What happened:
All the pods using the PodSecurityGroups are running just fine apart from the Datadog agent one, which is provisioned as a DS with the Helm chart: https://artifacthub.io/packages/helm/datadog/datadog/2.4.5.
The errors below show that there is a kind of duplicate entry:
```
Normal   Scheduled               <invalid>                      default-scheduler        Successfully assigned kube-system/datadog-agent-ww8l9 to ip-100-126-88-126.eu-west-1.compute.internal
Normal   SecurityGroupRequested  <invalid> (x6 over <invalid>)  vpc-resource-controller  Pod will get the following Security Groups [sg-0352e4ad4a4386e08]
Warning  BranchAllocationFailed  <invalid> (x5 over <invalid>)  vpc-resource-controller  failed to allocate branch ENI to pod: cannot create new eni entry already exist, older entry : [0xc00027d9d0]
```
Below is the status of the Pod:
```
Containers:
  agent:
    Container ID:
    Image:          datadog/agent:7.21.1
    Image ID:
    Port:           8125/UDP
    Host Port:      0/UDP
    Command:
      agent
      run
    State:          Waiting
      Reason:       PodInitializing
    Ready:          False
    Restart Count:  0
    Limits:
      vpc.amazonaws.com/pod-eni:  1
    Requests:
      vpc.amazonaws.com/pod-eni:  1
    Liveness:   http-get http://:5555/live delay=15s timeout=5s period=15s #success=1 #failure=6
    Readiness:  http-get http://:5555/ready delay=15s timeout=5s period=15s #success=1 #failure=6
    Environment:
      DD_API_KEY:                  yyyyy  Optional: false
      DD_KUBERNETES_KUBELET_HOST:  (v1:status.hostIP)
```
Environment:
```
kubectl version: v1.17.9-eks-a84824
cat /etc/os-release: AL2_x86_64
```
Thank you,
Hi @atimush
Can you please email me ([email protected]) with cluster ARN?
Also, can you please confirm if you are using PSP? Can you also share the output of the CLI command below and a describe of the PSP?
```
kubectl get psp -n kube-system
```
Thank you!
Hi @jayanthvn,
I've just sent the details in the mail box.
Thank you
Hi @jayanthvn,
Thx a lot. As per our discussion, the problem was that the ClusterRoleBinding for the Group eks:podsecuritypolicy:privileged was missing the subjects:
```yaml
subjects:
- name: eks-vpc-resource-controller
  namespace: kube-system
- name: vpc-resource-controller
  namespace: kube-system
```
Thus, the controller was not able to annotate the pod object.
Opened an issue in the VPC Resource Controller Repository as well for better visibility in case other users run into this issue - https://github.com/aws/amazon-vpc-resource-controller-k8s/issues/8
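A check for the misconfiguration described in this thread, added here as an example (not code from the thread or from the AWS controller): it takes the JSON that `kubectl get clusterrolebinding -o json` prints, finds every binding to the `eks:podsecuritypolicy:privileged` ClusterRole, and reports bindings with no subjects or that leave either controller service account unbound. The binding name in the embedded sample is constructed.

```python
import json

# Role and subjects exactly as named in the thread: (namespace, name).
PRIVILEGED_ROLE = "eks:podsecuritypolicy:privileged"
REQUIRED_SUBJECTS = {
    ("kube-system", "eks-vpc-resource-controller"),
    ("kube-system", "vpc-resource-controller"),
}


def privileged_bindings(crb_list):
    """ClusterRoleBindings whose roleRef is the privileged PSP ClusterRole."""
    return [
        b for b in crb_list.get("items", [])
        if b.get("roleRef", {}).get("kind") == "ClusterRole"
        and b["roleRef"].get("name") == PRIVILEGED_ROLE
    ]


def check_bindings(crb_list):
    """Return human-readable problems; [] means both controller SAs are bound."""
    problems, bound = [], set()
    for b in privileged_bindings(crb_list):
        subjects = b.get("subjects") or []   # key is simply absent in the broken case
        if not subjects:
            problems.append(f"{b['metadata']['name']}: no subjects")
        bound.update((s.get("namespace", ""), s.get("name", "")) for s in subjects)
    for ns, name in sorted(REQUIRED_SUBJECTS - bound):
        problems.append(f"{ns}/{name} is not bound to {PRIVILEGED_ROLE}")
    return problems


def check_file(path):
    """Run the check on a saved `kubectl get clusterrolebinding -o json` dump."""
    with open(path) as fh:
        return check_bindings(json.load(fh))


def binding(name, subjects):
    """Minimal ClusterRoleBinding dict for constructed test data."""
    doc = {"metadata": {"name": name},
           "roleRef": {"kind": "ClusterRole", "name": PRIVILEGED_ROLE}}
    if subjects is not None:
        doc["subjects"] = [{"namespace": ns, "name": n} for ns, n in subjects]
    return doc


# Constructed samples (binding name is a placeholder): the state the thread found
# (no subjects at all) and the state after the fix.
BROKEN = {"items": [binding("example-privileged-psp-binding", None)]}
FIXED = {"items": [binding("example-privileged-psp-binding", sorted(REQUIRED_SUBJECTS))]}

if __name__ == "__main__":
    for label, doc in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_bindings(doc) or ["ok"])
```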