aws/amazon-vpc-cni-k8s

Nodes no longer labeled with "vpc.amazonaws.com/has-trunk-attached"

vgunapati opened this issue · 5 comments

What happened:
Looks like starting from 1.15.x, for security groups for pods, when setting the environment variable ENABLE_POD_ENI=true, the node label with the key vpc.amazonaws.com/has-trunk-attached is no longer patched. Is this expected?

This makes pods get stuck in Pending if vpc.amazonaws.com/has-trunk-attached is used as a label selector on pods.

Official documentation still says this should be available on the node object: https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html

Attach logs

What you expected to happen:

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know?:

Environment:

  • Kubernetes version (use kubectl version): v1.25.11-eks-a5565ad
  • CNI Version: 1.15.4
  • OS (e.g: cat /etc/os-release):
  • Kernel (e.g. uname -a):

@vgunapati Yes, this is expected, as VPC CNI migrated from a label-based approach (vpc.amazonaws.com/has-trunk-attached) to a CRD-based approach (CNINode) in v1.15.0+. The release notes for v1.15.0 call out CNINode, but it looks like they do not properly mention that vpc.amazonaws.com/has-trunk-attached is deprecated.

As for the public docs, the update has been in progress for some time. I will push on that internally.
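A pre-upgrade check for the failure described in this issue, added here as an example (it is not code from the project or from the commenters). It scans `kubectl get ... -o json` output for pods and pod templates that can only schedule onto nodes carrying the label, and it goes beyond the `nodeSelector` case in the report to cover required node affinity as well. The function names and the sample objects are constructed for illustration.

```python
import json

DEPRECATED_LABEL = "vpc.amazonaws.com/has-trunk-attached"
# Operators that cannot match a node lacking the label (DoesNotExist/NotIn can).
NEEDS_LABEL = {"In", "Exists", "Gt", "Lt"}

def pod_spec(obj):
    """Pod spec of a Pod or of a templated workload such as a Deployment."""
    spec = obj.get("spec") or {}
    return (spec["template"].get("spec") or {}) if "template" in spec else spec

def term_needs_label(term):
    # Expressions inside one term are ANDed: one dependent expression is enough.
    return any(e.get("key") == DEPRECATED_LABEL and e.get("operator") in NEEDS_LABEL
               for e in term.get("matchExpressions") or [])

def hard_dependencies(obj):
    """Constraints that no node can satisfy once the label is no longer set."""
    spec, hits = pod_spec(obj), []
    if DEPRECATED_LABEL in (spec.get("nodeSelector") or {}):
        hits.append("nodeSelector")
    required = ((spec.get("affinity") or {}).get("nodeAffinity") or {}).get(
        "requiredDuringSchedulingIgnoredDuringExecution") or {}
    terms = required.get("nodeSelectorTerms") or []
    # Terms are ORed: the pod is blocked only if every term depends on the label.
    if terms and all(term_needs_label(t) for t in terms):
        hits.append("nodeAffinity")
    return hits

def scan(kubectl_json):
    """Map 'Kind/namespace/name' to its blocking constraints."""
    report = {}
    for item in json.loads(kubectl_json).get("items") or []:
        meta = item.get("metadata") or {}
        if hits := hard_dependencies(item):
            report[f"{item.get('kind')}/{meta.get('namespace')}/{meta.get('name')}"] = hits
    return report

# Constructed sample in the shape of `kubectl get pods,deployments -A -o json`.
def _obj(kind, name, spec):
    return {"kind": kind, "metadata": {"namespace": "app", "name": name}, "spec": spec}
def _required(*ops):
    terms = [{"matchExpressions": [{"key": DEPRECATED_LABEL, "operator": op}]} for op in ops]
    return {"affinity": {"nodeAffinity": {
        "requiredDuringSchedulingIgnoredDuringExecution": {"nodeSelectorTerms": terms}}}}

SAMPLE = json.dumps({"items": [
    _obj("Pod", "api", {"nodeSelector": {DEPRECATED_LABEL: "true"}}),
    _obj("Deployment", "web", {"template": {"spec": _required("Exists")}}),
    _obj("Pod", "batch", _required("Exists", "DoesNotExist")),  # second term still matches
]})
```

Calling `scan(SAMPLE)` reports the `api` pod and the `web` Deployment; `batch` is not reported because one of its ORed affinity terms still matches a node without the label.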

@jdn5126 Thank you for the quick response and providing the necessary information. It would be helpful to include this type of change in the release notes to avoid any usage prior to the upgrade.

Definitely, I apologize for missing that. I will add it to the release notes now.

Updated
