[BUG] datadog-cluster-agent auto-detect failure when using EKS pod identity

Agent Environment
datadog:

Describe what happened:
Unable to leverage EKS Pod Identity

Resulting in the following error in the datadog-agent-cluster pod logs for auto-detect on pod startup:

```
...
cluster-agent 2024-12-18 23:36:06 UTC | CLUSTER | WARN | (subcommands/start/command.go:335 in start) | Failed to auto-detect a Kubernetes cluster name. We recommend you set it manually via the cluster_name config option
...
```

However, using the same namespace and an ad hoc container I can successfully run `aws ec2 describe-instances` from the aws cli using the same EKS pod identity:

Apply the manifest to test from the cluster's namespace:

```
$ kubectl apply -f ./pod.yaml
```

Confirm that pod association is working for the namespace and serviceaccount:

```
$ kubectl exec -n datadog --stdin --tty aws-debug -- /bin/sh
sh-4.2# aws sts get-caller-identity
...# Confirm that identity is actually the pod
sh-4.2# aws ec2 describe-instances
...# See the json returning all ec2 instances in region
```

Describe what you expected:
In order for auto-detect for EKS cluster name to work it requires the `ec2:DescribeInstances` permission: https://docs.datadoghq.com/containers/guide/kubernetes-cluster-name-detection/

EKS Pod Identity provides an alternative way of authenticating with IAM at the pod boundary. It's an alternative to the IRSA approach for IAM role usage inside pods. I would expect the datadog-cluster-agent to pick up IAM credentials from the environment token set by EKS Pod Identity.

Steps to reproduce the issue:
namespace: datadog
serviceAccount: datadog-cluster-agent
IAM trust relationship:
IAM permission policies:

Additional environment details (Operating System, Cloud provider, etc):
Datadog:
EKS:

This could be a similar issue to the ignoring of local environment variables during initialization of the ec2 client required for IRSA: #29916

Currently, the Agent and Cluster-Agent do not yet support the EKS Pod Identity feature. However, this is on our radar, and we’ll make sure to update the community once we’ve made progress on implementing this functionality. We appreciate your understanding and patience in the meantime!

sarcasticadmin changed the title from "[BUG] datadog-cluster-agent auto-detect failure with using EKS pod identity" to "[BUG] datadog-cluster-agent auto-detect failure when using EKS pod identity" on Dec 24, 2024
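The failure mode in this issue is a credential-resolution mismatch: the pod does carry credentials (the aws-debug pod proves it), but the agent's EC2 client is built without consulting the variables that EKS Pod Identity injects, so it falls through to the node's instance metadata and `DescribeInstances` fails. The preflight below is an added example, not code from the issue or from the Datadog agent. It walks the standard AWS SDK default-chain order using only the documented SDK environment variable names (static keys, IRSA web identity, container credentials as used by Pod Identity, then IMDS); the `client_honours_env` flag and the `isfile` hook are assumptions introduced here so the agent behaviour can be modelled and the check can run offline. Run it inside the pod to see which source a well-behaved client would use.

```python
#!/usr/bin/env python3
"""Preflight: which AWS credential source will an SDK client in this pod use?

Added example (not Datadog's code). Mirrors the default credential chain order
of the AWS SDKs using only the standard SDK environment variable names, and
models the case from the issue where a client ignores those variables.
"""
import os
from typing import Callable, Mapping

# Standard AWS SDK variable names; none of these values come from the issue.
STATIC_KEY_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")
# Injected by the IRSA admission webhook.
IRSA_VARS = ("AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE")
# Injected by the EKS Pod Identity agent: a local credential endpoint plus a token file.
POD_IDENTITY_VARS = ("AWS_CONTAINER_CREDENTIALS_FULL_URI",
                     "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE")

# Constructed sample environment resembling what the Pod Identity agent sets
# (assumed values for illustration, not captured from a real pod).
SAMPLE_POD_IDENTITY_ENV = {
    "AWS_CONTAINER_CREDENTIALS_FULL_URI": "http://169.254.170.23/v1/credentials",
    "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE":
        "/var/run/secrets/pods.eks.amazonaws.com/serviceaccount/eks-pod-identity-token",
}


def resolve_source(env: Mapping[str, str],
                   isfile: Callable[[str], bool] = os.path.isfile) -> str:
    """Return the source the default chain would settle on: 'static', 'irsa',
    'pod-identity', or 'imds' (the node instance role, only reachable if IMDS
    is exposed to pods). Simplification: a source whose token file is missing
    or unreadable is treated as unusable and the next step is tried."""
    if all(env.get(v) for v in STATIC_KEY_VARS):
        return "static"
    if all(env.get(v) for v in IRSA_VARS) and isfile(env["AWS_WEB_IDENTITY_TOKEN_FILE"]):
        return "irsa"
    if (all(env.get(v) for v in POD_IDENTITY_VARS)
            and isfile(env["AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE"])):
        return "pod-identity"
    return "imds"


def diagnose(env: Mapping[str, str], client_honours_env: bool,
             isfile: Callable[[str], bool] = os.path.isfile) -> str:
    """Explain what a client will do. `client_honours_env` is a hypothetical
    flag standing in for whether the binary builds its SDK config from the
    environment (the AWS CLI does; the issue reports the agent's EC2 client
    does not)."""
    source = resolve_source(env, isfile)
    if source == "imds":
        return "no pod-level credentials found; the client will try the node instance role via IMDS"
    if not client_honours_env:
        return (f"{source} credentials are present but the client ignores them; "
                "expect the cluster-name auto-detect warning")
    return f"ok: the client will authenticate as the pod via {source}"


if __name__ == "__main__":
    # Constructed scenario: Pod Identity env present, token file assumed readable,
    # client that ignores the environment (the behaviour described in the issue).
    print(diagnose(SAMPLE_POD_IDENTITY_ENV, client_honours_env=False, isfile=lambda p: True))
    # Real run inside a pod: inspect this process's environment.
    print(diagnose(os.environ, client_honours_env=True))
```

Inside the aws-debug pod the real run should report `pod-identity`; if it reports `imds`, the pod association itself is not working and the agent is not the problem. If it reports `pod-identity` while the cluster agent still logs the auto-detect warning, the credentials are there and the client construction is what ignores them, which matches the IRSA behaviour referenced in #29916.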