Technical service bulletins
Learn about the technical service bulletins (TSBs) with the Cloudera Data Engineering (CDE) service on public clouds, the impact or changes to the functionality, and the workaround.
- Technical Service Bulletin (2022-588)
- Title: Kubeconfig and new version of aws-iam-authenticator
Regenerate the Kubeconfig and, in conjunction, use a newer version of aws-iam-authenticator on AWS. The Kubeconfig in Cloudera Data Platform (CDP) Public Cloud Data Services needs to be regenerated because a Kubeconfig generated before June 15, 2022 uses an old APIVersion (client.authentication.k8s.io/v1alpha1), which is no longer supported. This causes compatibility issues with aws-iam-authenticator starting from v0.5.7. To use the new aws-iam-authenticator, the Kubeconfig must be regenerated.
- Severity: High
- Cloudera Machine Learning (CML) Data Service
- Cloudera Data Engineering (CDE) Data Service
- Cloudera Data Flow (CDF) Data Service
- CDP Public Cloud
- All existing and upcoming CDP Public Cloud releases using the affected components, listed above.
- Users of CML, CDE, and CDF using Kubeconfig generated before June 15, 2022 and a version of aws-iam-authenticator prior to v0.5.7.
- Customers using a Kubeconfig generated before June 15, 2022 and an aws-iam-authenticator version prior to v0.5.7 may find that Kubernetes clients cannot access the cluster.
From June 15, 2022 onwards, existing customers on AWS using a previously generated Kubeconfig will have to:
- Regenerate and use the new Kubeconfig, and
- Use a new version of aws-iam-authenticator starting with v0.5.7.
The newly generated Kubeconfig changes the APIVersion of the user’s section as follows:
Old: ApiVersion: "client.authentication.k8s.io/v1alpha1"
New: ApiVersion: "client.authentication.k8s.io/v1beta1"
For the latest update on this issue see the corresponding Knowledge Base article: TSB 2022-588: Kubeconfig and new version of aws-iam-authenticator
- Technical Service Bulletin (2022-587)
- Issue: CDE 1.14, 1.15, and 1.16 using Kubernetes 1.21 will fail service account token renewal after 90 days
Cloudera Data Engineering (CDE) on Amazon Web Services (AWS) running version CDE 1.14 and above using Kubernetes 1.21 will observe failed jobs after 90 days of service uptime [1].
[1] “For Amazon Elastic Kubernetes Service (EKS) clusters, the extended expiry period is 90 days. Your Amazon EKS cluster's Kubernetes API server rejects requests with tokens older than 90 days.”
- Symptoms: CDE Jobs (Spark or Airflow) fail with "Service Account May Have Been Revoked. Unauthorized"
- CDE 1.14, 1.15, 1.16 (specifically Calico and Livy)
- Cloudera Data Engineering (CDE) in Cloudera Data Platform (CDP) Public Cloud on AWS
- CDE Public Cloud releases 1.14, 1.15, 1.16
- Users that have CDE enabled for at least 90 days
- Users on Amazon Elastic Container Service for Kubernetes (EKS) with Kubernetes 1.21
- All CDE jobs will fail (new and existing ones including scheduled).
- Diagnostic bundles will also fail to download.
-