Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

EKS Pod Identity for Karpenter running on host network

0

Hi, I'm deploying Karpenter to manage EKS worker nodes.

The cluster is configured with Cilium CNI, which Karpenter deems a custom CNI, and it is required to run the controller on the node network (hostNetwork: true) for readiness / liveness probes to function correctly.

However, when running the Karpenter controller on the node network it is denied credentials from the pod identity agent with the following message:

Controller:

{"level":"ERROR","time":"2026-03-17T08:28:04.089Z","logger":"controller","message":"ec2 api connectivity check failed","commit":"e7e1327","error":"operation error EC2: DescribeInstanceTypes, get identity: get credentials: failed to refresh cached credentials, failed to load credentials, : [0af280a5-9e4d-4717-8e70-9f8016a4ca29]: (AccessDeniedException): Unauthorized Exception! EKS does not have permissions to assume the associated role., fault: client\n"}

Pod identity agent:

{"client-addr":"169.254.170.23:56670","cluster-name":"redacted","level":"error","msg":"Error fetching credentials: error getting credentials to cache: unable to fetch credentials from EKS Auth: operation error EKS Auth: AssumeRoleForPodIdentity, https response error StatusCode: 400, RequestID: fd67d0ad-5f5f-4a05-b34a-7b6ccf6904dc, AccessDeniedException: Unauthorized Exception! EKS does not have permissions to assume the associated role.","operation":"AssumeRoleForPodIdentity","request-id":"fd67d0ad-5f5f-4a05-b34a-7b6ccf6904dc","service":"EKS Auth","time":"2026-03-16T15:33:15Z"}

Note that the role / service account association is correct, and the controller assumes the role without issue when not running on the node network.

Topics
Containers
Tags
Amazon Elastic Kubernetes Service
Language
English
asked 2 months ago123 views
1 Answer
2

Why it works without hostNetwork but fails with it ... ->

The reason it works when hostNetwork: false is that the Pod is likely falling back to IRSA (OIDC). In a standard setup, the AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN environment variables are injected. When the Pod is in the overlay network, it uses the OIDC provider to assume the role.

However, when you switch to hostNetwork: true, the networking path to the metadata service changes. EKS Pod Identity (the newer method) uses a local agent on the node (169.254.170.23).

EKS Auth vs. OIDC

The error message AccessDeniedException: EKS does NOT have permissions to assume the associated role specifically comes from the EKS Auth Service, not the OIDC provider.

So, even if your "Role / Service Account Association" is correct for IRSA, it is likely missing the specific requirement for EKS Pod Identity:

  • The Trust Policy Problem: IRSA requires oidc.eks... in the Trust Policy. EKS Pod Identity strictly requires pods.eks.amazonaws.com. If you only have the OIDC provider in your Trust Policy, the EKS Auth Service is denied permission to "hand out" that role to a pod on the host network.
  • The Session Tagging: Unlike IRSA, EKS Pod Identity requires the sts:TagSession permission in the Trust Policy. Without it, the EKS Auth API call will fail even if the Service Principal is correct.

In short: Your setup works without hostNetwork because it's using the OIDC (IRSA) flow. When you enable hostNetwork, the traffic shifts towards the EKS Pod Identity Agent. This agent uses the EKS Auth Service, which does not have permission to assume your role unless you explicitly add pods.eks.amazonaws.com to your IAM Role's Trust Relationship.

see:

PS: could you try to run this command to check if your IAM Role actually trusts the EKS Pod Identity service:

aws iam get-role --role-name <YOUR_KARPENTER_ROLE_NAME> --query 'Role.AssumeRolePolicyDocument'

If you only see oidc.eks.<region>.amazonaws.com in the output, it will never work with Pod Identity on the host network. You must add the new service principal.

EKS Pod Identity requires sts:TagSession in addition to sts:AssumeRole. IRSA often works without explicit tagging permissions, but Pod Identity does not.

As far as I'm right, your Trust Relationship must include this block to allow the EKS Auth service to "speak" to your role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "pods.eks.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:TagSession"
            ]
        }
    ]
}

see also:

EXPERT
answered 2 months ago
  • Daniel Milanov
    2 months ago

    Hi, thanks for responding. The role trust policy does have pods.eks.amazonaws.com principal, and sts:TagSessionaction.

  • Florian Turnwald EXPERT
    2 months ago

    okay, thanks for clarifying. Since your Trust Policy is already correctly configured with pods.eks.amazonaws.com and sts:TagSession as you state, you should look at the EKS Pod Identity Association and the network path specifically for hostNetwork pods.

    Did you already ensured that your Cilium configuration and no AWS Security Groups for Pods are not blocking outbound traffic from the host to the EKS Auth Agent IP (169.254.170.23) and did you also may already ensured the eks-pod-identity-agent addon is running and healthy on the specific nodes where Karpenter is scheduled?

  • Daniel Milanov
    2 months ago

    Yes, the agent on the specific node is healthy, and serving requests. Requests from karpenter controller are not blocked. The log from auth agent on the node is included above.

  • Florian Turnwald EXPERT
    2 months ago

    Thanks for the update! As I mentioned, it seems like a network or identity-related issue. Once you've figured it out, would you mind sharing the solution? At lease me, and anyone else facing a similar issue would love to benefit from your insights!

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content