[EKS] [BAD-DECISION]: EKS Pod Identity agent daemonset mapped to node-port 80 #2356
Comments
The EKS Pod Identity Agent only binds to the address on link-local interface created by the initial setup. Specifically, the call to bind binds to port 80 on the following IP addresses:
You can get around this limitation by specifying the address of the interface you are trying to bind to port 80. e.g. if you are doing a To know the primary IP that your instance has you can run
Alternatively you can use EC2's
@vpineda1996 it hijacks port-80 on the node; if I deploy haproxy ingress daemonset on hostnetwork and use a random port e.g. 30680 it will work fine.
This just took down all my nginx ingress the same way. Had to remove the addon and delete the daemonset to fix.
fyi code is here now - https://github.com/aws/eks-pod-identity-agent - can we please move this to an issue there? 🙏🏾
thanks @ChrisMcKee
Community Note
Tell us about your request
What do you want us to build?
Which service(s) is this request for?
EKS
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
What outcome are you trying to achieve, ultimately, and why is it hard/impossible to do right now? What is the impact of not having this problem solved? The more details you can provide, the better we'll be able to understand and solve the problem.
We tried to install the eks-pod-identity-agent addon so that we could set the auth config to allow both options.
The addon installs as a daemonset with HostNetwork set to true, pod permissions to map to the node, and a default port set to 80.
The instant that the service started to install, all of our Haproxy ingress pods were evicted so that the identity service could map to port 80.
I'd love to know the rationale that went into choosing to map the node-port to what is literally the main http port; and then not to document how to change it to avoid collisions. Through all the documentation that mentions it the only warning is here https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html#pod-id-considerations and it's a note rather than informative. The majority of links go straight to https://docs.aws.amazon.com/eks/latest/userguide/pod-id-agent-setup.html which doesn't mention it at all.
Are you currently working around this issue?
How are you currently solving this problem?
Uninstalled the Addon
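The collision described in this issue (an agent daemonset claiming port 80 on a link-local address, an ingress daemonset claiming port 80 on all interfaces) and the workaround from the comments (bind the ingress to the node's primary address, or move it to another port) can be checked before an addon is rolled out. The following is an added example, not code from this issue or from the eks-pod-identity-agent project; it models the hostPort conflict rule as kube-scheduler applies it (same protocol and port, and either matching hostIP or one side on 0.0.0.0), and the agent address 169.254.170.23 and node IP 10.0.1.15 are assumed sample values, not quoted from the page.

```python
from dataclasses import dataclass

WILDCARD = "0.0.0.0"


@dataclass(frozen=True)
class HostPort:
    """A port that a hostNetwork/hostPort pod claims on its node."""
    node: str
    pod: str
    port: int
    host_ip: str = ""      # empty means "all interfaces" (0.0.0.0)
    protocol: str = "TCP"


def _ip(hp: HostPort) -> str:
    return hp.host_ip or WILDCARD


def conflicts(a: HostPort, b: HostPort) -> bool:
    """Conflict if protocol and port match and the hostIPs are equal
    or either side is bound to every interface (assumed scheduler rule)."""
    if a.protocol != b.protocol or a.port != b.port:
        return False
    return _ip(a) == _ip(b) or WILDCARD in (_ip(a), _ip(b))


def find_conflicts(claims):
    """Return (pod_a, pod_b) pairs that cannot coexist on the same node."""
    by_node = {}
    for c in claims:
        by_node.setdefault(c.node, []).append(c)
    found = []
    for group in by_node.values():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if conflicts(a, b):
                    found.append((a.pod, b.pod))
    return found


# Constructed sample claims (not taken from a real cluster).
AGENT = HostPort("node-1", "eks-pod-identity-agent", 80, "169.254.170.23")
INGRESS_ANY = HostPort("node-1", "haproxy-ingress", 80)            # 0.0.0.0:80
INGRESS_NODE_IP = HostPort("node-1", "haproxy-ingress", 80, "10.0.1.15")
INGRESS_ALT_PORT = HostPort("node-1", "haproxy-ingress", 30680)


def demo():
    return {
        "any": find_conflicts([AGENT, INGRESS_ANY]),
        "node_ip": find_conflicts([AGENT, INGRESS_NODE_IP]),
        "alt_port": find_conflicts([AGENT, INGRESS_ALT_PORT]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result or "no conflict")
```

Only the ingress bound to all interfaces on port 80 collides with the agent; the same ingress pinned to the node's primary IP, or moved to port 30680 as one commenter did, schedules alongside it.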