Installing or updating the Amazon VPC CNI plugin for Kubernetes metrics helper add-on
The Amazon VPC CNI plugin for Kubernetes metrics helper is a tool that you can use to scrape network
interface and IP address information, aggregate metrics at the cluster level, and publish
the metrics to Amazon CloudWatch. To learn more about the metrics helper, see cni-metrics-helper
When managing an Amazon EKS cluster, you might want to know how many IP addresses have been assigned and how many are available. The Amazon VPC CNI plugin for Kubernetes metrics helper helps you to:
-
Track these metrics over time
-
Troubleshoot and diagnose issues related to IP assignment and reclamation
-
Provide insights for capacity planning
When a node is provisioned, the Amazon VPC CNI plugin for Kubernetes automatically allocates a pool of
secondary IP addresses from the node's subnet to the primary network interface
(eth0
). This pool of IP addresses is known as the warm
pool, and its size is determined by the node's instance type. For example, a
c4.large
instance can support three network interfaces and nine IP
addresses per interface. The number of IP addresses available for a given pod
is one less than the maximum (of ten) because one of the IP addresses is reserved for the
elastic network interface itself. For more information, see IP Addresses Per Network Interface
Per Instance Type in the Amazon EC2 User Guide for Linux Instances.
As the pool of IP addresses is depleted, the plugin automatically attaches another elastic network interface to the instance and allocates another set of secondary IP addresses to that interface. This process continues until the node can no longer support additional elastic network interfaces.
The following metrics are collected for your cluster and exported to CloudWatch:
-
The maximum number of network interfaces that the cluster can support
-
The number of network interfaces have been allocated to pods
-
The number of IP addresses currently assigned to pods
-
The total and maximum numbers of IP addresses available
-
The number of ipamD errors
Prerequisites
-
An existing Amazon Identity and Access Management (IAM) OpenID Connect (OIDC) provider for your cluster. To determine whether you already have one, or to create one, see Creating an IAM OIDC provider for your cluster.
-
Version
2.11.3
or later or1.27.93
or later of the Amazon CLI installed and configured on your device or Amazon CloudShell. You can check your current version withaws --version | cut -d / -f2 | cut -d ' ' -f1
. Package managers suchyum
,apt-get
, or Homebrew for macOS are often several versions behind the latest version of the Amazon CLI. To install the latest version, see Installing, updating, and uninstalling the Amazon CLI and Quick configuration withaws configure
in the Amazon Command Line Interface User Guide. The Amazon CLI version installed in the Amazon CloudShell may also be several versions behind the latest version. To update it, see Installing Amazon CLI to your home directory in the Amazon CloudShell User Guide. -
The
kubectl
command line tool is installed on your device or Amazon CloudShell. The version can be the same as or up to one minor version earlier or later than the Kubernetes version of your cluster. For example, if your cluster version is1.24
, you can usekubectl
version1.23
,1.24
, or1.25
with it. To install or upgradekubectl
, see Installing or updating kubectl. -
If your cluster is
1.21
or later, make sure that your Amazon VPC CNI plugin for Kubernetes,kube-proxy
, and CoreDNS add-ons are at the minimum versions listed in Service account tokens.
Deploy or update the CNI metrics helper
Create an IAM policy and role and deploy the metrics helper. If you previously created an IAM role for the add-on's service account to use you can skip to the Determine the version of the Amazon VPC CNI plugin for Kubernetes that's installed on your cluster step.
To deploy the CNI metrics helper
-
Create an IAM policy that grants the CNI metrics helper
cloudwatch:PutMetricData
permissions to send metric data to CloudWatch.-
Run the following command to create a file named
cni-metrics-helper-policy.json
.cat >cni-metrics-helper-policy.json <<EOF { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData", "ec2:DescribeTags" ], "Resource": "*" } ] } EOF
-
Create an IAM policy named
.AmazonEKSVPCCNIMetricsHelperPolicy
aws iam create-policy --policy-name
AmazonEKSVPCCNIMetricsHelperPolicy
\ --description "Grants permission to write metrics to CloudWatch" \ --policy-document file://cni-metrics-helper-policy.json
-
-
Retrieve your Amazon account ID and store it in a variable.
account_id=$(aws sts get-caller-identity --query Account --output text)
Confirm that the variable is set.
echo $account_id
The example output is as follows.
111122223333
-
Create an IAM role and attach the IAM policy to it. Create a Kubernetes service account. Annotate the Kubernetes service account with the IAM role ARN and the IAM role with the Kubernetes service account name. You can create the role using
eksctl
or the Amazon CLI. -
Verify that the role you created is configured correctly.
-
Verify the trust policy for the role.
aws iam get-role --role-name
AmazonEKSVPCCNIMetricsHelperRole-my-cluster
--query Role.AssumeRolePolicyDocument.Statement[]The example output is as follows.
[ { "Effect": "Allow", "Principal": { "Federated": "arn:aws-cn:iam::oidc.eks.
region-code
.amazonaws.com.cn/id/EXAMPLED539D4633E53DE1B71EXAMPLE
" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "oidc.eks.region-code
.amazonaws.com.cn/id/EXAMPLED539D4633E53DE1B71EXAMPLE
:sub": "system:serviceaccount:kube-system:cni-metrics-helper", "oidc.eks.region-code
.amazonaws.com.cn/id/EXAMPLED539D4633E53DE1B71EXAMPLE
:aud": "sts.amazonaws.com" } } } ] -
Verify that your cluster's OIDC provider matches the provider returned in the previous step.
aws eks describe-cluster --name
my-cluster
--query "cluster.identity.oidc.issuer" --output text | cut -c9-The example output is as follows.
oidc.eks.
region-code
.amazonaws.com.cn/id/EXAMPLED539D4633E53DE1B71EXAMPLE
-
-
Determine the version of the Amazon VPC CNI plugin for Kubernetes that's installed on your cluster.
kubectl describe daemonset aws-node -n kube-system | grep amazon-k8s-cni: | cut -d ":" -f3 | cut -d "v" -f2 | cut -d "-" -f1
The example output is as follows.
1.11.4
In the previous output,
1
is the major version,11
is the minor version, and4
is the patch version. -
To add the same version of the CNI metrics helper to your cluster (or to update to the same version) as your Amazon VPC CNI plugin for Kubernetes, run the following command for the Amazon Web Services Region that your cluster is in.
Important You can only update one minor version at a time. For example, if your current minor version is
1.10
and you want to update to1.12
, then you must update to1.11
first, then update to1.12
. You can however, update more than one patch version at a time. For example, you can update directly from1.11.2
to1.11.4
. If you need to update to a version that is earlier or later than the version listed in the following commands, then see Releaseson GitHub. The URL for each version is listed in the To apply this release:
section of the release note. Replace theportion
of the following URLs with the same portion of the URL in the release note.China (Beijing) (
cn-north-1
) or China (Ningxia) (cn-northwest-1
)kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/
v1.12.1/config/master
/cni-metrics-helper-cn.yaml -
If you previously configured an IAM role for the add-on's service account to use you can skip to the Restart the cni-metrics-helper deployment step.
Annotate the
cni-metrics-helper
Kubernetes service account created in a previous step with the ARN of the IAM role that you created previously. Replace
with your cluster name andmy-cluster
with the name of the IAM role that you created in a previous step.AmazonEKSVPCCNIMetricsHelperRole-my-cluster
kubectl annotate serviceaccount cni-metrics-helper -n kube-system \ eks.amazonaws.com/role-arn=arn:aws-cn:iam::$account_id:role/
AmazonEKSVPCCNIMetricsHelperRole-my-cluster
(Optional) Configure the Amazon Security Token Service endpoint type used by your Kubernetes service account. For more information, see Configuring the Amazon Security Token Service endpoint for a service account.
-
Restart the
cni-metrics-helper
deployment.kubectl rollout restart deployment cni-metrics-helper -n kube-system
-
Confirm the version of the metrics helper that you deployed.
kubectl describe deployment cni-metrics-helper -n kube-system | grep cni-metrics-helper: | cut -d ":" -f 3
The example output is as follows.
v
1.12.1
Creating a metrics dashboard
After you have deployed the CNI metrics helper, you can view the CNI metrics in the Amazon CloudWatch console. This topic helps you to create a dashboard for viewing your cluster's CNI metrics.
To create a CNI metrics dashboard
-
Open the CloudWatch console at https://console.amazonaws.cn/cloudwatch/
. -
In the left navigation pane, choose Metrics and then select All metrics.
-
Choose the Graphed metrics tab.
-
Choose Add metrics using browse or query.
-
Make sure that under Metrics, you've selected the Amazon Web Services Region for your cluster.
-
In the Search box, enter
Kubernetes
and then pressEnter
. -
Select the metrics that you want to add to the dashboard.
-
At the upper right of the console, select Actions, and then Add to dashboard.
-
In the Select a dashboard section, choose Create new, enter a name for your dashboard, such as
EKS-CNI-metrics
, and then choose Create. -
In the Widget type section, select Number.
-
In the Customize widget title section, enter a logical name for your dashboard title, such as
EKS CNI metrics
. -
Choose Add to dashboard to finish. Now your CNI metrics are added to a dashboard that you can monitor. For more information about Amazon CloudWatch Logs metrics, see Using Amazon CloudWatch metrics in the Amazon CloudWatch User Guide.