Channels
announcements
ask-the-community
auth
conference-talks
contribute
databricks-integration
datahub-flyte
deployment
ecosystem-unionml
engineeringlabs
events
feature-discussions
flyte-bazel
flyte-build
flyte-console
flyte-deployment
flyte-documentation
flyte-github
flyte-on-gcp
flyte-ui-ux
flytekit
flytekit-java
flytelab
great-content
hacktoberfest-2022
helsing-flyte
in-flyte-conversations
integrations
introductions
jobs
konan-integration
linkedin-flyte
random
ray-integration
ray-on-flyte
release
scipy-2022-sprint
show-and-tell
sig-large-models
torch-elastic
workflow-building-ui-proj
writing-w-sfloris
Title
r
Radhakrishna Sanka
04/13/2023, 4:40 PMI was looking at the instructions for getting a cluster running on AWS and I noticed that the 1.0 documentation was a lot better than the latest (explicitly describes all the dependencies). Any idea on whats the best guide for this ?
d
David Espejo (he/him)
04/13/2023, 5:56 PMhi @Radhakrishna Sanka
Here's a community-maintained resource to get you started on AWS
https://github.com/davidmirror-ops/flyte-the-hard-way
r
Radhakrishna Sanka
04/13/2023, 10:31 PMThanks a lot for this. I was looking for a resource like this. krishna
@David Espejo (he/him) thanks a lot for the guide. It seems like I’m having some issues creating nodegroups, it creates the instances but gives me the following error:
Your current user or role does not have access to Kubernetes objects on this EKS nodegroupScreen Shot 2023-04-15 at 7.05.33 PM.png
d
David Espejo (he/him)
04/16/2023, 6:48 PMseems like there are two errors in here:
1. the role issue has more to do with the IAM role you're using in the Management console to configure the cluster. It probably doesn't have permissions to query the API server. Take a look at: https://repost.aws/knowledge-center/eks-kubernetes-object-access-error
2.
The instances failed yo join the kubernetes clusterr
Radhakrishna Sanka
04/16/2023, 10:50 PMYeah it seems like something was off with the VPC (either the lack of endpoints or something else). I did finally manage to create the EKS. One thing I’m trying to confirm is the full outline for the IAM role
flyte-systemd
David Espejo (he/him)
04/17/2023, 5:33 PMI'm rebuilding my environment today, once I get to the role will post the JSON here.
{
"Role": {
"Path": "/",
"RoleName": "flyte-system-role",
"RoleId": "AROAYS5I3UDGD6RDWHN5M",
"Arn": "arn:aws:iam::590375264460:role/flyte-system-role",
"CreateDate": "2023-04-17T21:14:53+00:00",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::590375264460:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/1EE94FBE2DE77558404404CF5947470C"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"<http://oidc.eks.us-east-1.amazonaws.com/id/1EE94FBE2DE77558404404CF5947470C:aud|oidc.eks.us-east-1.amazonaws.com/id/1EE94FBE2DE77558404404CF5947470C:aud>": "<http://sts.amazonaws.com|sts.amazonaws.com>",
"<http://oidc.eks.us-east-1.amazonaws.com/id/1EE94FBE2DE77558404404CF5947470C:sub|oidc.eks.us-east-1.amazonaws.com/id/1EE94FBE2DE77558404404CF5947470C:sub>": "system:serviceaccount:flyte:flyte-backend-binary"
}
}
}
]
},
"Description": "",
"MaxSessionDuration": 3600,
"Tags": [
{
"Key": "<http://alpha.eksctl.io/cluster-name|alpha.eksctl.io/cluster-name>",
"Value": "fthw-eks-cluster"
},
{
"Key": "<http://eksctl.cluster.k8s.io/v1alpha1/cluster-name|eksctl.cluster.k8s.io/v1alpha1/cluster-name>",
"Value": "fthw-eks-cluster"
},
{
"Key": "<http://alpha.eksctl.io/iamserviceaccount-name|alpha.eksctl.io/iamserviceaccount-name>",
"Value": "flyte/flyte-backend-binary"
},
{
"Key": "<http://alpha.eksctl.io/eksctl-version|alpha.eksctl.io/eksctl-version>",
"Value": "0.132.0-dev+15bffbb0d.2023-03-01T18:34:36Z"
}
],
"RoleLastUsed": {}
}bear in mind that it was created with
eksctlr
Radhakrishna Sanka
04/17/2023, 9:23 PMThanks !
I’m doing a Infrastructure-as-Code implementation of this so I’m trying to get as much details down as possible.
d
David Espejo (he/him)
04/17/2023, 9:27 PMoh please!
you using Terraform or similar?
r
Radhakrishna Sanka
04/17/2023, 9:27 PMpulumi, since a lot of code is in golang
I need to clean up some things but I’ll put it up on github for you to access. I wouldn’t mind having another set of eyes on this
d
David Espejo (he/him)
04/17/2023, 9:29 PMawesome!
Thanks so much
r
Radhakrishna Sanka
04/17/2023, 9:29 PMNo thank you for helping so much, I’m still stuck trying to figure out the flye-admin role stuff but I think I might get it to work soon
d
David Espejo (he/him)
04/17/2023, 9:39 PMif it's of any help, take a look at this architecture diagram which I plan to contribute to docs
It's been checked with maintainers and code 🙂
https://drive.google.com/file/d/1U4UnjzEV4LzqI_e2SOLJb8wzuzt4DxUE/view?usp=sharing
r
Radhakrishna Sanka
04/17/2023, 10:32 PM@David Espejo (he/him) - Heres the repo (https://github.com/rkrishnasanka/flyte-pulumi.git). The thing is still under development, I’m still figuring out:
1. how to pull the security group associated with the EKS cluster for the RDS
2. Role for the EKS IAM, ODIC provider and a bunch of other stuff that you used the kubernates cmdline tools for.
Basically 3, 4, 5
Any inputs you might have would be useful
@David Espejo (he/him) one question I have is which security group you’re pulling for the EKS cluster?
d
David Espejo (he/him)
04/18/2023, 3:21 PMFor the tutorial I'm just using the default one. Of course EKS will create and manage two other SGs for intra-node and node-to-control-plane communication
r
Radhakrishna Sanka
04/18/2023, 3:22 PMSo which one would work for the RDS ?
I would image the node-to-control panel SG ?
d
David Espejo (he/him)
04/18/2023, 3:27 PMin this case, it would be also the
defaultr
Radhakrishna Sanka
04/18/2023, 3:29 PMWill the control plane be the only one talking to the RDS ?
d
David Espejo (he/him)
04/18/2023, 3:31 PMwith
control planer
Radhakrishna Sanka
04/18/2023, 3:36 PMGotcha, I think I have some of the kubernates fundamentals wrong I think. Okay I’m testing out the RDS connection with the default Security group now. One more clarification: Would this RDS connect test you wrote work if I don’t create the
flyte-system-roled
David Espejo (he/him)
04/18/2023, 3:38 PMright , the RDS connection test doesn't require the IAM Role. It's needed when you have to write data to S3 (eg running a workflow)
r
Radhakrishna Sanka
04/25/2023, 4:52 PM@David Espejo (he/him) Hows it going ? So I was travelling most of last week and got to work on this again today:
I created an instance of the RDS (not aurora at the moment to conserve the resources). But it seems like the pods are unable to resolve the endpoint:
sql: could not translate host name "<http://flyte-db5b39eef.cfk9fd2rmdtl.us-east-1.rds.amazonaws.com|flyte-db5b39eef.cfk9fd2rmdtl.us-east-1.rds.amazonaws.com>" to address: Temporary failure in name resolution
pod "pgsql-postgresql-client" deleted
pod testdb/pgsql-postgresql-client terminated (Error)Any idea to test if any namespace resolution is working on the eks nodes ?
d
David Espejo (he/him)
04/25/2023, 5:10 PMHey @Radhakrishna Sanka thanks for sharing and I'm glad you're keeping up the great work!
It could be something on the coredns instance (assuming you're using coredns)
You can follow the instructions here to troubleshoot DNS resolution:
https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/
r
Radhakrishna Sanka
04/25/2023, 5:12 PMOh thanks for this. Yeah, kubernates + network has been the most tedious part of trying to set this up tbh. Between VPC configuration issues, subnet unavailability, I think most of the issues have been around this.
d
David Espejo (he/him)
04/25/2023, 5:14 PMI hear you, it can be troublesome
r
Radhakrishna Sanka
04/25/2023, 6:37 PM@David Espejo (he/him) so I ran:
kubectl get pods -n kube-systemNAME READY STATUS RESTARTS AGE
aws-node-26snb 1/1 Running 0 134m
aws-node-b5vsr 1/1 Running 0 133m
aws-node-dx522 1/1 Running 0 133m
aws-node-ssgss 1/1 Running 0 133m
aws-node-xwp5n 1/1 Running 0 134m
coredns-7975d6fb9b-cnwqf 0/1 Pending 0 138m
coredns-7975d6fb9b-xw8qw 0/1 Pending 0 138m
kube-proxy-5v9cw 1/1 Running 0 134m
kube-proxy-9r8fv 1/1 Running 0 134m
kube-proxy-9z4c5 1/1 Running 0 133m
kube-proxy-cbfff 1/1 Running 0 133m
kube-proxy-gxhcj 1/1 Running 0 133md
David Espejo (he/him)
04/25/2023, 6:45 PMcan you
kubectl describe core-dns-... -n kube-systemEventsr
Radhakrishna Sanka
04/25/2023, 7:34 PModd the command isn’t working.
its giving the following error
error: the server doesn't have a resource type "coredns-7975d6fb9b-cnwqf"Apologies, I’m new to kubernates
d
David Espejo (he/him)
04/25/2023, 8:09 PMsorry:
kubectl describe pod core-dns... -n kube-systemr
Radhakrishna Sanka
04/25/2023, 9:01 PM@David Espejo (he/him) figured it out, my instances were too tiny so it didn’t get enough threads to launch coreDNS
Now I just have the RDS acting up and not responding
Not sure if its a VPC thing or something else
d
David Espejo (he/him)
04/25/2023, 10:07 PMcan you share the result of running the db test container?
the DB should be in the same VPC and Security Group your EKS cluster is at the moment
r
Radhakrishna Sanka
04/25/2023, 10:09 PMAh shit, I just tore it down. I’m guessing its using the default security group for the VPC. Its in the same VPC though. I’ll launch it and send over the result.
d
David Espejo (he/him)
05/04/2023, 5:14 PMhi @Radhakrishna Sanka have you been able to make progress on this?