-
Notifications
You must be signed in to change notification settings - Fork 4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix(eks): creating a
ServiceAccount
in a different stack than the `…
…Cluster` creates circular dependency between the two stacks (#9701) This PR changes a few scenarios with regards to circular dependencies in cases where some resources are created in a different stack than the cluster stack. > Reviewers, Please refer to this detail as a first response to PR questions :) ### ServiceAccount Previously, the `ServiceAccount` construct used `cluster.addManifest` to deploy the necessary resource. https://github.com/aws/aws-cdk/blob/25a9cc7fabbe3b70add48edfd01421f74429b97f/packages/%40aws-cdk/aws-eks/lib/service-account.ts#L81-L95 This means that the resource itself is added to the **cluster stack**. When the `ServiceAccount` is created in a different stack, it creates a dependency between the cluster stack and the service account stack. Since `ServiceAccount` also depends on the cluster, it creates a dependency between the service account stack and the cluster stack. And hence a circular dependency is formed. #### Solution There is no inherent reason to always add the `ServiceAccount` resource to the cluster stack. If it was added to the service account stack, the circular dependency could be avoided. The solution is to use `new KubernetesManifest(this, ...)` instead of `cluster.addResource` - creating the manifest in the service account stack, which is perfectly fine since that direction of dependency is the intended one. ### AutoScalingGroup Capacity When adding capacity to a cluster using an `AutoScalingGroup`, we add the role of the ASG to the `aws-auth` role mappings of the cluster: https://github.com/aws/aws-cdk/blob/25a9cc7fabbe3b70add48edfd01421f74429b97f/packages/%40aws-cdk/aws-eks/lib/cluster.ts#L914-L923 The ASG depends on the cluster because, among others, it requires to have a tag with the cluster name: https://github.com/aws/aws-cdk/blob/25a9cc7fabbe3b70add48edfd01421f74429b97f/packages/%40aws-cdk/aws-eks/lib/cluster.ts#L907-L909 This creates a dependency between the ASG stack and the cluster stack. In case the ASG role is defined in the ASG stack, the auth mapping now creates a dependency between the cluster stack and the ASG, forming a circular dependency between the stacks. #### Solution `AwsAuth` is a singleton of the cluster, which means it is always defined in the cluster stack. Since we have no control over the stack of the ASG and its role, a circular dependency may always be created. The solution is to simply disallow creating `userMappings` or `roleMappings` with a `User/Role` that is not part of the cluster stack. This might be a little more restrictive than necessary, but it has less exposure potential to edge cases and complex dependency cycles. We can always be less restrictive down the road if needed. -------------- Fixes #8884 Fixes #9325 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
- Loading branch information
Showing
7 changed files
with
369 additions
and
119 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.