EKS pods get node IP address instead of IP from Calico IP Pool

Hello, in order to take advantage of higher pod density along with network policies we removed AWS VPC CNI add-on (aws-node) and rely on Calico CNI add-on (calico-node) for pod network management. After removing aws-node daemonset and terminating EKS worker nodes, new nodes were created by ASG and all pods scheduled. My question, while most pods scheduled on the new nodes have been assigned IP address from Calico IP pool, as expected, a number of pods, mostly daemonset pods, have been assigned the same IP as the node IP.
Any help with this will be highly appreciated. JS

Sujets

Réseaux et diffusion de contenu Conteneurs

Balises

Amazon VPC Réseaux et diffusion de contenu Service Amazon Elastic Kubernetes

Langue

English

AWS-User-JS

demandé il y a 2 ans1379 vues

1 réponse

Le plus récent
Le plus de votes
La plupart des commentaires

Ces réponses sont-elles utiles ? Votez pour la bonne réponse pour aider la communauté à bénéficier de vos connaissances.

Réponse acceptée

Can you inspect and see if the pod spec has hostNetwork set to true?

Jason_S

répondu il y a 2 ans

AWS-User-JS
il y a 2 ans
Jason_S, thanks for that. hostNetwork spec is set to true in pods with node IP, indeed.
Obviously I'm new to AWS EKS and CNI in general. I guess hostNetwork is set to true on purpose, for example, calico-node pods require direct access to host network ?
Jason_S
il y a 2 ans
This is due to a limitation of EKS (Unable to deploy Calico to control plane nodes), you can refer here https://projectcalico.docs.tigera.io/getting-started/kubernetes/managed-public-cloud/eks. Generally speaking hostNetwork is a bad idea from a security point of view and only trusted pods should have it enabled (even that is not recommended).
Jason_S
il y a 2 ans
Additionally, not sure what pod density you are concerned about. For performance and reliability perspective we strongly discourage you from exceeding the limit such as in here https://github.com/awslabs/amazon-eks-ami/blob/master/files/eni-max-pods.txt. However if it's an ENI imposed limit (i.e. # of ENIs attached to the instance) you can refer to the following blogpost - https://aws.amazon.com/blogs/containers/amazon-vpc-cni-increases-pods-per-node-limits/
AWS-User-JS
il y a 2 ans
Jason_S, many thanks for excellent answer. That helps a lot. Much appreciated.

Contenus pertinents

LIghstail Instance in suspens
rePost-User-6587585
demandé il y a un an
[ACTION REQUIRED] Update your TLS connections to 1.2 : quelles applications sont concernées ?
rePost-User-7550145
demandé il y a un an
error 403 / cloud front
nico-HPF
demandé il y a 2 mois
Mon loadbalancer ne marche pas comme il devrait
zerros
demandé il y a un an
Pourquoi mes pods ne se connectent-ils pas à d'autres pods dans Amazon EKS ?
AWS OFFICIELA mis à jour il y a un an
Quelles sont les bonnes pratiques pour configurer le plug-in CNI Amazon VPC afin qu'il utilise une adresse IP dans les sous-réseaux VPC avec Amazon EKS ?
AWS OFFICIELA mis à jour il y a 2 ans
Comment choisir des sous-réseaux IP spécifiques à utiliser pour les pods de mon cluster Amazon EKS ?
AWS OFFICIELA mis à jour il y a un an
Pourquoi mon pod Amazon EKS est-il bloqué à l'état ContainerCreating et affiche l'erreur « failed to create pod sandbox » (impossible de créer l'environnement de test (sandbox) du pod) ?
AWS OFFICIELA mis à jour il y a un an