AWS EKS security group linkerd readinessprobe failure

I’ve got a namespace with the annotation for linkerd.io/inject: enabled set and within that I have a deployment with a security group policy applied to it (https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html).

That policy allows 0.0.0.0/0 inbound and outbound (for testing), but whenever we apply it to the deployment using the matchLabels we see a readiness probe failure come from linkerd:

Warning Unhealthy 8s kubelet Readiness probe failed: HTTP probe failed with statuscode: 503

Nothing in the logs by way of error from either the linkerd-init or the linkerd-proxy container. If I disable linkerd injection then the container starts fine; if I disable the security group and enable linkerd then linkerd works fine.

Hi @mrgavinconway, does the security group allow for communication between namespaces?

You can also check the events with kubectl get ev -n linkerd.

That link you sent mentions the AWS CNI. Are you using the Linkerd CNI plugin as well?

I’ve got no events showing in the linkerd namespace. For the Linkerd CNI plugin, we’re using the AWS CNI; do we have to use the other one?

@mrgavinconway, the Linkerd CNI Plugin works with CNI providers like AWS CNI.

The Linkerd CNI plugin conforms to the specification so that when the CNI provider makes CNI calls, the plugin will execute logic that is necessary to run the associated program. In Linkerd’s case, the CNI plugin executes iptables commands to configure the iptables rules of the Pod to route traffic through the proxy. If the Linkerd CNI plugin is not run, then the security group rules may be preventing the proxy from getting traffic.

Were you able to confirm whether the security group allows for inter-namespace communication?

It’s also worth using kubectl logs to get the logs from the linkerd-proxy for the Deployment that you injected. Is the service itself getting any traffic?