Description
What were you trying to accomplish?
We launch EKS clusters using instanceRoleARN to attach managed policies (AmazonEKSWorkerNodePolicy, AmazonEKS_CNI_Policy, AmazonEC2ContainerRegistryReadOnly) to our node group instances.
We provided a path on these roles of "/eks/" for organizational purposes. We'd like to be able to manage these node groups, but the pathing seems to cause a degradation in node group health.
What happened?
The cluster creates as expected, but after about an hour or so the node group shows up as degraded.
It's a little tough to tell with the redactions, but the ARN shown in the "Affected resources" column lacks the /eks/ path prefix.
Removing the path parameter from the role seems to avoid the issue.
How to reproduce it?
We use an eksctl config template like this:
managedNodeGroups:
  - name: stable-{{ .CLUSTER_NAME_WITH_HYPHENS }}
    instanceType: r5.8xlarge
    desiredCapacity: 2
    minSize: 2
    maxSize: 2
    privateNetworking: true
    volumeSize: 40
    volumeType: gp3
    volumeEncrypted: true
    labels:
      stable: "true"
    tags:
      <<: *tags
    iam:
      instanceRoleARN: {{ .STABLE_NODES_ROLE_ARN }}
Where the instance role ARN is "arn:aws:iam::ACCOUNT:role/eks/ROLE_NAME"
Logs
Output from eksctl during creation is normal.
Anything else we need to know?
What OS are you using? macos
Are you using a downloaded binary or did you compile eksctl? downloaded via asdf
What type of AWS credentials are you using (i.e. default/named profile, MFA)? SSO
Versions
❯ eksctl info
eksctl version: 0.183.0
kubectl version: v1.30.2
OS: darwin
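
The report above turns on the difference between a role ARN that carries the /eks/ path and the same ARN without it. The following is an added example (not part of the original issue, and not eksctl or EKS code) that parses both forms and flags the case where only the path was dropped; the function names, the account ID and the role name are constructed for illustration.

```python
import re
from typing import NamedTuple

class RoleArn(NamedTuple):
    partition: str
    account: str
    path: str  # normalised to start and end with "/"; "/" when no path is set
    name: str

def parse_role_arn(arn: str) -> RoleArn:
    """Split arn:<partition>:iam::<account>:role/<path/>name into its parts."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "iam" or parts[3]:
        raise ValueError(f"not an IAM ARN: {arn!r}")
    partition, account, resource = parts[1], parts[4], parts[5]
    if not re.fullmatch(r"\d{12}", account):
        raise ValueError(f"bad account id in {arn!r}")
    kind, _, rest = resource.partition("/")
    if kind != "role" or "//" in resource:
        raise ValueError(f"not a role ARN: {arn!r}")
    # Everything before the last "/" is the path, the last segment is the name.
    path, _, name = rest.rpartition("/")
    if not re.fullmatch(r"[A-Za-z0-9_+=,.@-]{1,64}", name):
        raise ValueError(f"bad role name in {arn!r}")
    return RoleArn(partition, account, f"/{path}/" if path else "/", name)

def compare_role_arns(configured: str, reported: str) -> str:
    """Classify how a reported role ARN relates to the configured one."""
    want, got = parse_role_arn(configured), parse_role_arn(reported)
    if want == got:
        return "match"
    if (want.partition, want.account, want.name) != (got.partition, got.account, got.name):
        return "different-role"
    # Same account and role name, so only the path differs.
    return "path-dropped" if got.path == "/" else "path-differs"

# Constructed sample values: placeholder account id and role name.
CONFIGURED = "arn:aws:iam::111122223333:role/eks/example-node-role"
REPORTED = "arn:aws:iam::111122223333:role/example-node-role"

if __name__ == "__main__":
    print(parse_role_arn(CONFIGURED))
    print(compare_role_arns(CONFIGURED, REPORTED))
```

A string comparison of the two ARNs only says they differ; splitting out the path shows that the account and role name agree and the path is the sole difference.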

