Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CloudWatch Agent fails to authenticate: IMDS Issues #75

Open
kwangjong opened this issue Jul 31, 2024 · 8 comments
Open

CloudWatch Agent fails to authenticate: IMDS Issues #75

kwangjong opened this issue Jul 31, 2024 · 8 comments

Comments

@kwangjong
Copy link

kwangjong commented Jul 31, 2024

same issue as this: aws/amazon-cloudwatch-agent#1101

I solved it by modifying /cloudwatch-agent-daemonset.yaml like this:

apiVersion: cloudwatch.aws.amazon.com/v1alpha1
kind: AmazonCloudWatchAgent
metadata:
  name: {{ template "cloudwatch-agent.name" . }}
  namespace: {{ .Release.Namespace }}
spec:
+ hostNetwork: true
  image: {{ template "cloudwatch-agent.image" . }}
  mode: daemonset
  ...
  env:
+ - name: RUN_WITH_IRSA
+   value: "True"
  - name: K8S_NODE_NAME
    valueFrom:
      fieldRef:
        fieldPath: spec.nodeName
  ...

And, configured Gatekeeper to restrict the hostnetwork access exclusive to cloudwatch agent.
As this doc recommends to block IMDS access from unwanted pods:
https://docs.aws.amazon.com/whitepapers/latest/security-practices-multi-tenant-saas-applications-eks/restrict-the-use-of-host-networking-and-block-access-to-instance-metadata-service.html

But, there needs to be more robust and permanent solution to address this issue.

@lisguo
Copy link
Contributor

lisguo commented Aug 8, 2024

Hello, we are aware of the issue. We are evaluating a solution where we run the cloudwatch agent pod with hostNetwork: true to resolve the hop limit restriction.

Just to clarify, you need both hostNetwork: true AND RUN_WITH_IRSA set to true as an environment variable?

@kwangjong
Copy link
Author

kwangjong commented Aug 9, 2024

yes. without setting RUN_WITH_IRSA to True, the pod attempted to authenticate using /root/.aws/credentials in my case.

@lisguo
Copy link
Contributor

lisguo commented Aug 12, 2024

Can you clarify what your cluster setup looks like? Are you using EKS? Native K8s on EC2?

@dbcelm
Copy link

dbcelm commented Aug 13, 2024

Using EKS 1.29 with BottleRocketOS AMI nodes [IMDSv2 with hop-limit:2] and facing credentials not found issue within cloudwatch-agents pods, fluentbit works fine though after annotating "cloudwatch-agent" SA with IRSA that both fluentbit and cloudwatch-agent daemonsets share.

Adding env values mentioned by @kwangjong made permissions work. Also as of now there is no way to add annotations to "cloudwatch-agent" SA from helm values file, can that be added?

Also "hostnetwork" parameter will be required for custom CNI use cases. In my case, I am using CiliumCNI and hence "hostNetwork: true" was required for agent to work

@kwangjong
Copy link
Author

Can you clarify what your cluster setup looks like? Are you using EKS? Native K8s on EC2?

I am using EKS 1.3

@jamesking-github
Copy link

I am using EKS 1.30 and seeing this issue also.

@mtavaresmedeiros
Copy link

Any update on it? @lisguo
@dbcelm, how did you pass the annotations to the service account?

@suankan
Copy link

suankan commented Dec 2, 2024

Any update on it? @lisguo @dbcelm, how did you pass the annotations to the service account?

This is how you can do it: #78

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

6 participants