-
Notifications
You must be signed in to change notification settings - Fork 19
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CloudWatch Agent fails to authenticate: IMDS Issues #75
Comments
Hello, we are aware of the issue. We are evaluating a solution where we run the cloudwatch agent pod with Just to clarify, you need both |
yes. without setting |
Can you clarify what your cluster setup looks like? Are you using EKS? Native K8s on EC2? |
Using EKS 1.29 with BottleRocketOS AMI nodes [IMDSv2 with hop-limit:2] and facing credentials not found issue within cloudwatch-agents pods, fluentbit works fine though after annotating "cloudwatch-agent" SA with IRSA that both fluentbit and cloudwatch-agent daemonsets share. Adding env values mentioned by @kwangjong made permissions work. Also as of now there is no way to add annotations to "cloudwatch-agent" SA from helm values file, can that be added? Also "hostnetwork" parameter will be required for custom CNI use cases. In my case, I am using CiliumCNI and hence "hostNetwork: true" was required for agent to work |
I am using EKS 1.3 |
I am using EKS 1.30 and seeing this issue also. |
same issue as this: aws/amazon-cloudwatch-agent#1101
I solved it by modifying
/cloudwatch-agent-daemonset.yaml
like this:And, configured Gatekeeper to restrict the hostnetwork access exclusive to cloudwatch agent.
As this doc recommends to block IMDS access from unwanted pods:
https://docs.aws.amazon.com/whitepapers/latest/security-practices-multi-tenant-saas-applications-eks/restrict-the-use-of-host-networking-and-block-access-to-instance-metadata-service.html
But, there needs to be more robust and permanent solution to address this issue.
The text was updated successfully, but these errors were encountered: