jtblin / kube2iam

kube2iam provides different AWS IAM roles for pods running on Kubernetes
BSD 3-Clause "New" or "Revised" License

Upgrade kube2iam from 10.1 to 10.11 causing "Error getting instance id Get http://169.254.169.254/latest/meta-data/instance-id" #321

Open ahmsb8884 opened 3 years ago

ahmsb8884 commented 3 years ago

Team,

I have no such errors on the 10.1 version, and when I upgraded to 10.11 I started observing the logs below.

Please advise whether this was reported before, and whether it is an issue requiring config, a bug, or a warning to be ignored.

k8s 1.13.5

image: xxxxx.dkr.ecr.us-west-1.amazonaws.com/third_party/kube2iam:0.10.11

time="2021-08-13T19:51:17Z" level=error msg="Error getting instance id Get \"http://169.254.169.254/latest/meta-data/instance-id\": dial tcp 169.254.169.254:80: i/o timeout"
time="2021-08-13T19:51:17Z" level=info msg="Listening on port 8181"

My spec is below:

  containers:
  - args:
    - --host-interface=cali+
    - --node=$(NODE_NAME)
    - --host-ip=$(HOST_IP)
    - --iptables=true
    - --base-role-arn=arn:aws:iam::xxxx:role/
    - --debug=true
    - --default-role=kube2iam-default.xxxxx.com
    - --iam-role-key=iam.amazonaws.com/role
    - --log-format=text
    - --log-level=info
    - --namespace-key=iam.amazonaws.com/allowed-roles
    - --namespace-restrictions=true
    - --verbose
    - --app-port=8181
    env:
    - name: HOST_IP
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: status.podIP
    - name: NODE_NAME
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: spec.nodeName
    - name: AWS_ACCESS_KEY_ID
      valueFrom:
        secretKeyRef:
          key: aws_access_key_id
          name: kube2iam
    - name: AWS_SECRET_ACCESS_KEY
      valueFrom:
        secretKeyRef:
          key: aws_secret_access_key
          name: kube2iam
    - name: AWS_DEFAULT_REGION
      value: us-west-1
    image: xxxx.dkr.ecr.us-west-1.amazonaws.com/third_party/kube2iam:0.10.11
    imagePullPolicy: IfNotPresent
    name: kube2iam
    ports:
    - containerPort: 8181
      hostPort: 8181
      protocol: TCP
    resources: {}
    securityContext:
      privileged: true
      procMount: Default
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube2iam-token-bz4xb
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  hostNetwork: true
  imagePullSecrets:
  - name: awsecr-cred