Hi,
When I deploy the aws-alb-ingress-controller on an AWS EKS cluster (eks_consul), I am facing this issue:
```
I0118 10:46:07.170763 1 api.go:159] Request: tagging/GetResources, Payload: { ResourceTypeFilters: ["ec2"], ResourcesPerPage: 50, TagFilters: [{ Key: "kubernetes.io/role/internal-elb", Values: ["","1"] },{ Key: "kubernetes.io/cluster/eks_consul", Values: ["owned","shared"] }]}
E0118 10:46:07.175401 1 request_pagination.go:105] Failed request: tagging/GetResources, Payload: { ResourceTypeFilters: ["ec2"], ResourcesPerPage: 50, TagFilters: [{ Key: "kubernetes.io/role/internal-elb", Values: ["","1"] },{ Key: "kubernetes.io/cluster/eks_consul", Values: ["owned","shared"] }]}, Error: RequestError: send request failed
caused by: Post https://tagging.us-east-1.amazonaws.com/: dial tcp: lookup tagging.us-east-1.amazonaws.com on 10.100.0.10:53: no such host
E0118 10:46:07.175523 1 :0] kubebuilder/controller "msg"="Reconciler error" "error"="failed to build LoadBalancer configuration due to failed to get AWS tags. Error: RequestError: send request failed\ncaused by: Post https://tagging.us-east-1.amazonaws.com/: dial tcp: lookup tagging.us-east-1.amazonaws.com on 10.100.0.10:53: no such host" "Controller"="alb-ingress-controller" "Request"={"Namespace":"2048-game","Name":"2048-ingress"}
```
```
kubectl edit deployment.apps/eks-aws-alb1-aws-alb-ingress-controller -n kube-system
...
- --cluster-name=eks_consul
- --ingress-class=alb
- --aws-api-debug
...
```
where "eks_consul" is my EKS cluster name.
So, AWS does not create the ALB service ...
I don't understand the problem with the tag
Thanks
Maurice
Also, I have
```
kubectl edit ing 2048-ingress -n 2048-game
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/healthcheck-path: /
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80,"HTTPS": 443}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/tags: app=2048,Environment=testing,AWSAlbIngressController=true
    alb.ingress.kubernetes.io/target-type: ip
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"alb.ingress.kubernetes.io/scheme":"internet-facing","kubernetes.io/ingress.class":"alb"},"labels":{"app":"2048-ingress"},"name":"2048-ingress","namespace":"2048-game"},"spec":{"rules":[{"http":{"paths":[{"backend":{"serviceName":"service-2048","servicePort":80},"path":"/*"}]}}]}}
    kubernetes.io/ingress.class: alb
    kubernetes.io/ingress.subnets: subnet-5666df21,subnet-4907c262
  creationTimestamp: 2019-01-17T13:32:02Z
  generation: 1
  labels:
    app: 2048-ingress
  name: 2048-ingress
  namespace: 2048-game
  resourceVersion: "2115642"
  selfLink: /apis/extensions/v1beta1/namespaces/2048-game/ingresses/2048-ingress
  uid: 45b8047a-1a5c-11e9-bde7-0a2ea8adb6ba
spec:
  rules:
  - http:
      paths:
      - backend:
          serviceName: service-2048
          servicePort: 80
        path: /*
status:
  loadBalancer: {}
```
thanks for any help
Maurice
Hi,
Your ingress spec is fine.
From the error message, there is some problem with kube-system/kube-dns in your cluster (it's not the controller's problem).
Did you set up some networkACL or securityGroup in your VPC that blocked outgoing DNS requests?
thanks, I need to check the issue with my kubeDNS and update
@moris1amar
Just encountered the same issue and dug it out.
Are you creating using eksctl with privateNetworking==true?
If so, there is a bug where node-to-node communication is blocked, so the pods on a worker node cannot talk to kubedns/coredns (also on worker nodes).
Adding an inbound UDP/53->nodeSecurityGroup rule on your nodeSecurityGroup will resolve it 😄
Though it should be fixed in eksctl
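An added example, not part of the original thread: a Python check, over data in the shape returned by `aws ec2 describe-security-groups`, of whether a node security group admits port 53 from its own members, which is the rule the comment above adds. The sample data and group IDs are constructed placeholders; rules granted by CIDR range rather than by self-reference are not evaluated.

```python
import json

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`.
# Group IDs are placeholders, not values from the thread.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-NODES-BLOCKED", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 1025, "ToPort": 65535,
     "UserIdGroupPairs": [{"GroupId": "sg-CONTROLPLANE"}]}]},
  {"GroupId": "sg-NODES-FIXED", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 1025, "ToPort": 65535,
     "UserIdGroupPairs": [{"GroupId": "sg-CONTROLPLANE"}]},
    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
     "UserIdGroupPairs": [{"GroupId": "sg-NODES-FIXED"}]}]},
  {"GroupId": "sg-NODES-ALLOWALL", "IpPermissions": [
    {"IpProtocol": "-1",
     "UserIdGroupPairs": [{"GroupId": "sg-NODES-ALLOWALL"}]}]}
]}
""")

def rule_covers(perm, proto, port):
    """True if one IpPermissions entry admits proto/port."""
    if perm["IpProtocol"] == "-1":          # "-1" means all protocols, all ports
        return True
    if perm["IpProtocol"] != proto:
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def self_dns_allowed(group, proto="udp"):
    """True if the group accepts port 53 from its own members (node-to-node)."""
    gid = group["GroupId"]
    return any(
        rule_covers(perm, proto, 53)
        and any(p.get("GroupId") == gid for p in perm.get("UserIdGroupPairs", []))
        for perm in group.get("IpPermissions", [])
    )

def audit(doc):
    """Map each group ID to the DNS transports that are open node-to-node."""
    return {g["GroupId"]: {p: self_dns_allowed(g, p) for p in ("udp", "tcp")}
            for g in doc["SecurityGroups"]}

if __name__ == "__main__":
    for gid, result in audit(SAMPLE).items():
        print(gid, result)
```

TCP is reported alongside UDP because DNS falls back to TCP for responses too large for a single UDP datagram.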
I also encountered this situation and it was not due to security groups. Finally, I discovered that environment variable AWS_VPC_K8S_CNI_EXTERNALSNAT must be set true on the aws-node DaemonSet if workers are run in a private subnet and use a NAT gateway in a private subnet to access the internet.
```
$ kubectl edit -n kube-system ds aws-node
...
      containers:
      - env:
        # IMPORTANT When workers run in a private subnet and use a NAT gateway
        # This must be true to use the external SNAT, not SNAT within CNI
        # https://docs.aws.amazon.com/eks/latest/userguide/external-snat.html
        - name: AWS_VPC_K8S_CNI_EXTERNALSNAT
          value: "true"
...
```
@hobti01 do you recall if you had to do anything special after that update? Or did it work in real time after you made the change?
After editing the DaemonSet, nodes were registered in real time as the Pod on each node was replaced.
Has anybody tried with kops? I am facing the same issue; I am using kops to create the cluster.