Cluster Shield Troubleshooting

CNI on EKS

When using a custom CNI on EKS, the API server will not be able to reach the webhook endpoint. This happens because the control plane cannot be configured to run on a custom CNI on EKS. In order to resolve this, when installing Cluster Shield via Helm, apply the following configurations:

clusterShield:
  hostNetwork: true
  features:
    audit:
      http_port: 5000 # Required to avoid conflicts
    admission_control:
      http_port: 6000 # Required to avoid conflicts

Update the inbound rule in the EKS worker nodes security group, allowing TCP communication on port 5000 and 6000 from the EKS cluster security group.

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.