Hi!
Can't understand why kubectl proxy knows where why aws cluster is after terraform apply. Do you know it?

So I started using this module yesterday, and it worked fine.

Today, the kubeconfig files weren't being generated, and seeing this error within the init-aws-minikube.log file:

Retrieving key from https://packages.cloud.google.com/yum/doc/yum-key.gpg
Importing GPG key 0x307EA071:
 Userid     : "Rapture Automatic Signing Key (cloud-rapture-signing-key-2021-03-01-08_01_09.pub)"
 Fingerprint: 7f92 e05b 3109 3bef 5a3c 2d38 feea 9169 307e a071
 From       : https://packages.cloud.google.com/yum/doc/yum-key.gpg
Retrieving key from https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature could not be verified for kubernetes
Trying other mirror.


 One of the configured repositories failed (Kubernetes),
 and yum doesn't have enough cached data to continue. At this point the only
 safe thing yum can do is fail. There are a few ways to work "fix" this:

     1. Contact the upstream for the repository and get them to fix the problem.

     2. Reconfigure the baseurl/etc. for the repository, to point to a working
        upstream. This is most often useful if you are using a newer
        distribution release than is supported by the repository (and the
        packages for the previous distribution release still work).

     3. Run the command with the repository temporarily disabled
            yum --disablerepo=kubernetes ...

     4. Disable the repository permanently, so yum won't use it by default. Yum
        will then just ignore the repository until you permanently enable it
        again or use --enablerepo for temporary usage:

            yum-config-manager --disable kubernetes
        or
            subscription-manager repos --disable=kubernetes

     5. Configure the failing repository to be skipped, if it is unavailable.
        Note that yum will try to contact the repo. when it runs most commands,
        so will have to try and fail each time (and thus. yum will be be much
        slower). If it is a very temporary problem though, this is often a nice
        compromise:

            yum-config-manager --save --setopt=kubernetes.skip_if_unavailable=true

failure: repodata/repomd.xml from kubernetes: [Errno 256] No more mirrors to try.
https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature could not be verified for kubernetes

Anyone started seeing this issue? Is this a temporary issue? Any ideas on a fix?

After installing when trying to ssh in or do

copy_config_dns = To copy the kubectl config file using DNS record, run: 'scp [email protected]:/home/centos/kubeconfig .'

Can't get in with error
[email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Hello,

When i run the terraform init in aws-minikube folder as you provided guided steps, im getting following error. Am i missing minor something ? How can i fix this issue ?

_Test2 Folder has all the files by the way.

C:\Users\andromeda\26042020_Test2>terraform init

Initializing modules...

• minikube in

Error: Unreadable module directory

Unable to evaluate directory symlink: CreateFile ..\terraform-aws-minikube:
The system cannot find the file specified.

Error: Failed to read module directory

Module directory does not exist or cannot be read.

Error: Unreadable module directory

Unable to evaluate directory symlink: CreateFile ..\terraform-aws-minikube:
The system cannot find the file specified.

Error: Failed to read module directory

Module directory does not exist or cannot be read.

So to my knowledge I'm going to need the private key that was created during terraform apply so I can ssh into the ec2 instance, but I can't find the private key anywhere on my file system. Is there a default directory or file where that private key is placed?

Hello,

I did a clear installation, and I had few issues

1. documentation - there is written that it is enough just to run "kubectl proxy", this is not really true, you have to export different port than 8080 first:

export KUBERNETES_MASTER=https://your.domain:6443

2. documentation - it is not mentioned that if you are using SSL which is enabled by default, you have to use also CA validation, so

kubectl --certificate-authority=/etc/kubernetes/pki/ca.crt

3. RBAC - In documantation is stated

This is intentional for security reasons (no authentication / authorization)

This is not exactly true with new version of Kubernetes, which is included in actual package. You have to use RBAC authentification according to Kubernetes documentation. I am still fighting how to get rid of this message

"message": "services "https:kubernetes-dashboard:" is forbidden: User "system:anonymous" cannot get services/proxy in the namespace "kube-system"",

After running
kubectl --certificate-authority=/etc/kubernetes/pki/ca.crt proxy

and tunneling it through SSH to my localhost

and accessing

http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login

Can you please help. I cannot even get pods even when I use

kubeadm token list

and use selected tokens because tokens has low privileges

[root@ip-10-0-0-18 kubernetes]# kubeadm token list
TOKEN TTL EXPIRES USAGES DESCRIPTION EXTRA GROUPS
******* 23h 2018-09-30T14:34:31Z authentication,signing system:bootstrappers:kubeadm:default-node-token

******** authentication,signing system:bootstrappers:kubeadm:default-node-token

I need a token with system.master privileges but I have no idea how to get it.

Where I work, we use Netflix BLESS, and we would like to specify a custom AMI running on the EC2 instance, so we can configured the EC2 instance to trust our self-signed CA.

BLESS uses SSH certificates, added to OpenSSH in 5.4. SSH certificates allow a certificate authority to sign a user’s public key, along with a list of constraints; the user presents this certificate to the server during authentication. The server only needs to trust the CA, and does not need previous knowledge of the user’s public key.

Do you have an interest in an optional parameter for specifying a custom AMI?

kubectl get nodes return no nodes
also we cant create deployments
we get
Type Reason Age From Message

Warning FailedScheduling 3m (x176 over 53m) default-scheduler no nodes available to schedule pods

Hello, so everything is working fine, If I login into my EC2 instance and type kubectl cluster-info --kubeconfig=kubeconfig it work.

Now I'm wondering if I could have access to my cluster from my computer, do you know how I could configure kubectl to use the remote cluster ? I tried a lot of thing but couldn't get it work.

Thanks!

Terraform runs successfully, ending with:

Apply complete! Resources: 12 added, 0 changed, 0 destroyed.

Outputs:

copy_config = To copy the kubectl config file, run: 'scp centos@aws-minikube-
1.kube.public:/home/centos/kubeconfig .'
kubeadm_token = w8q6uz.w8q6uzdbev9lcskr

minikube_dns = aws-minikube-1.kube.public```

As I don't have DNS configured (using private hosted zone), I try to connect to the instance through the IP address I see in the AWS console. The result :

ssh  [email protected]
ssh: connect to host 35.158.12.108 port 22: Operation timed out

As per the title, I'm a bit confused.

Is this Terraform configuration installing a regular Kubernetes installation configured to have a single node? Or is it actually installing the 'real' minikube (https://github.com/kubernetes/minikube/releases/tag/v1.5.2)?

I'm a bit of a noob when it comes to the difference between the two so please tell me if I'm misunderstanding.

• Kind regards

Hello,

Firstly, thanks for releasing this. It makes deploying a minikube instance pretty damn easy.

I'm just having an issue with DNS services provided to my pods. The issue is primarily that there isn't any. While I can connect to sites via a bare IP address, I can't connect via DNS.

Each pod is configured to use the kube-dns pod for dns which is then configured to the a DNS server in my VPC, there are other EC2 instances using this DNS service just fine. I've checked the security group (which aws-minikube created anyway) and can't find any restrictions on outgoing traffic. Everything seems fine.

Do you have any idea what might be causing this?

Thanks,

Anthony

I was receiving the following error within the kubernetes service when it was attempting to deploy an ELB from a kubernetes_ingress_v1 resource.

Warning SyncLoadBalancerFailed 2m49s service-controller Error syncing load balancer: failed to ensure load balancer: AccessDenied: User: arn:aws:sts::XXXXXXXXXXXXX:assumed-role/my-minikube/i-0a921073fe8c4d39f is not authorized to perform: iam:CreateServiceLinkedRole on resource: arn:aws:iam::XXXXXXXXXXXXX:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing because no identity-based policy allows the iam:CreateServiceLinkedRole action

Manually creating the following policy and attaching it to the role created by aws-minikube resolved the issue:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
                }
            }
        }
    ]
}