Failed to retrieve instance data from ec2 metadata #2031
Comments
Hi @brizaldi, the EBS CSI Driver's node service requires some source of instance/node metadata to function. By default, we attempt to use the EC2 Instance Metadata service, but fall back to querying the Kubernetes API. These errors point to neither source being reachable. You will need to provide the EBS CSI Node pods with access to either IMDS (for example, by raising the hop limit, see our FAQ) or the Kubernetes API server (by finding and configuring what is blocking its access to enable communication between the pod and the Kubernetes API) for it to function. Please ignore the
I've already tried to set the hop limit to either 2 or 3, but still got the same error. Here's what I've set up in Terraform:
Btw, do you know what port is used to communicate between the pod and the Kubernetes API? I suspect it might be because I used the CIS benchmark AMI, and they may have blocked the ports, since when I tried to use the usual Amazon Linux AMI no error happened.
IMDS is reached via contacting the special IP
I imagine the right outcome here is for the aws-ebs-csi-driver to add support for IMDSv2, especially now that AWS is pushing so hard for it and defaulting to disabling IMDSv1.
@dghubble The EBS CSI driver does support IMDSv2 and will use it if available, however the default IMDSv2 configuration prevents containers from accessing it. You can give the EBS CSI Driver access by running it in host networking mode, or you can give all containers access (note: generally considered a security bad practice) by increasing IMDSv2's hop limit.
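The trade-off described in the comment above, as an added audit example that is not part of the thread or the driver's code: it classifies each node's EC2 `MetadataOptions` by whether a CSI node pod can reach IMDS and whether that access is shared with every other container. The sample data and instance IDs are constructed, the status names are hypothetical, and it assumes the pod network adds one hop between pod and IMDS.

```python
import json

# Constructed sample shaped like `aws ec2 describe-instances` output (not from the issue).
SAMPLE = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-constructed0001", "MetadataOptions":
    {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
  {"InstanceId": "i-constructed0002", "MetadataOptions":
    {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
  {"InstanceId": "i-constructed0003", "MetadataOptions":
    {"HttpEndpoint": "disabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
  {"InstanceId": "i-constructed0004", "MetadataOptions":
    {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}}
]}]}
""")


def classify(opts, host_network=False):
    """Classify IMDS reachability for a CSI node pod on one instance.

    host_network: whether the pod runs in host networking mode (assumption:
    such a pod sits zero extra hops from IMDS, other pods sit one hop away).
    """
    if opts.get("HttpEndpoint") != "enabled":
        # No IMDS at all: the driver depends on the Kubernetes API fallback.
        return "imds-disabled"
    hop_limit = int(opts.get("HttpPutResponseHopLimit", 1))
    # The hop limit only constrains the IMDSv2 token (PUT) response, so
    # optional tokens (IMDSv1 allowed) or a limit >= 2 expose IMDS to all pods.
    if opts.get("HttpTokens") != "required" or hop_limit >= 2:
        return "reachable-all-pods"
    # Tokens required with hop limit 1: only host-networked pods get a token.
    return "reachable-scoped" if host_network else "blocked"


def audit(describe_output, host_network=False):
    """Map instance ID -> status for every instance in a describe-instances document."""
    return {
        inst["InstanceId"]: classify(inst.get("MetadataOptions", {}), host_network)
        for res in describe_output.get("Reservations", [])
        for inst in res.get("Instances", [])
    }


if __name__ == "__main__":
    for instance_id, status in audit(SAMPLE).items():
        print(f"{instance_id}: {status}")
```

A `blocked` node produces the error in this issue unless the pod can reach the Kubernetes API; `reachable-all-pods` makes the driver work but is the configuration the comment flags as bad practice.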
Facing the same issue. Any update on a fix?
The fix is to configure your cluster so that the EBS CSI Driver node pods have access to either IMDS or the Kubernetes API. Access to one of the two is a hard requirement for use of the EBS CSI Driver.
@ConnorJC3 These are AWS managed addons. How do we
From the node level it's working well when trying to reach the Kubernetes API below. We faced the issue when we moved from the RHEL 7 to the RHEL 9 AMI, only for the EBS add-on and also CoreDNS. On the older RHEL 7 it's working well if reverted.
EBS addon logs:
I0618 15:14:03.963302 1 main.go:135] Version: v2.10.1
goroutine 1 [running]:
coredns logs:
[INFO] plugin/reload: Running configuration SHA512 = 8a7d59126e7f114ab49c6d2613be93d8ef7d408af8ee61a710210843dc409f03133727e38f64469d9bb180f396c84ebf48a42bde3b3769730865ca9df5eb281c
Your logs likely indicate a networking issue, I would check if your pod networking (CNI plugin) is working.
Since I need the cluster to be ready soon, I switched to using the Bottlerocket image, which also has the CIS Bottlerocket Benchmark Level 1 out of the box. I will let you guys decide whether to close this issue or keep it open for discussion. Thanks.
/close
Because this does not appear to be a bug in the driver itself, and is rather an issue with the CIS image, I'm going to close this issue out. Please reopen this issue or create a new issue if further support is needed.
@ConnorJC3: Closing this issue. In response to this:
We're currently using CIS Amazon Linux 2 running on Kubernetes version 1.29 and getting this error:
ebs-csi-node