I want to replace the aws-node CNI with Calico. I've removed the aws-node daemonset and installed Calico. Networking between pods works great, but when I use mutating webhooks, kube-apiserver can't connect to the target service, because there are no routes from it to the pods:

E0304 15:41:02.131212       1 dispatcher.go:71] failed calling webhook "secrets.vault.admission.banzaicloud.com": Post https://vault-secrets-webhook.vault.svc:443/secrets?timeout=30s: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

The service has endpoints and it's available from pods. If I use the default CNI, the connection from kube-apiserver to the webhook's service works, because the main VPC route table has the necessary routes. Is it possible to solve this problem?

1 Answer

I hope you are following the docs mentioned here: https://docs.aws.amazon.com/eks/latest/userguide/calico.html

This Calico runs along with aws-cni, i.e. you still need aws-node.

If you wanna replace aws-cni with stock Calico it is still possible, but it isn't tested and you will lose the features of EKS which depend on aws-node.

So if you are just looking for better security on EKS, just install Calico on the existing EKS and it is officially supported.

Tummala Dhanvi
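The failure in the question is worth auditing before (or after) any CNI change: on EKS the control plane only has routes to pod IPs while aws-node is running, so every admission webhook whose `clientConfig` points at an in-cluster Service stops being callable, and whether that blocks workloads or is silently skipped depends on the webhook's `failurePolicy`. The script below is an added illustration, not code from the question, the answer, Calico or EKS. It assumes the JSON shapes of `kubectl get ds -n kube-system -o json` and `kubectl get mutatingwebhookconfigurations -o json`; both samples are constructed inline so it runs offline, and the "external-policy-webhook" entry is a made-up example of a URL-based webhook that is not affected.

```python
"""
Report which admission webhooks the EKS control plane can no longer reach once
aws-node is gone. Added illustration, not code from the post, Calico or EKS.

Assumed inputs: the JSON shapes of `kubectl get ds -n kube-system -o json` and
`kubectl get mutatingwebhookconfigurations -o json`; the samples below are
constructed so the script runs offline.
"""
import json

# Constructed sample: calico-node installed, aws-node removed (the question's state).
DAEMONSETS_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "calico-node", "namespace": "kube-system"}},
        {"metadata": {"name": "kube-proxy", "namespace": "kube-system"}},
    ]
})

# Constructed sample: one Service-backed webhook (mirroring the vault webhook in
# the question) and one hypothetical webhook that points at an external URL.
WEBHOOKS_JSON = json.dumps({
    "items": [
        {
            "metadata": {"name": "vault-secrets-webhook"},
            "webhooks": [{
                "name": "secrets.vault.admission.banzaicloud.com",
                "failurePolicy": "Fail",
                "timeoutSeconds": 30,
                "clientConfig": {"service": {
                    "namespace": "vault", "name": "vault-secrets-webhook",
                    "port": 443, "path": "/secrets"}},
            }],
        },
        {
            "metadata": {"name": "external-policy-webhook"},
            "webhooks": [{
                "name": "policy.example.invalid",
                "failurePolicy": "Ignore",
                "clientConfig": {"url": "https://policy.example.invalid/validate"},
            }],
        },
    ]
})


def daemonset_names(ds_json: str) -> set:
    """Names of the DaemonSets present in the dump."""
    return {item["metadata"]["name"] for item in json.loads(ds_json)["items"]}


def control_plane_can_reach_pods(ds_json: str) -> bool:
    """On EKS the VPC route table only carries pod routes while aws-node runs."""
    return "aws-node" in daemonset_names(ds_json)


def unreachable_webhooks(ds_json: str, webhooks_json: str) -> list:
    """Service-backed webhooks the API server would fail to call, with their failurePolicy."""
    if control_plane_can_reach_pods(ds_json):
        return []
    found = []
    for cfg in json.loads(webhooks_json)["items"]:
        for hook in cfg.get("webhooks", []):
            svc = hook.get("clientConfig", {}).get("service")
            if svc is None:
                continue  # URL-based webhooks are not routed over the pod network
            found.append({
                "configuration": cfg["metadata"]["name"],
                "webhook": hook["name"],
                "service": f'{svc["name"]}.{svc["namespace"]}.svc:{svc.get("port", 443)}',
                # admissionregistration.k8s.io/v1 defaults failurePolicy to Fail
                "failurePolicy": hook.get("failurePolicy", "Fail"),
            })
    return found


if __name__ == "__main__":
    for entry in unreachable_webhooks(DAEMONSETS_JSON, WEBHOOKS_JSON):
        impact = "blocks admission" if entry["failurePolicy"] == "Fail" else "silently skipped"
        print(f'{entry["configuration"]}/{entry["webhook"]} -> {entry["service"]}: {impact}')
```

Run it against real dumps by replacing the two constructed strings with the output of the two `kubectl` commands. A webhook listed with `failurePolicy: Fail` reproduces the timeout from the question and blocks the resources it admits; one listed with `Ignore` is the quieter failure, since mutations such as secret injection simply stop happening without an error.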