Docs: Install Gateway API Controller on EKS Auto Mode
Hi,
Please adjust the installation docs to discuss EKS Auto Mode... https://www.gateway-api-controller.eks.aws.dev/dev/guides/deploy/
Issue 1: "Set up the Pod Identities Agent". When testing Auto Mode, I get a conflict on port 80. There is an open bug about that here https://github.com/aws/eks-pod-identity-agent/issues/10. I was not running a competing service on port 80 so it seems like this is endemic to Auto Mode. Perhaps write "Pod Identities Agent not supported on Auto Mode".
Issue 2: "AWS IAM Roles for Service Accounts (IRSA)". The controller deployment eventually fails with the errors "init config failed: vpcId is not specified: EC2MetadataError: failed to make EC2Metadata request". It seems the pods can't reach the IMDS metadata service. Notice httpPutResponseHopLimit=1.
httpPutResponseHopLimit can't be modified in EKS Auto Mode. Perhaps write in the docs "IRSA not supported on Auto Mode".
If both of the above issues are failing in Auto Mode, then a more global warning could be placed at the top of the page. "Gateway API Controller can't be installed in EKS Auto Mode". Or, I am misunderstanding something! :-) Probably yes. Most likely yes. Let me know. If possible, open 'upstream' issues to implement fixes in other repositories about these issues.
Thanks.
Now getting a report that Pod Identities Agent is already baked into Auto Mode.
In that case Issue 1 ought to work, hopefully. It just needs to be adjusted to have slightly different Auto Mode steps.
Although I will report that I followed the Pod Identities Agent steps in the documentation and the pods failed to launch, I think with EC2Metadata errors. Tomorrow I will launch a new cluster and try again.
Edit: Would it be the case that IRSA and Pod Identity are alternative forms of "permission" but they would both be equally susceptible to an IMDS httpPutResponseHopLimit restriction? So even if Pod Identity is included in the AMI it could still hit the metadata errors?
Hi, @sdarwin
You may already be aware, but as mentioned in this link, accessing EC2 instance metadata from within a container requires setting the hop limit to 2. However, with EKS Auto Mode, the EC2 instances are managed by AWS, so it's not possible to change the hop limit.
As a result, any values that would normally be retrieved via metadata must be provided manually—either via Helm values or as environment variables. Specifically, you'll need to set values like below.
awsRegion: us-east-1
awsAccountId: xxxxxxxxxxxx
clusterVpcId: vpc-xxxxxxxxx
clusterName: sample-eks-cluster
The IAM role assigned via Pod Identity should still work as expected.
Apologies in advance if this turns out to be off the mark, but I hope it helps point in the right direction!
Hi @u-kai, Ok. That makes sense even though it's a bit less easy-to-use than automatically discovering variables from metadata. In the original post above I suggested "Please adjust the installation docs". You are saying "values that would normally be retrieved via metadata must be provided manually". That could be explained.
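The four values listed in the reply above can be looked up from the EKS and STS APIs on an admin workstation, so the install does not depend on IMDS being reachable from the pod. This is an added example, not part of the thread or the project's documentation; it assumes the AWS CLI with working credentials, and `render_values` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the thread): write the controller's Helm values from
# AWS API calls, so nothing depends on IMDS being reachable from the pod.
# Assumes the AWS CLI with credentials; render_values is a hypothetical name.

# render_values CLUSTER_NAME REGION -> prints a values file on stdout
render_values() {
    cluster_name=$1
    region=$2
    if [ -z "$cluster_name" ] || [ -z "$region" ]; then
        echo "usage: render_values CLUSTER_NAME REGION" >&2
        return 2
    fi

    # VPC ID from the EKS control plane API instead of instance metadata.
    vpc_id=$(aws eks describe-cluster --name "$cluster_name" --region "$region" \
        --query 'cluster.resourcesVpcConfig.vpcId' --output text) || return 1
    # Account ID from STS, for whichever credentials the CLI is using.
    account_id=$(aws sts get-caller-identity --region "$region" \
        --query 'Account' --output text) || return 1

    # Stop on empty or malformed lookups ("None" is what --output text prints
    # for a missing field) rather than installing with a bad value.
    case $vpc_id in
        vpc-[0-9a-f]*) ;;
        *) echo "unexpected VPC ID: '$vpc_id'" >&2; return 1 ;;
    esac
    case $account_id in
        ''|*[!0-9]*) echo "unexpected account ID: '$account_id'" >&2; return 1 ;;
    esac
    [ "${#account_id}" -eq 12 ] || { echo "account ID is not 12 digits" >&2; return 1; }

    # Quote the account ID: unquoted, a leading zero can be lost when YAML
    # parses the value as a number.
    printf 'awsRegion: %s\n' "$region"
    printf 'awsAccountId: "%s"\n' "$account_id"
    printf 'clusterVpcId: %s\n' "$vpc_id"
    printf 'clusterName: %s\n' "$cluster_name"
}

# Usage: render_values sample-eks-cluster us-east-1 > values.yaml
# then pass values.yaml to helm with -f when installing the controller chart.
```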