Open sschamp opened 1 month ago
/kind bug
@sschamp, hi, it might be the ec2 instance use hop limit as 1 for default, can you change the hop limit to 2 and see if it fixes the issue? or you can specify the --aws-vpc-id
directly through the controller flag.
see: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/deploy/installation/#using-the-amazon-ec2-instance-metadata-server-version-2-imdsv2
I went with the option of manually specifying --aws-vpc-id
and all is well again.
This issue can be closed.
Thanks for the confirmation, closing it now.
Thanks for the confirmation, closing it now.
Can we please reopen? Although setting --aws-vpc-id
works this is not matching the documentation, which states that if it's not specified it will be auto-detected (which works for Amazon Linux 2 but not for 2023). This is a breaking change that more people will likely encounter as AL2023 get more exposed.
@fcuello-fudo, can you check your instance hop limit? in order for the controller to fetch the vpc id it requires the hop limit to be at least 2 we call out in live doc: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.8/deploy/installation/#using-the-amazon-ec2-instance-metadata-server-version-2-imdsv2
By default, AL2023 nodes in a managed node group have the hop limit set to 1: https://aws.amazon.com/blogs/containers/amazon-eks-optimized-amazon-linux-2023-amis-now-available/
For IMDSv2 the default hop count for MNG is set to 1.
Can we update the docs as this is a breaking change on the load balancer controller which users won't immediately be aware of.
Can we update the docs as this is a breaking change on the load balancer controller which users won't immediately be aware of.
Yeah, that was also my point.
/kind documentation
Describe the bug The pods fail to run on EKS Nodes which are using AL2023 instead of AL2:
Steps to reproduce
Amazon Linux 2023 (x86_64) Standard (AL2023_x86_64_STANDARD)
aws-load-balancer-controller-*
on the new Nodes (either by setting NodeAffinity, or by using a New Cluster)Expected outcome The Pods to be able to read the meta-data of the Node Instance.
Environment
Additional Context:
It might be because AL2023 no longer allows you to query
http://169.254.169.254/latest/meta-data/
directly. They have started using IMDSv2 instead of IMDSv1. (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html) You need to provide a token first:curl -s http://169.254.169.254/latest/meta-data/ --header "X-aws-ec2-metadata-token: $TOKEN"
eg:
/usr/bin/curl --noproxy '*' -w "\n" -s -H "X-aws-ec2-metadata-token: $(curl --noproxy '*' -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")" http://169.254.169.254/latest/meta-data/instance-id