aws / aws-network-policy-agent

Unable to Run ./aws-eks-na-cli ebpf loaded-ebpfdata On Node

ndrafahl opened this issue

We had recently upgraded the AWS CNI plugin to v1.15.4-eksbuild.1 on our 1.25 cluster, and then enabled enforcing network policies via the addon configuration.

I was walking through some of the examples (just to poke around a bit) found in the README here: https://github.com/aws/aws-network-policy-agent#network-policy-agent-cli

I went onto my managed worker node (via Systems Manager), and ran the ./aws-eks-na-cli ebpf loaded-ebpfdata command and received the following error:

2024-01-23 14:35:36.129352413 +0000 UTC m=+0.000841813 write error: can't rename log file: rename /var/log/aws-routed-eni/ebpf-sdk.log /var/log/aws-routed-eni/ebpf-sdk-2024-01-23T14-35-36.129.log: permission denied
2024-01-23 14:35:36.129486858 +0000 UTC m=+0.000976247 write error: can't rename log file: rename /var/log/aws-routed-eni/ebpf-sdk.log /var/log/aws-routed-eni/ebpf-sdk-2024-01-23T14-35-36.129.log: permission denied
2024-01-23 14:35:36.129530591 +0000 UTC m=+0.001019990 write error: can't rename log file: rename /var/log/aws-routed-eni/ebpf-sdk.log /var/log/aws-routed-eni/ebpf-sdk-2024-01-23T14-35-36.129.log: permission denied

I tried it as sudo as well, and received the following:

Failed to execute the cmd -  failed walking the bpfdirectory unable to get FD

This may be a non-issue, or a self-inflicted one, but I wanted to just reach out to make sure I'm not missing something obvious.

Thank you!

Environment:

  • Kubernetes version (use kubectl version): v1.25.16-eks-8cb36c9
  • CNI Version: v1.15.4-eksbuild.1
  • Network Policy Agent Version: Not Sure
  • OS (e.g: cat /etc/os-release): Amazon Linux 2
  • Kernel (e.g. uname -a): 5.10.199-190.747.amzn2.x86_64

This issue is fixed with 1.0.8-rc image. Will be cutting a final release soon.

commented

This issue is fixed with 1.0.8-rc image. Will be cutting a final release soon.

Ah cool - thanks for the quick response.

I assume it's nothing that is causing any issues with the network policies being enforced themselves, just with running the CLI on the node?

Yes, it is just the CLI. No functionality impact.

commented

Cool - thanks a bunch @jayanthvn. I'm going to mark this one as closed. Have a good one!