Questions tagged with Amazon Elastic Kubernetes Service


I created an EKS cluster with a default VPC and mostly the default settings from the console. Whenever I run a kubectl command, it doesn't connect with my EKS cluster, giving me the error "You must be logged in to the server (the server has asked for the client to provide credentials)". I have gone through this documentation https://aws.amazon.com/premiumsupport/knowledge-center/eks-api-server-unauthorized-error/ without finding any solution. Can someone please help?
1 answer, 0 votes, 51 views
Ayoola
asked a month ago
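An added example, not from the post above or from AWS: a small Python check for the usual cause of this error, which is that the IAM principal kubectl presents is not mapped in the aws-auth ConfigMap, or is mapped in a form the authenticator never matches. The aws-auth entries and the caller ARNs are constructed; for a real cluster read them from `kubectl -n kube-system get configmap aws-auth -o yaml` and `aws sts get-caller-identity`, run with the same profile that kubectl's exec plugin in your kubeconfig uses. One caveat: the identity that created the cluster has system:masters without appearing in aws-auth, so a miss for that identity is not by itself the problem.

```python
"""Check whether the IAM identity kubectl presents is mapped in aws-auth.

Added example, not from the original post. AWS_AUTH and the caller ARNs are
constructed; in practice read them from the aws-auth ConfigMap and
`aws sts get-caller-identity`.
"""
import re

# Constructed aws-auth content (mapRoles/mapUsers YAML strings already parsed to lists).
AWS_AUTH = {
    "mapRoles": [
        {"rolearn": "arn:aws:iam::111122223333:role/eks-node-role",
         "username": "system:node:{{EC2PrivateDNSName}}",
         "groups": ["system:bootstrappers", "system:nodes"]},
        {"rolearn": "arn:aws:iam::111122223333:role/PlatformAdmin",
         "username": "platform-admin",
         "groups": ["system:masters"]},
    ],
    "mapUsers": [
        {"userarn": "arn:aws:iam::111122223333:user/alice",
         "username": "alice",
         "groups": ["developers"]},
    ],
}

_ASSUMED_ROLE = re.compile(
    r"^arn:(?P<partition>aws[\w-]*):sts::(?P<account>\d{12}):assumed-role/"
    r"(?P<role>[^/]+)/(?P<session>[^/]+)$")
_IAM_ROLE = re.compile(
    r"^arn:(?P<partition>aws[\w-]*):iam::(?P<account>\d{12}):role/(?P<path>.*/)?(?P<role>[^/]+)$")


def canonical_arn(caller_arn: str) -> str:
    """Normalize what STS reports into the form aws-auth must contain.

    - an assumed-role session ARN (arn:...:sts::acct:assumed-role/Name/session)
      is mapped as the IAM role ARN arn:...:iam::acct:role/Name
    - a role ARN with a path (role/team/Name) must be mapped WITHOUT the path,
      because the authenticator compares against the path-less form
    - user ARNs are matched as-is
    """
    m = _ASSUMED_ROLE.match(caller_arn)
    if m:
        return f"arn:{m['partition']}:iam::{m['account']}:role/{m['role']}"
    m = _IAM_ROLE.match(caller_arn)
    if m:
        return f"arn:{m['partition']}:iam::{m['account']}:role/{m['role']}"
    return caller_arn


def lookup_mapping(aws_auth: dict, caller_arn: str):
    """Return the aws-auth entry matching the caller, or None.

    None is the situation that produces "You must be logged in to the server":
    the STS token is valid, but it cannot be mapped to a Kubernetes user.
    """
    target = canonical_arn(caller_arn)
    for entry in aws_auth.get("mapRoles", []):
        if entry["rolearn"] == target:
            return entry
    for entry in aws_auth.get("mapUsers", []):
        if entry["userarn"] == target:
            return entry
    return None


if __name__ == "__main__":
    for arn in ("arn:aws:sts::111122223333:assumed-role/PlatformAdmin/console-session",
                "arn:aws:iam::111122223333:user/bob"):
        print(arn, "->", lookup_mapping(AWS_AUTH, arn))
```

If the lookup returns None for the identity `aws sts get-caller-identity` reports, add that canonical ARN to aws-auth from an identity that is already mapped (or the cluster creator); if it returns an entry, the kubeconfig is most likely generated for a different profile or region than the one the CLI is using.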
I have a simple k8s NodePort Service linked to a k8s deployment of a single pod hosting a hello world Go program that basically uses cobra to spin up a fasthttp server. If the pod of that deployment restarts or gets deleted (and a new one spins up), the whole service goes down and never comes back up. The pod reports healthy, the service reports healthy, but the load balancer is reporting no response. If I ssh onto the EC2 node and try to call the NodePort of the service, I also get no response. Basically the entire port just dies and stops responding on the instance. Restarting the node doesn't fix it, deleting the instance and bringing up a new one doesn't fix it. I basically need to move the entire service to an entirely new port for it to start working again. This is with k8s version 1.24. Does anyone have any ideas why this might be the case? I've never encountered this issue hosting a container built in any other way.
1 answer, 0 votes, 23 views
asked a month ago
Hello Team, IHAC who has EKS cluster pods connecting to an Aurora PostgreSQL Global Database primary cluster endpoint. During an outage in the primary region, the customer wants to point the EKS pods to the DB endpoint in the secondary region. The customer is familiar with the process of failover from the database end. Are there any best practices for switching EKS cluster pods from the primary cluster endpoint to the secondary cluster endpoint? Do we have a circuit breaker solution that can be implemented? The customer must point to the DB cluster endpoints, and RDS Proxy cannot be leveraged due to an SSL cert requirement. Best practices for EKS database connection handling during failover. Thanks, Karthik
1 answer, 0 votes, 29 views
AWS
asked a month ago
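An added example, not from the post above or from AWS: client-side failover between the two cluster endpoints with a per-endpoint circuit breaker, in Python. The `connect` callable is injected so the block runs offline; in production it would be something like `lambda host: psycopg2.connect(host=host, dbname=..., sslmode="verify-full", connect_timeout=5)`, which keeps the SSL requirement mentioned in the question. The endpoint names, thresholds and the demo connect function are constructed.

```python
"""Client-side failover between Aurora cluster endpoints with a per-endpoint
circuit breaker.

Added example, not from the original post or from AWS. `connect` is injected
so this runs offline; endpoint names below are constructed.
"""
import time
from typing import Callable, Dict, List, Optional, Tuple


class CircuitBreaker:
    """Closed -> open after `threshold` consecutive failures; after `cooldown`
    seconds a single probe is allowed (half-open); one success closes it."""

    def __init__(self, threshold: int = 3, cooldown: float = 30.0,
                 clock: Callable[[], float] = time.monotonic):
        self.threshold, self.cooldown, self.clock = threshold, cooldown, clock
        self.failures = 0
        self.opened_at: Optional[float] = None

    def allows(self) -> bool:
        if self.opened_at is None:
            return True
        return self.clock() - self.opened_at >= self.cooldown   # half-open probe

    def record_success(self) -> None:
        self.failures, self.opened_at = 0, None

    def record_failure(self) -> None:
        self.failures += 1
        if self.failures >= self.threshold:
            self.opened_at = self.clock()      # (re)open and restart the cooldown


class FailoverConnector:
    """Tries endpoints in preference order, skipping those whose breaker is open."""

    def __init__(self, endpoints: List[str], connect: Callable[[str], object],
                 threshold: int = 3, cooldown: float = 30.0,
                 clock: Callable[[], float] = time.monotonic):
        self.endpoints = list(endpoints)          # primary first
        self.connect = connect                    # host -> connection; raises on failure
        self.breakers: Dict[str, CircuitBreaker] = {
            h: CircuitBreaker(threshold, cooldown, clock) for h in self.endpoints}

    def prefer(self, host: str) -> None:
        """After the secondary cluster has been promoted, make it the first choice."""
        self.endpoints.remove(host)
        self.endpoints.insert(0, host)

    def get_connection(self) -> Tuple[str, object]:
        errors = []
        for host in self.endpoints:
            breaker = self.breakers[host]
            if not breaker.allows():
                continue
            try:
                conn = self.connect(host)
            except Exception as exc:             # timeout, refused, read-only errors ...
                breaker.record_failure()
                errors.append(f"{host}: {exc}")
                continue
            breaker.record_success()
            return host, conn
        raise ConnectionError("no usable endpoint: " + "; ".join(errors))


# Constructed names for the primary and secondary cluster endpoints.
PRIMARY = "db-global.cluster-abc.eu-west-1.rds.amazonaws.com"
SECONDARY = "db-global.cluster-xyz.eu-central-1.rds.amazonaws.com"

if __name__ == "__main__":
    def demo_connect(host):                      # constructed: primary region is down
        if host == PRIMARY:
            raise TimeoutError("primary region unreachable")
        return f"<connection to {host}>"

    connector = FailoverConnector([PRIMARY, SECONDARY], demo_connect, threshold=2, cooldown=30)
    for _ in range(3):
        print(connector.get_connection())
```

Two things to pair with this in the pods: keep connections short-lived or validate them before reuse, so the client re-resolves the endpoint name after a failover instead of holding a socket to the old writer; and treat PostgreSQL's read-only errors as failures, because the secondary cluster of a Global Database is read-only until it is promoted, and the breaker should open rather than the application retrying writes against it.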
Hello aws re:Post, I want to run my pods (network-wise) in a different subnet, and for that I make use of the custom CNI config for the AWS-CNI plugin, which already works like a charm. Now I want to automate the whole process. I already achieved creating the CRD eniconfigs and deploying them automatically. But now I'm stuck at the automation of the node annotation. As I could not find any useful content while searching re:Post or the internet, I assume the solution is rather simple. I assume that the solution is somewhere here in the Launch Template, User Data or via `KUBELET_EXTRA_ARGS`, but I'm just guessing. **The Question** How can I provide annotations like mine (below) to the nodes on launch or after they joined the cluster automatically?

```
kubectl annotate node ip-111-222-111-222.eu-central-1.compute.internal k8s.amazonaws.com/eniConfig=eu-central-1c
```
4 answers, 0 votes, 47 views
asked a month ago
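An added example, not from the post above or from the VPC CNI project: a preflight check in Python that mirrors the documented lookup order of the aws-node DaemonSet when custom networking is on (the node annotation named by `ENI_CONFIG_ANNOTATION_DEF` first, then the node label named by `ENI_CONFIG_LABEL_DEF`, both defaulting to `k8s.amazonaws.com/eniConfig`) and reports which nodes would resolve to an ENIConfig that does not exist. The fallback to an ENIConfig literally named "default" when neither is set is an assumption about the CNI's behaviour. The node and ENIConfig objects are constructed; for a real cluster feed it `kubectl get nodes -o json` and `kubectl get eniconfigs -o json`.

```python
"""Preflight: which ENIConfig does each node resolve to, and does it exist?

Added example, not from the original post or the CNI project. Node and
ENIConfig objects are constructed; the "default" fallback is an assumption.
"""
from typing import Dict, Iterable, Optional

CNI_DEFAULT_KEY = "k8s.amazonaws.com/eniConfig"   # default for both CNI env vars
ZONE_LABEL = "topology.kubernetes.io/zone"         # set on every EKS node by kubelet
FALLBACK_ENICONFIG = "default"                     # assumed fallback name


def eniconfig_for_node(node: dict,
                       annotation_key: str = CNI_DEFAULT_KEY,
                       label_key: str = CNI_DEFAULT_KEY) -> str:
    meta = node.get("metadata", {})
    annotations = meta.get("annotations") or {}
    labels = meta.get("labels") or {}
    if annotation_key in annotations:              # annotations take precedence
        return annotations[annotation_key]
    if label_key in labels:
        return labels[label_key]
    return FALLBACK_ENICONFIG


def preflight(nodes: Iterable[dict], eniconfig_names: Iterable[str],
              label_key: str = CNI_DEFAULT_KEY,
              annotation_key: str = CNI_DEFAULT_KEY) -> Dict[str, Optional[str]]:
    """Map node name -> resolved ENIConfig name, or None when no such ENIConfig exists."""
    existing = set(eniconfig_names)
    result: Dict[str, Optional[str]] = {}
    for node in nodes:
        name = node["metadata"]["name"]
        resolved = eniconfig_for_node(node, annotation_key, label_key)
        result[name] = resolved if resolved in existing else None
    return result


# Constructed: two unannotated nodes carrying only the zone label, and
# ENIConfigs named after the availability zones.
NODES = [
    {"metadata": {"name": "ip-10-0-1-10.eu-central-1.compute.internal",
                  "labels": {ZONE_LABEL: "eu-central-1a"}}},
    {"metadata": {"name": "ip-10-0-3-20.eu-central-1.compute.internal",
                  "labels": {ZONE_LABEL: "eu-central-1c"}}},
]
ENICONFIGS = ["eu-central-1a", "eu-central-1b", "eu-central-1c"]

if __name__ == "__main__":
    # CNI defaults: unannotated nodes fall back to "default", which does not exist here.
    print(preflight(NODES, ENICONFIGS))
    # With ENI_CONFIG_LABEL_DEF=topology.kubernetes.io/zone no annotation is needed.
    print(preflight(NODES, ENICONFIGS, label_key=ZONE_LABEL))
```

The second run is the automation the question asks for: name each ENIConfig after its availability zone and switch the CNI to the zone label with `kubectl set env daemonset aws-node -n kube-system ENI_CONFIG_LABEL_DEF=topology.kubernetes.io/zone`; nodes then select their ENIConfig from a label kubelet already sets, and no per-node annotation, launch-template hook or user-data step is required.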
I have an EBS volume and an EKS cluster. I want to attach the volume to a cluster's node programmatically, but I don't have information on the disk's fsType and partition number. Is there any way to fetch the info, or any plugin I can use which can mount all the partitions in the volume? Here are the StorageClass and PersistentVolume with the AWS CSI driver. I have to know the fsType and partition number to mount correctly.

```yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: name-pv
spec:
  storageClassName: "gp2"
  accessModes:
    - ReadWriteOnce
  capacity:
    storage: "100Gi"
  volumeMode: Filesystem
  csi:
    driver: ebs.csi.aws.com
    fsType: <NotKnown>
    volumeHandle: "vol-XXXX"
    volumeAttributes:
      partition: "<NotKnown>"
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  annotations:
  name: gp2
parameters:
  fsType: <NotKnown>
  type: gp2
provisioner: kubernetes.io/aws-ebs
reclaimPolicy: Delete
volumeBindingMode: WaitForFirstConsumer
```
1 answer, 3 votes, 34 views
asked a month ago
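An added example, not from the post above: the CSI driver will not discover the filesystem or partition for you, but a node that has the volume attached can. The Python below parses `lsblk -J` output, returns one entry per mountable filesystem with its partition number (None for a filesystem written directly onto the device), and builds the static PersistentVolume for `ebs.csi.aws.com` from that, setting `volumeAttributes.partition` only when there is a partition table. The two lsblk outputs are constructed; on a node run `lsblk -J -o NAME,TYPE,FSTYPE,SIZE,MOUNTPOINT /dev/nvme1n1` (whatever device the attached volume appears as) and pass the JSON in.

```python
"""Discover fsType and partition number of an attached EBS volume and render
the static PV for the EBS CSI driver.

Added example, not from the original post. Both lsblk outputs are constructed.
"""
import json
import re
from typing import Dict, List, Optional

# Constructed: a 100 GiB volume with a small vfat partition and an ext4 partition.
SAMPLE_PARTITIONED = json.dumps({"blockdevices": [{
    "name": "nvme1n1", "type": "disk", "fstype": None, "size": "100G", "mountpoint": None,
    "children": [
        {"name": "nvme1n1p1", "type": "part", "fstype": "vfat", "size": "200M", "mountpoint": None},
        {"name": "nvme1n1p2", "type": "part", "fstype": "ext4", "size": "99.8G", "mountpoint": None},
    ]}]})

# Constructed: a volume formatted as a single xfs filesystem with no partition table.
SAMPLE_WHOLE_DISK = json.dumps({"blockdevices": [{
    "name": "nvme2n1", "type": "disk", "fstype": "xfs", "size": "100G", "mountpoint": None}]})


def _partition_number(disk_name: str, part_name: str) -> int:
    # nvme1n1p2 -> 2, xvdf1 -> 1: strip the parent name, then an optional "p"
    suffix = part_name[len(disk_name):]
    m = re.fullmatch(r"p?(\d+)", suffix)
    if not m:
        raise ValueError(f"cannot derive partition number from {part_name!r}")
    return int(m.group(1))


def describe_volume(lsblk_json: str) -> List[Dict[str, Optional[object]]]:
    """One entry per mountable filesystem: {"fsType": str, "partition": int or None}."""
    found: List[Dict[str, Optional[object]]] = []
    for disk in json.loads(lsblk_json)["blockdevices"]:
        if disk.get("fstype"):                       # filesystem directly on the device
            found.append({"fsType": disk["fstype"], "partition": None})
        for child in disk.get("children", []):
            if child.get("type") == "part" and child.get("fstype"):
                found.append({"fsType": child["fstype"],
                              "partition": _partition_number(disk["name"], child["name"])})
    return found


def render_pv(name: str, volume_id: str, fs: Dict[str, Optional[object]],
              size: str = "100Gi", storage_class: str = "gp2") -> dict:
    """Static PV for ebs.csi.aws.com; `partition` is only set for partitioned volumes."""
    if not fs["fsType"]:
        raise ValueError("no filesystem found; the driver cannot mount an unformatted device")
    csi = {"driver": "ebs.csi.aws.com", "volumeHandle": volume_id, "fsType": fs["fsType"]}
    if fs["partition"] is not None:
        csi["volumeAttributes"] = {"partition": str(fs["partition"])}
    return {"apiVersion": "v1", "kind": "PersistentVolume",
            "metadata": {"name": name},
            "spec": {"storageClassName": storage_class,
                     "accessModes": ["ReadWriteOnce"],
                     "capacity": {"storage": size},
                     "volumeMode": "Filesystem",
                     "csi": csi}}


if __name__ == "__main__":
    for entry in describe_volume(SAMPLE_PARTITIONED):
        print(json.dumps(render_pv("name-pv", "vol-0123456789abcdef0", entry), indent=2))
```

A PV can reference only one filesystem, so a volume with several partitions needs one PV per partition you intend to mount; the driver does not mount "all partitions" of a device. Dump the returned dict with a YAML library and `kubectl apply` it, keeping the `volumeHandle` as the real volume ID.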
We created two Route 53 zones recently and created corresponding NS records at the provider where we bought those domains. For some reason the domains are not resolving from different places. For example: from my personal laptop it started resolving only after flushing the cache on the https://1.1.1.1/purge-cache/ page (I'm using 1.1.1.1 as my DNS server); in our Kubernetes cluster the domains are not resolving correctly even after recreating the CoreDNS pods; the same problem exists on a few more laptops/PCs, which are still resolving records from our Route 53 zones to the IP address assigned to the root domain. I'm supposing that some DNS authorities are still caching old NS records for these zones, but they were created 4 days ago, so all those records should be refreshed.
1 answer, 0 votes, 58 views
asked a month ago
I want to enable secret encryption in EKS. Based on this page: [Enabling secret encryption on an existing cluster](https://docs.aws.amazon.com/eks/latest/userguide/enable-kms.html), the permissions `kms:DescribeKey` and `kms:CreateGrant` are required. My question is which one is the preferable way to assign these permissions? Should I assign the permissions manually, or give key usage permission to the eks-role?
1 answer, 0 votes, 43 views
asked a month ago
Hi, is it possible to define an NLB as an HTTPS endpoint, terminating SSL and forwarding traffic to an EKS cluster? (Assuming I don't need URL routing.) I'm trying to figure out which option would be cheaper, ALB or NLB, assuming both are possible. Thank you!
1 answer, 0 votes, 38 views
asked a month ago
My company uses ECS and EKS on Fargate to take advantage of automatic vulnerability scanning and patching by AWS. To satisfy our own customer compliance requirements we need to show evidence that Fargate is scanning and patching vulnerabilities. Is it possible to find/see a log of Fargate vulnerability management actions/events? We've been searching documentation but haven't discovered anything. Thank you.
2 answers, 0 votes, 43 views
asked a month ago
Issue summary: EKS 1.21 cluster, newly launched nodes not becoming Ready and the existing ones not scheduling pods. Since yesterday evening (5-6 CET+1) we are unable to schedule pods, and new nodes never join the cluster as they are unable to schedule and run pods for aws-node, CoreDNS, etc. Attempts to fix: 1. Scaling the node group 2. Adding a new node group. Nodes are not becoming Ready; since we have had no changes except our normal application deployments using Flux on the cluster, we didn't change any security or configuration of the cluster or nodes. Logs: a snippet of the control plane logs:

```
E0216 13:35:13.581039 10 scheduler.go:344] "Error updating pod" err="the server was unable to return a response in the time allotted, but may still be processing the request (patch pods test-pod-prasad)" pod="cluster-services/test-pod-prasad"
E0216 13:36:13.583815 10 framework.go:898] "Failed running Bind plugin" err="the server was unable to return a response in the time allotted, but may still be processing the request (post pods test-pod)" plugin="DefaultBinder" pod="cluster-services/test-pod"
I0216 13:36:13.583860 10 scheduler.go:435] "Failed to bind pod" pod="cluster-services/test-pod"
E0216 13:36:13.583913 10 factory.go:355] "Error scheduling pod; retrying" err="binding rejected: running Bind plugin \"DefaultBinder\": the server was unable to return a response in the time allotted, but may still be processing the request (post pods test-pod)" pod="cluster-services/test-pod"
E0216 13:36:43.597058 10 framework.go:898] "Failed running Bind plugin" err="the server was unable to return a response in the time allotted, but may still be processing the request (post pods test-pod-prasad)" plugin="DefaultBinder" pod="cluster-services/test-pod-prasad"
I0216 13:36:43.597095 10 scheduler.go:435] "Failed to bind pod" pod="cluster-services/test-pod-prasad"
E0216 13:36:43.597134 10 factory.go:355] "Error scheduling pod; retrying" err="binding rejected: running Bind plugin \"DefaultBinder\": the server was unable to return a response in the time allotted, but may still be processing the request (post pods test-pod-prasad)" pod="cluster-services/test-pod-prasad"
E0216 13:37:13.585621 10 scheduler.go:344] "Error updating pod" err="the server was unable to return a response in the time allotted, but may still be processing the request (patch pods test-pod)" pod="cluster-services/test-pod"
E0216 13:37:24.473084 10 framework.go:898] "Failed running Bind plugin" err="the server was unable to return a response in the time allotted, but may still be processing the request (post pods test-pod)" plugin="DefaultBinder" pod="cluster-services/test-pod"
I0216 13:37:24.473144 10 scheduler.go:435] "Failed to bind pod" pod="cluster-services/test-pod"
E0216 13:37:24.473189 10 factory.go:355] "Error scheduling pod; retrying" err="binding rejected: running Bind plugin \"DefaultBinder\": the server was unable to return a response in the time allotted, but may still be processing the request (post pods test-pod)" pod="cluster-services/test-pod"
E0216 13:37:43.605065 10 scheduler.go:344] "Error updating pod" err="the server was unable to return a response in the time allotted, but may still be processing the request
```
4 answers, 0 votes, 48 views
asked a month ago
I have a cluster in EKS with an NLB (internet-facing) and then ingress-nginx. During a Qualys PCI scan I got a CVE-2004-0230 alert on ports 80 and 443 (tested on port 80/443 with an injected SYN/RST offset by 16 bytes). How can I fix it? I can't find where this problem persists, on the load balancer or on the ingress side. Maybe anyone can help? Thanks in advance!
1 answer, 0 votes, 18 views
Monkz
asked a month ago
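An added example, not from the post above or from Qualys: what a CVE-2004-0230 finding actually tests, in Python. Under the original RFC 793 rules a TCP endpoint accepts a RST whose sequence number falls anywhere inside the receive window, so an off-path attacker who knows the 4-tuple only has to guess the window, not the exact sequence number; RFC 5961 accepts a RST only when it lands exactly on RCV.NXT and answers an in-window-but-inexact one with a challenge ACK. The scanner's "offset by 16 bytes" is a RST at RCV.NXT + 16, which the first behaviour accepts and the second does not. The window values are constructed. The fix belongs on whichever host owns the TCP state for the scanned port, and modern Linux kernels implement RFC 5961, so the practical question is what is terminating TCP in front of ingress-nginx and whether the scanner reached that or a node directly.

```python
"""RST validation under RFC 793 versus RFC 5961, the difference behind
CVE-2004-0230 findings.

Added example, not from the original post. Window sizes and sequence numbers
below are constructed.
"""
from typing import Callable

SEQ_SPACE = 2 ** 32


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, with 32-bit wraparound."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rst_action_rfc793(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Pre-RFC 5961 behaviour: any in-window RST tears the connection down."""
    return "reset" if seq_in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def rst_action_rfc5961(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """RFC 5961 section 3.2: exact match resets, in-window gets a challenge ACK."""
    if seq % SEQ_SPACE == rcv_nxt:
        return "reset"
    if seq_in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def scanner_verdict(action: Callable[[int, int, int], str],
                    rcv_nxt: int, rcv_wnd: int, offset: int = 16) -> str:
    """Model of the probe in the finding: a RST at RCV.NXT + offset."""
    seq = (rcv_nxt + offset) % SEQ_SPACE
    return "vulnerable" if action(seq, rcv_nxt, rcv_wnd) == "reset" else "not vulnerable"


def blind_rst_guesses(rcv_wnd: int, rfc5961: bool) -> int:
    """Worst-case RST guesses needed once the 4-tuple is known: one per window
    under RFC 793, one per sequence number under RFC 5961."""
    return SEQ_SPACE if rfc5961 else SEQ_SPACE // rcv_wnd


if __name__ == "__main__":
    rcv_nxt, rcv_wnd = 1000, 65535            # constructed connection state
    for name, fn in (("rfc793", rst_action_rfc793), ("rfc5961", rst_action_rfc5961)):
        print(name, scanner_verdict(fn, rcv_nxt, rcv_wnd),
              "guesses:", blind_rst_guesses(rcv_wnd, fn is rst_action_rfc5961))
```

The guess count is the reason scanners still flag this: with a 64 KiB window an RFC 793 stack can be reset with about 65 thousand spoofed packets, while an RFC 5961 stack needs the full 2^32 sequence space, which is why the challenge-ACK behaviour (not a firewall rule) is the fix.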
Need some help! I want to integrate AWS Secrets Manager in EKS. One way I tried is the Secrets Store CSI Driver (SSCSID). It mounts the secrets directly into the pod. If I want to set an environment variable using a secret, then we need to enable the secretSync option of SSCSID, because of which SSCSID creates a Kubernetes secret for our secret data. This is similar to using k8s secrets, which are base64 encoded. What I want to have is: the k8s secret should not contain the actual data, it should contain a placeholder, and then the driver/k8s should replace the placeholder with data from AWS Secrets Manager at the time of mounting/using the secret inside the pod. Can anyone please suggest the right way or tool for it? Thanks
1 answer, 0 votes, 38 views
akshayw
asked a month ago