluster the first time, subsequent attempts to update my application or any other manifest results in the following such error:
I do not have any Ingress resources from the extensions/v1beta1 group in my cluster but I do have one from the networking.k8s.io group.
The cluster has been created with the default prune=True since I left out specification of the field
As you can see, I am using the Kubectl_V24 layer which supposedly has the correct version of kubectl to match the cluster version I'm working on which is 1.24.
I have seen this issue on Fargate EKS 1.22, 1.23 and 1.24
Related Issues
#19843
#15736
#15072
Expected Behavior
I should be able to continuously update my application without it failing
Current Behavior
The update of any part of the application always fails with the aforementioned error
Reproduction Steps
Create a new EKS Fargate 1.22+ cluster
Use the aws_eks.Cluster.add_manifest method to apply a manifest e.g. a gitlab deployment
Run cdk deploy
Update the gitlab deployment for example by updating the image tag, adding an env variable, changing an env variable value etc.
Run cdk deploy
Error occurs
Possible Solution
N/A
Additional Information/Context
No response
CDK CLI Version
2.55.0
Framework Version
No response
Node.js Version
18.10.0
OS
Ubuntu 22.04
Language
Python
Language Version
3.9.14
Other information
No response