Amazon-vpc-cni-k8s: Unable to attach trunk interface for Datadog agent Pod

Created on 11 Nov 2020 · 4 Comments · Source: aws/amazon-vpc-cni-k8s

What happened:
All the pods using PodSecurityGroups are running just fine apart from the Datadog agent one, which is provisioned as a DaemonSet with the Helm chart: https://artifacthub.io/packages/helm/datadog/datadog/2.4.5.

The errors below show that there is a kind of duplicate entry:

```
Normal   Scheduled               <invalid>                      default-scheduler        Successfully assigned kube-system/datadog-agent-ww8l9 to ip-100-126-88-126.eu-west-1.compute.internal
Normal   SecurityGroupRequested  <invalid> (x6 over <invalid>)  vpc-resource-controller  Pod will get the following Security Groups [sg-0352e4ad4a4386e08]
Warning  BranchAllocationFailed  <invalid> (x5 over <invalid>)  vpc-resource-controller  failed to allocate branch ENI to pod: cannot create new eni entry already exist, older entry : [0xc00027d9d0]
```

Below is the status of the Pod:

```
Containers:
  agent:
    Container ID:
    Image:          datadog/agent:7.21.1
    Image ID:
    Port:           8125/UDP
    Host Port:      0/UDP
    Command:        agent run
    State:          Waiting
      Reason:       PodInitializing
    Ready:          False
    Restart Count:  0
    Limits:
      vpc.amazonaws.com/pod-eni:  1
    Requests:
      vpc.amazonaws.com/pod-eni:  1
    Liveness:   http-get http://:5555/live delay=15s timeout=5s period=15s #success=1 #failure=6
    Readiness:  http-get http://:5555/ready delay=15s timeout=5s period=15s #success=1 #failure=6
    Environment:
      DD_API_KEY:                  yyyyy  Optional: false
      DD_KUBERNETES_KUBELET_HOST:  (v1:status.hostIP)
```

Environment:

  • Kubernetes version (use kubectl version): v1.17.9-eks-a84824
  • CNI Version: 1.7.5
  • OS (e.g: cat /etc/os-release): AL2_x86_64

Thank you,


All 4 comments

Hi @atimush

Can you please email me ([email protected]) with cluster ARN?

Also, can you please confirm if you are using PSP? Can you also share the output of the CLI command below and the describe of the PSP?

kubectl get psp -n kube-system

Thank you!

Hi @jayanthvn,
I've just sent the details in the mail box.
Thank you

Hi @jayanthvn,
Thx a lot. As per our discussion, the problem was that the ClusterRoleBinding for the Group eks:podsecuritypolicy:privileged was missing the subjects:

```yaml
subjects:
  - kind: ServiceAccount
    name: eks-vpc-resource-controller
    namespace: kube-system
  - kind: ServiceAccount
    name: vpc-resource-controller
    namespace: kube-system
```

Thus, the controller was not able to annotate the pod object.

Opened an issue in the VPC Resource Controller repository as well for better visibility in case other users run into this issue - https://github.com/aws/amazon-vpc-resource-controller-k8s/issues/8
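As an added example (not code from the issue, the CNI project or the resource controller), a check that a ClusterRoleBinding object, as returned by `kubectl get clusterrolebinding <name> -o json`, carries the two service-account subjects the comment above names, plus a helper that returns the binding with the missing subjects appended. The binding object below is constructed for the example; only the two service-account subjects come from the thread.

```python
"""Detect and repair the missing ClusterRoleBinding subjects described in this issue."""
import copy
import json

# The two subjects the comment above says were missing (kind, name, namespace).
REQUIRED_SUBJECTS = (
    ("ServiceAccount", "eks-vpc-resource-controller", "kube-system"),
    ("ServiceAccount", "vpc-resource-controller", "kube-system"),
)


def missing_subjects(binding, required=REQUIRED_SUBJECTS):
    """Return the required (kind, name, namespace) triples absent from binding['subjects'].

    A binding with no 'subjects' key, or 'subjects: null', is treated as empty.
    """
    present = {
        (s.get("kind"), s.get("name"), s.get("namespace"))
        for s in (binding.get("subjects") or [])
    }
    return [r for r in required if r not in present]


def with_required_subjects(binding, required=REQUIRED_SUBJECTS):
    """Return a copy of the binding with every missing required subject appended."""
    fixed = copy.deepcopy(binding)
    fixed["subjects"] = list(fixed.get("subjects") or [])
    for kind, name, namespace in missing_subjects(binding, required):
        fixed["subjects"].append({"kind": kind, "name": name, "namespace": namespace})
    return fixed


# Constructed sample (hypothetical, not real cluster output): a binding that still
# lacks the controller service accounts. The binding name is taken from the thread.
BROKEN_BINDING = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRoleBinding",
  "metadata": {"name": "eks:podsecuritypolicy:privileged"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
              "name": "eks:podsecuritypolicy:privileged"},
  "subjects": [
    {"kind": "Group", "apiGroup": "rbac.authorization.k8s.io", "name": "system:masters"}
  ]
}
""")

if __name__ == "__main__":
    for kind, name, ns in missing_subjects(BROKEN_BINDING):
        print(f"missing subject: {kind} {ns}/{name}")
    print(json.dumps(with_required_subjects(BROKEN_BINDING)["subjects"], indent=2))
```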
