Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

EKS add on - VPC CNI stuck on "creating"

0

I'm trying to add the VPC CNI add-on to my EKS cluster, but I mistakenly forgot to assign the necessary IAM role. Now the creation process has been stuck for over an hour, and I can't find a way to stop or delete the operation.

Has anyone encountered this issue before, and what steps can I take to resolve it?

EKS version: 1.30 VPC CNI version: v1.18.3-eksbuild.1

EDIT Got an error: InsufficientNumberOfReplicas The add-on is unhealthy because it doesn't have the desired number of replicas.

Topics
Networking & Content DeliveryContainers
Tags
Amazon EKS AnywhereAmazon VPC
Language
English
asked a year ago3.5K views
2 Answers
1
Accepted Answer

The role I've created was not as a service account of the cluster, once I've tried that from the console it seem better, and now I've created it properly, I can see it from console, and I've used it.

answered a year ago
EXPERT
reviewed a year ago
0

1. Delete the Stuck Add-On First, try to delete the stuck add-on using the AWS CLI

aws eks delete-addon --cluster-name <your-cluster-name> --addon-name vpc-cni

If it doesn’t delete immediately, you might need to force the deletion. You can do this by using the --force flag:

aws eks delete-addon --cluster-name <your-cluster-name> --addon-name vpc-cni --force

2. Assign the Correct IAM Role

Ensure that the IAM role with the necessary permissions for the VPC CNI add-on is created and associated with the EKS cluster.

The IAM role should have the following managed policy attached: AmazonEKS_CNI_Policy.

Attach the IAM role to your EKS cluster

aws eks associate-identity-provider-config --cluster-name <your-cluster-name> --identity-provider-config <your-config>

Re-Add the VPC CNI Add-On Once the role is properly assigned, you can re-add the VPC CNI add-on to your cluster:

aws eks create-addon --cluster-name <your-cluster-name> --addon-name vpc-cni

Check the Status

Monitor the status of the add-on to ensure it is created successfully

aws eks describe-addon --cluster-name <your-cluster-name> --addon-name vpc-cni

Check the Add-On Pods

You can also check the status of the VPC CNI pods using kubectl:

kubectl get pods -n kube-system -l k8s-app=aws-node

If you still see issues, review the logs for any errors

kubectl logs <pod-name> -n kube-system
EXPERT
answered a year ago
  • zach
    a year ago

    As per https://docs.aws.amazon.com/cli/latest/reference/eks/associate-identity-provider-config.html , aws eks associate-identity-provider-config command does not take --identity-provider-config as an argument, instead taking --oidc as a required arg, which does have identityProviderConfigName as an additional arg.

    Additionally reading the docs for that command it's not clear to me if it works with AWS IAM roles + policies as is described in the answer, or with kubernetes specific permissions.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content