When network policy is enabled on VPC CNI add-on, a second container is added to the aws-node pod for a node agent. This node agent can send the network policy logs to CloudWatch logs.
With the current configuration, aws-node is in a CrashLoopBackOff state because that container does not have the right permissions related to CloudWatch logs.
✋ I have searched the open/closed issues and my issue is not listed.
Versions
Module version: 5.39.0
Terraform version: 1.8.2
Provider version(s): 5.48.0
Reproduction Code
I am creating the EKS cluster by using the AWS EKS Terraform module 20.8.5. When setting up the cluster add-ons, I am enabling the Network Policy and the Network Policy logs as we can see below:

```hcl
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "20.8.5"

  cluster_addons = {
    coredns = {
      addon_version = var.cluster_addons_versions.coredns
    }
    kube-proxy = { # Upgrade of this component usually makes sense after the control plane upgrade
      addon_version = var.cluster_addons_versions.kube_proxy
    }
    vpc-cni = {
      before_compute           = true
      addon_version            = var.cluster_addons_versions.vpc_cni
      service_account_role_arn = module.vpc_cni_irsa.iam_role_arn
      configuration_values = jsonencode({
        "enableNetworkPolicy" : "true", # <==== here
        "nodeAgent" : {                 # <===== here
          "enablePolicyEventLogs" : "true",
          "enableCloudWatchLogs" : "true"
        }
      })
    }
  }
}
```
The IRSA role is created by using the submodule iam-role-for-service-accounts-eks in this repo.
This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days.
Description
Submodule: iam-role-for-service-accounts-eks
The VPC CNI Policy in https://github.com/terraform-aws-modules/terraform-aws-iam/blob/v5.39.0/modules/iam-role-for-service-accounts-eks/policies.tf is missing some permissions when AWS VPC CNI Network Policy logs are enabled.
Expected behavior
It would be nice to add those permissions to the policy file.
Based on https://docs.aws.amazon.com/eks/latest/userguide/cni-network-policy.html#cni-network-policy-setup the following permissions should be added
Actual behavior
aws-node is in a CrashLoopBackOff state because that policy does not have the right permissions related to CloudWatch logs.
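As an added example (not code from the issue or from the terraform-aws-iam module), one way to give the node agent what it needs until the submodule's policy is updated: attach a supplementary policy to the IRSA role from the reproduction above. It assumes the four CloudWatch Logs actions the linked AWS page lists (logs:DescribeLogGroups, logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents, as I recall them; verify against that page), the `iam_role_name` output of the submodule, and a `network_policy_log_group_arn` variable so the write actions are scoped to one log group instead of `*`.

```hcl
# Added example, not part of the issue or the module. Supplements the IRSA role
# created by module.vpc_cni_irsa with the CloudWatch Logs actions the node agent
# needs. The log group the agent writes to is an assumption: set
# var.network_policy_log_group_arn to match your cluster.

variable "network_policy_log_group_arn" {
  description = "ARN of the CloudWatch log group the network policy agent writes to (assumption: adjust per cluster)"
  type        = string
}

data "aws_iam_policy_document" "vpc_cni_network_policy_logs" {
  # DescribeLogGroups is an account-wide list operation, so it stays on "*".
  statement {
    sid       = "DescribeLogGroups"
    effect    = "Allow"
    actions   = ["logs:DescribeLogGroups"]
    resources = ["*"]
  }

  # Write actions are scoped to the agent's log group and its streams rather than "*",
  # so the role cannot create or write to unrelated log groups.
  statement {
    sid    = "WriteNetworkPolicyLogs"
    effect = "Allow"
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]
    resources = [
      var.network_policy_log_group_arn,
      "${var.network_policy_log_group_arn}:*", # log streams under the group
    ]
  }
}

resource "aws_iam_policy" "vpc_cni_network_policy_logs" {
  name_prefix = "vpc-cni-network-policy-logs-"
  policy      = data.aws_iam_policy_document.vpc_cni_network_policy_logs.json
}

# Attach to the IRSA role the submodule created; iam_role_name is a module output.
resource "aws_iam_role_policy_attachment" "vpc_cni_network_policy_logs" {
  role       = module.vpc_cni_irsa.iam_role_name
  policy_arn = aws_iam_policy.vpc_cni_network_policy_logs.arn
}
```

After applying, restart the aws-node DaemonSet pods and confirm the node agent container leaves CrashLoopBackOff; if it still cannot write, the log group ARN assumption is the first thing to check.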