Why won't my pods connect to other pods in Amazon EKS?
Last updated: 2021-08-30
My pods won't connect to other pods in Amazon Elastic Kubernetes Service (Amazon EKS).
Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.
If your pods can't connect with other pods, you can receive the following errors (depending on your application).
If the security group from a worker node doesn't allow internode communication:
curl: (7) Failed to connect to XXX.XXX.XX.XXX port XX: Connection timed out
If the DNS isn't working:
Error: RequestError: send request failed caused by: Post dial tcp: i/o timeout
If the DNS is working but there's still a pod connectivity issue:
Error: RequestError: send request failed caused by: Post dial tcp 220.127.116.11.5:443: i/o timeout
If the pod wasn't exposed through a service and you try to resolve the DNS for the pod:
kubectl exec -it busybox -- nslookup nginx Server: 10.100.0.10 Address: 10.100.0.10:53 ** server can't find nginx.default.svc.cluster.local: NXDOMAIN *** Can't find nginx.svc.cluster.local: No answer *** Can't find nginx.cluster.local: No answer *** Can't find nginx.ap-southeast-2.compute.internal: No answer *** Can't find nginx.default.svc.cluster.local: No answer *** Can't find nginx.svc.cluster.local: No answer *** Can't find nginx.cluster.local: No answer *** Can't find nginx.ap-southeast-2.compute.internal: No answer
To resolve these errors, check if your environment is set up correctly by confirming the following:
- You meet the networking requirements for Kubernetes (excluding any intentional NetworkPolicy)
- Your pods are correctly using DNS to communicate with each other
- Your security groups meet Amazon EKS guidelines
- Your security groups for pods allow pods to communicate with each other
- The network access control list (ACL) doesn't deny the connection
- Your subnet has a local route for communicating within your Amazon Virtual Private Cloud (Amazon VPC)
- There are enough IP addresses available in the subnet
- Your pods are scheduled and in the RUNNING state
- You have the recommended version of the Amazon VPC Container Network Interface (CNI) plugin for Kubernetes
You meet the networking requirements for Kubernetes (excluding any intentional NetworkPolicy)
Confirm that you meet the Kubernetes networking requirements (from the Kubernetes website).
By default, pods are not isolated. Pods accept traffic from any source. Pods become isolated by having a NetworkPolicy that selects them.
Note: For NetworkPolicy configurations, see Installing Calico on Amazon EKS.
Your pods are correctly using DNS to communicate with each other
You must expose your pods through a service first. If you don't, then your pods can't get DNS names and can be reached only by their specific IP addresses.
$ kubectl run nginx --image=nginx --replicas=5 -n web deployment.apps/nginx created $ kubectl expose deployment nginx --port=80 -n web service/nginx exposed $ kubectl get svc -n web NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE nginx ClusterIP 10.100.94.70 <none> 80/TCP 2s # kubectl exec -ti busybox -n web -- nslookup nginx Server: 10.100.0.10 Address 1: 10.100.0.10 ip-10-100-0-10.ap-southeast-2.compute.internal Name: nginx Address 1: 10.100.94.70 ip-10-100-94-70.ap-southeast-2.compute.internal
The output shows that the ClusterIP 10.100.94.70 is returned when resolving the DNS name for the nginx service.
If your pods still fail to resolve DNS, see How do I troubleshoot DNS failures with Amazon EKS?
Your security groups meet Amazon EKS guidelines
Create inbound rules to restrict what traffic is allowed on the security group of your worker node. Create the inbound rules for any protocol or any ports that your worker nodes use for internode communication.
It's a best practice to enable all traffic for the security group of your worker node. You don't need to change security group rules every time a new pod with a new port is created.
For more information, see Amazon EKS security group considerations.
Your security groups for pods allow pods to communicate with each other
If you use security groups for pods or CNI custom networking, then you can allocate any security groups to pods. In this scenario, confirm that the security groups allow communication between pods correctly.
The network ACL doesn't deny the connection
1. Confirm that traffic between your Amazon EKS cluster and VPC CIDR flows freely on your network ACL.
2. (Optional) To add an additional layer of security to your VPC, consider setting up network ACLs with rules similar to your security groups.
Your subnet has a local route for communicating within your VPC
Confirm that your subnets have the default route for communication within the VPC.
There are enough IP addresses available in the subnet
Confirm that your specified subnets have enough available IP addresses for the cross-account elastic network interfaces and your pods.
For more information, see VPC IP addressing.
To check for available IP addresses, run the following AWS CLI command:
$ aws ec2 describe-subnets --subnet-id YOUR-SUBNET-ID --query 'Subnets.AvailableIpAddressCount'
Your pods are scheduled and in the RUNNING state
Confirm that your pods are scheduled and in the RUNNING state.
To troubleshoot your pod status, see How can I troubleshoot pod status in Amazon EKS?
You have the recommended version of the Amazon VPC CNI plugin for Kubernetes
If you have the recommended version, but are experiencing issues with it, then see How do I resolve kubelet or CNI plugin issues for Amazon EKS?