# 코드 다운로드, 작업 디렉터리 이동
$ cd aews/2w
# 이번에 2w를 새로 다운로드 (기존 폴더에 2w만 받아짐)
aews git:(main*) $ git pull origin main
remote: Enumerating objects: 8, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (7/7), done.
remote: Total 7 (delta 0), reused 7 (delta 0), pack-reused 0 (from 0)
Unpacking objects: 100% (7/7), 3.51 KiB | 359.00 KiB/s, done.
From https://github.com/gasida/aews
* branch main -> FETCH_HEAD
c95a0bb..1ad820c main -> origin/main
Updating c95a0bb..1ad820c
Fast-forward
2w/eks.tf | 169 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2w/outputs.tf | 4 +++
2w/var.tf | 72 ++++++++++++++++++++++++++++++++++++++
2w/vpc.tf | 50 +++++++++++++++++++++++++++
4 files changed, 295 insertions(+)
create mode 100644 2w/eks.tf
create mode 100644 2w/outputs.tf
create mode 100644 2w/var.tf
create mode 100644 2w/vpc.tf
# 변수 지정
aews git:(main*) $ export TF_VAR_KeyName=test-key
aews git:(main*) $ export TF_VAR_ssh_access_cidr=$(curl -s ipinfo.io/ip)/32
aews git:(main*) $ echo $TF_VAR_KeyName $TF_VAR_ssh_access_cidr
test-key 1x.x.x.x/32
# 배포 : 12분 정도 소요
:2w git:(main*) $ terraform init
Initializing the backend...
Initializing modules...
Downloading registry.terraform.io/terraform-aws-modules/eks/aws 21.15.1 for eks...
- eks in .terraform/modules/eks
- eks.eks_managed_node_group in .terraform/modules/eks/modules/eks-managed-node-group
- eks.eks_managed_node_group.user_data in .terraform/modules/eks/modules/_user_data
- eks.fargate_profile in .terraform/modules/eks/modules/fargate-profile
Downloading registry.terraform.io/terraform-aws-modules/kms/aws 4.0.0 for eks.kms...
- eks.kms in .terraform/modules/eks.kms
- eks.self_managed_node_group in .terraform/modules/eks/modules/self-managed-node-group
- eks.self_managed_node_group.user_data in .terraform/modules/eks/modules/_user_data
Downloading registry.terraform.io/terraform-aws-modules/vpc/aws 6.6.0 for vpc...
- vpc in .terraform/modules/vpc
Initializing provider plugins...
- Finding hashicorp/aws versions matching ">= 6.0.0, >= 6.28.0"...
- Finding hashicorp/tls versions matching ">= 4.0.0"...
- Finding hashicorp/time versions matching ">= 0.9.0"...
- Finding hashicorp/cloudinit versions matching ">= 2.0.0"...
- Finding hashicorp/null versions matching ">= 3.0.0"...
- Installing hashicorp/aws v6.37.0...
- Installed hashicorp/aws v6.37.0 (signed by HashiCorp)
- Installing hashicorp/tls v4.2.1...
- Installed hashicorp/tls v4.2.1 (signed by HashiCorp)
- Installing hashicorp/time v0.13.1...
- Installed hashicorp/time v0.13.1 (signed by HashiCorp)
- Installing hashicorp/cloudinit v2.3.7...
- Installed hashicorp/cloudinit v2.3.7 (signed by HashiCorp)
- Installing hashicorp/null v3.2.4...
- Installed hashicorp/null v3.2.4 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
2w git:(main*) $ nohup sh -c "terraform apply -auto-approve" > create.log 2>&1 &
[1] 13492
2w git:(main*) $ tail -f create.log
module.eks.aws_eks_addon.this["coredns"]: Still creating... [00m10s elapsed]
module.eks.aws_eks_addon.this["coredns"]: Creation complete after 15s [id=myeks:coredns]
module.eks.aws_eks_addon.this["kube-proxy"]: Still creating... [00m20s elapsed]
module.eks.aws_eks_addon.this["kube-proxy"]: Creation complete after 25s [id=myeks:kube-proxy]
Apply complete! Resources: 59 added, 0 changed, 0 destroyed.
Outputs:
configure_kubectl = "aws eks --region ap-northeast-2 update-kubeconfig --name myeks"
# 자격증명 설정
2w git:(main*) $ terraform output -raw configure_kubectl
aws eks --region ap-northeast-2 update-kubeconfig --name myeks%
2w git:(main*) $ aws eks --region ap-northeast-2 update-kubeconfig --name myeks
Added new context arn:aws:eks:ap-northeast-2:123123123:cluster/myeks to /Users/.kube/config
2w git:(main*) $ kubectl config rename-context $(cat ~/.kube/config | grep current-context | awk '{print $2}') myeks
Context "arn:aws:eks:ap-northeast-2:123123123:cluster/myeks" renamed to "myeks".
배포 후 기본 정보 확인
EKS 관리 콘솔 확인
Overview 개요 : API server endpoint, Open ID Connect provider URL기본 정보(oidc)
Access : IAM access entries (설치 시 사용한 자격증명 username 확인)
EKS 기본 정보 확인
# 노드 라벨 확인
2w git:(main*) $ kubectl get node --show-labels
NAME STATUS ROLES AGE VERSION LABELS
ip-192-168-1-210.ap-northeast-2.compute.internal Ready <none> 39m v1.34.4-eks-f69f56f beta.kubernetes.io/arch=amd64,beta.kubernetes.io/instance-type=t3.medium,beta.kubernetes.io/os=linux,eks.amazonaws.com/capacityType=ON_DEMAND,eks.amazonaws.com/nodegroup-image=ami-0041be04b53631868,eks.amazonaws.com/nodegroup=myeks-1nd-node-group,eks.amazonaws.com/sourceLaunchTemplateId=lt-08e395f933cfc84e6,eks.amazonaws.com/sourceLaunchTemplateVersion=1,failure-domain.beta.kubernetes.io/region=ap-northeast-2,failure-domain.beta.kubernetes.io/zone=ap-northeast-2a,k8s.io/cloud-provider-aws=5553ae84a0d29114870f67bbabd07d44,kubernetes.io/arch=amd64,kubernetes.io/hostname=ip-192-168-1-210.ap-northeast-2.compute.internal,kubernetes.io/os=linux,node.kubernetes.io/instance-type=t3.medium,tier=primary,topology.k8s.aws/zone-id=apne2-az1,topology.kubernetes.io/region=ap-northeast-2,topology.kubernetes.io/zone=ap-northeast-2a
ip-192-168-11-16.ap-northeast-2.compute.internal Ready <none> 39m v1.34.4-eks-f69f56f beta.kubernetes.io/arch=amd64,beta.kubernetes.io/instance-type=t3.medium,beta.kubernetes.io/os=linux,eks.amazonaws.com/capacityType=ON_DEMAND,eks.amazonaws.com/nodegroup-image=ami-0041be04b53631868,eks.amazonaws.com/nodegroup=myeks-1nd-node-group,eks.amazonaws.com/sourceLaunchTemplateId=lt-08e395f933cfc84e6,eks.amazonaws.com/sourceLaunchTemplateVersion=1,failure-domain.beta.kubernetes.io/region=ap-northeast-2,failure-domain.beta.kubernetes.io/zone=ap-northeast-2c,k8s.io/cloud-provider-aws=5553ae84a0d29114870f67bbabd07d44,kubernetes.io/arch=amd64,kubernetes.io/hostname=ip-192-168-11-16.ap-northeast-2.compute.internal,kubernetes.io/os=linux,node.kubernetes.io/instance-type=t3.medium,tier=primary,topology.k8s.aws/zone-id=apne2-az3,topology.kubernetes.io/region=ap-northeast-2,topology.kubernetes.io/zone=ap-northeast-2c
ip-192-168-6-183.ap-northeast-2.compute.internal Ready <none> 39m v1.34.4-eks-f69f56f beta.kubernetes.io/arch=amd64,beta.kubernetes.io/instance-type=t3.medium,beta.kubernetes.io/os=linux,eks.amazonaws.com/capacityType=ON_DEMAND,eks.amazonaws.com/nodegroup-image=ami-0041be04b53631868,eks.amazonaws.com/nodegroup=myeks-1nd-node-group,eks.amazonaws.com/sourceLaunchTemplateId=lt-08e395f933cfc84e6,eks.amazonaws.com/sourceLaunchTemplateVersion=1,failure-domain.beta.kubernetes.io/region=ap-northeast-2,failure-domain.beta.kubernetes.io/zone=ap-northeast-2b,k8s.io/cloud-provider-aws=5553ae84a0d29114870f67bbabd07d44,kubernetes.io/arch=amd64,kubernetes.io/hostname=ip-192-168-6-183.ap-northeast-2.compute.internal,kubernetes.io/os=linux,node.kubernetes.io/instance-type=t3.medium,tier=primary,topology.k8s.aws/zone-id=apne2-az2,topology.kubernetes.io/region=ap-northeast-2,topology.kubernetes.io/zone=ap-northeast-2b
[13:37:39] mzc01-voieul:2w git:(main*) $ kubectl get node -l tier=primary
NAME STATUS ROLES AGE VERSION
ip-192-168-1-210.ap-northeast-2.compute.internal Ready <none> 39m v1.34.4-eks-f69f56f
ip-192-168-11-16.ap-northeast-2.compute.internal Ready <none> 39m v1.34.4-eks-f69f56f
ip-192-168-6-183.ap-northeast-2.compute.internal Ready <none> 39m v1.34.4-eks-f69f56f
2w git:(main*) $ kubectl get node -l tier=primary
NAME STATUS ROLES AGE VERSION
ip-192-168-1-210.ap-northeast-2.compute.internal Ready <none> 39m v1.34.4-eks-f69f56f
ip-192-168-11-16.ap-northeast-2.compute.internal Ready <none> 39m v1.34.4-eks-f69f56f
ip-192-168-6-183.ap-northeast-2.compute.internal Ready <none> 39m v1.34.4-eks-f69f56f
# 파드 정보 확인
2w git:(main*) $ kubectl get pod -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system aws-node-6922w 2/2 Running 0 41m
kube-system aws-node-6ttt6 2/2 Running 0 41m
kube-system aws-node-r77xb 2/2 Running 0 41m
kube-system coredns-d487b6fcb-dkvpq 1/1 Running 0 40m
kube-system coredns-d487b6fcb-ftjqs 1/1 Running 0 40m
kube-system kube-proxy-54b6l 1/1 Running 0 40m
kube-system kube-proxy-7kgjr 1/1 Running 0 40m
kube-system kube-proxy-w2gzn 1/1 Running 0 40m
2w git:(main*) $ kubectl get pdb -n kube-system
NAME MIN AVAILABLE MAX UNAVAILABLE ALLOWED DISRUPTIONS AGE
coredns N/A 1 1 40m
# 관리형 노드 그룹 확인
2w git:(main*) $ aws eks describe-nodegroup --cluster-name myeks --nodegroup-name myeks-1nd-node-group | jq
{
"nodegroup": {
"nodegroupName": "myeks-1nd-node-group",
"nodegroupArn": "arn:aws:eks:ap-northeast-2:143649248460:nodegroup/myeks/myeks-1nd-node-group/dcce8efe-6362-fde5-2cf2-4c2c4ee74afa",
"clusterName": "myeks",
"version": "1.34",
"releaseVersion": "1.34.4-20260317",
"createdAt": "2026-03-24T12:56:41.571000+09:00",
"modifiedAt": "2026-03-24T13:38:04.663000+09:00",
"status": "ACTIVE",
"capacityType": "ON_DEMAND",
"scalingConfig": {
"minSize": 2,
"maxSize": 5,
"desiredSize": 3
},
"instanceTypes": [
"t3.medium"
],
"subnets": [
"subnet-0ff9ed04cb8b082ec",
"subnet-0d7752b137e08028c",
"subnet-0f16f6746d3a7c4be"
],
"amiType": "AL2023_x86_64_STANDARD",
"nodeRole": "arn:aws:iam::143649248460:role/myeks-1nd-node-group-eks-node-group-20260324034658874100000006",
"labels": {
"tier": "primary"
},
"resources": {
"autoScalingGroups": [
{
"name": "eks-myeks-1nd-node-group-dcce8efe-6362-fde5-2cf2-4c2c4ee74afa"
}
]
},
"health": {
"issues": []
},
"updateConfig": {
"maxUnavailablePercentage": 33
},
"launchTemplate": {
"name": "primary-20260324035632468600000009",
"version": "1",
"id": "lt-08e395f933cfc84e6"
},
"tags": {
"Terraform": "true",
"Environment": "cloudneta-lab",
"Name": "myeks-1nd-node-group"
}
}
}
# eks addon 확인
1. AWS VPC CNI 소개
K8S CNI : Container Network Interface 는 k8s 네트워크 환경을 구성해준다 - 링크, 다양한 플러그인이 존재 - 링크
AWS VPC CNI : 파드 IP 할당, 파드의 IP 네트워크 대역과 노드(워커)의 IP 대역이 같아서 직접 통신이 가능 - Docs , Github , Proposal
Amazon Virtual Private Cloud(VPC) CNI add-on
AWS에서 제공하는 VPC CNI는 EKS 클러스터의 기본 네트워킹 추가 기능 add-on 입니다. VPC CNI 추가 기능은 EKS 클러스터를 프로비저닝할 때 기본적으로 설치됩니다. VPC CNI는 Kubernetes 작업자 노드에서 실행됩니다. VPC CNI 추가 기능은 CNI 바이너리와 IP 주소 관리(ipamd) 플러그인으로 구성됩니다. CNI는 VPC 네트워크의 IP 주소를 포드에 할당합니다. ipamd는 각 Kubernetes 노드에 대한 AWS 탄력적 네트워킹 인터페이스(ENIs)를 관리하고 IPs의 웜 풀을 warm pool 유지합니다. VPC CNI는 빠른 포드 시작 시간을 위한 ENIs 및 IP 주소의 사전 할당pre-allocation 을 위한 구성 옵션을 제공합니다. 권장 플러그인 관리 모범 사례는 Amazon VPC CNI를 참조하세요.
VPC 와 통합 : VPC Flow logs , VPC 라우팅 정책, 보안 그룹(Security group) 을 사용 가능함
Amazon EKS에서는 클러스터를 생성할 때 두 개 이상의 가용 영역에 서브넷을 지정하는 것이 좋습니다. Amazon VPC CNI는 노드 서브넷의 포드에 IP 주소를 할당합니다. 서브넷에서 사용 가능한 IP 주소를 확인하는 것이 좋습니다. EKS 클러스터를 배포하기 전에 VPC 및 서브넷 권장 사항을 고려하세요.
보조 IP 모드(기본값) secondary IP mode : Amazon VPC CNI는 노드의 기본 ENIs에 연결된 서브넷에서 ENI 및 보조 IP 주소의 웜 풀을 할당합니다. VPC CNI의이 모드를 보조 IP 모드라고 합니다. IP 주소 수와 따라서 **포드 수(Pod 밀도)**는 인스턴스 유형에 의해 정의된 ENIs 수와 ENI당 IP 주소(한도)로 정의됩니다. 보조 모드는 기본값이며 인스턴스 유형이 작은 소규모 클러스터에 적합합니다.
접두사 모드 (포드 밀도 필요 시) prefix mode : 포드 밀도 문제가 발생하는 경우 ENIs 접두사 모드를 사용하는 것이 좋습니다.
파드 보안 그룹 security groups for Pods : Amazon VPC CNI는 기본적으로 AWS VPC와 통합되며 사용자는 Kubernetes 클러스터 구축을 위한 기존 AWS VPC 네트워킹 및 보안 모범 사례를 적용할 수 있습니다. 여기에는 네트워크 트래픽 격리를 위해 VPC 흐름 로그, VPC 라우팅 정책 및 보안 그룹을 사용하는 기능이 포함됩니다. 기본적으로 Amazon VPC CNI는 노드의 기본 ENI와 연결된 보안 그룹을 포드에 적용합니다. 포드에 다른 네트워크 규칙을 할당하려는 경우 포드에 대한 보안 그룹을 활성화하는 것이 좋습니다.
사용자 지정 네트워킹(보조 CIDR 할당 사용) custom networking : 기본적으로 VPC CNI는 노드의 기본 ENI에 할당된 서브넷의 포드에 IP 주소를 할당합니다. 수천 개의 워크로드가 있는 대규모 클러스터를 실행할 때 IPv4 주소가 부족한 것이 일반적입니다. AWS VPC를 사용하면 IPv4 CIDRs 블록의 고갈을 해결할 보조 CIDR을 할당하여 사용 가능한 IPs를 확장할 수 있습니다. AWS VPC CNI를 사용하면 포드에 대해 다른 서브넷 CIDR 범위를 사용할 수 있습니다. VPC CNI의이 기능을 사용자 지정 네트워킹이라고 합니다. 사용자 지정 네트워킹을 사용하여 EKS에서 100.64.0.0/10 및 198.19.0.0/16 CIDRs(CG-NAT)을 사용하는 것이 좋습니다. 이렇게 하면 포드가 더 이상 VPC의 RFC1918 IP 주소를 사용하지 않는 환경을 효과적으로 생성할 수 있습니다.
보조 IP 모드 Secondary IP mode 는 VPC CNI의 기본 모드입니다. 이 가이드에서는 보조 IP 모드가 활성화된 경우 VPC CNI 동작에 대한 일반적인 개요를 제공합니다. ipamd(IP 주소 할당)의 기능은 , Linux용 접두사 모드및 포드당 보안 그룹와 같은 VPC CNI의 구성 설정에 따라 달라질 수 있습니다사용자 지정 네트워킹.
Amazon VPC CNI는 작업자 노드에 aws-node라는 Kubernetes Daemonset으로 배포됩니다. 작업자 노드가 프로비저닝되면 기본 ENI라고 하는 기본 ENI가 노드에 연결됩니다. CNI는 노드의 기본 ENIs에 연결된 서브넷에서 ENI 및 보조 IP 주소의 웜 풀을 할당합니다. 기본적으로 ipamd는 노드에 추가 ENI를 할당하려고 시도합니다. IPAMD는 단일 포드가 예약되고 기본 ENI의 보조 IP 주소가 할당될 때 추가 ENI를 할당합니다. 이 "웜" ENI를 사용하면 더 빠른 포드 네트워킹이 가능합니다. 보조 IP 주소 풀이 부족해지면 CNI는 다른 ENI를 추가하여 더 할당합니다.
풀의 ENIs 및 IP 주소 수는 WARM_ENI_TARGET, WARM_IP_TARGET, MINIMUM_IP_TARGET이라는 환경 변수를 통해 구성됩니다. aws-node Daemonset은 충분한 수의 ENIs가 연결되어 있는지 주기적으로 확인합니다. WARM_ENI_TARGET 또는 WARM_IP_TARGET 및 MINIMUM_IP_TARGET 조건이 모두 충족되면 충분한 수의 ENIs가 연결됩니다. ENIs가 충분하지 않으면 CNI는 MAX_ENI 한도에 도달할 때까지 EC2에 API를 호출하여 더 많이 연결합니다.
WARM_ENI_TARGET : 미리 붙여둘 ENI 개수
예) WARM_ENI_TARGET = 1 ⇒ 항상 사용하지 않는 ENI 1개 유지
정의: 현재 사용 중인 ENI 외에 추가로 유지할 빈(Available) ENI의 개수입니다.
작동: 예를 들어 이 값이 1이면, 현재 ENI가 꽉 차지 않았더라도 VPC CNI는 나중에 올 Pod들을 위해 미리 ENI 하나를 더 할당받아 둡니다.
특징: ENI를 통째로 가져오므로 IP 확보 속도가 가장 빠르지만, IP 낭비가 심할 수 있습니다.
WARM_IP_TARGET : 남겨둘 여유 IP 개수
예) WARM_IP_TARGET = 10 ⇒ 항상 10개 IP 여유 유지
정의: 현재 사용 중인 IP 외에 추가로 유지할 여유 IP 주소의 개수입니다.
작동: 이 값이 5라면, Pod가 10개 떠 있을 때 노드는 항상 15개의 IP를 확보하려고 시도합니다.
특징: WARM_ENI_TARGET보다 세밀하게(Fine-grained) IP를 관리할 수 있어 IP 자원이 부족한 VPC에서 선호됩니다.
MINIMUM_IP_TARGET : 최소 확보해야 할 IP 총량
예) MINIMUM_IP_TARGET = 30 ⇒ 노드 시작 시 최소 30개 IP 확보
정의: 노드가 가동될 때 최소한으로 확보하고 있어야 하는 전체 IP의 개수입니다.
작동: 이 값이 20이면, Pod가 하나도 없더라도 일단 IP 20개를 확보해 둡니다.
특징: 초기 대규모 트래픽 유입으로 Pod가 급격히 늘어날 때(Scale-out) IP 할당 지연을 방지합니다. 보통 WARM_IP_TARGET과 함께 사용됩니다.
1. 파드 통신을 위한 IPtables, 라우팅 설정 과정 : kubelet 에서 CNI 바이너리에 CNI 추가/삭제 요청을 통해 처리. 이때 L-IPAM 조회 확인
2. 파드 네트워크 환경 구성(파드 네트워크 네임스페이스) : kubelet → vpc cni → L-IPAM → kernel API ⇒ kubelet → New Pod
Kubelet이 포드 추가 요청을 수신하면 CNI 바이너리가 사용 가능한 IP 주소에 대해 ipamd를 쿼리한 다음 ipamd가 포드에 제공합니다. CNI 바이너리가 호스트 및 포드 네트워크를 연결합니다.
노드에 배포된 포드는 기본적으로 기본 ENI와 동일한 보안 그룹에 할당됩니다. 또는 다른 보안 그룹으로 포드를 구성할 수 있습니다.
IP 주소 풀이 고갈되면 플러그 인은 다른 탄력적 네트워크 인터페이스를 인스턴스에 자동으로 연결하고 이 인터페이스에 다른 보조 IP 주소 집합을 할당합니다. 이 프로세스는 노드가 탄력적 네트워크 인터페이스를 추가 지원할 수 없을 때까지 계속됩니다.
3. 포드가 삭제되면 VPC CNI는 포드의 IP 주소를 30초 cool down cache 에 배치합니다.
cool down cache IPs는 새 포드에 할당되지 않습니다.
cooling-off 쿨링 오프 기간이 끝나면 VPC CNI는 포드 IP를 웜 풀로 다시 이동합니다.
쿨링 오프 기간은 포드 IP 주소가 조기에 재활용되는 것을 방지하고 모든 클러스터 노드에서 kube-proxy가 iptables 규칙 업데이트를 완료하도록 허용합니다.
IPs 또는 ENIs 수가 웜 풀 설정 수를 초과하면 ipamd 플러그인은 IPs 및 ENIs에 반환합니다.
2. 노드에서 기본 네트워크 정보 확인
노드 접속 및 IP 변수 지정
# EC2 ENI IP 확인
2w git:(main*) $ aws ec2 describe-instances --query "Reservations[*].Instances[*].{PublicIPAdd:PublicIpAddress,PrivateIPAdd:PrivateIpAddress,InstanceName:Tags[?Key=='Name']|[0].Value,Status:State.Name}" --filters Name=instance-state-name,Values=running --output table
# 아래 IP는 각자 실습 환경에 따라 사용
2w git:(main*) $ N1=13.125.90.155
N2=3.36.10.59
N3=52.79.83.80
# 워커 노드 SSH 접속
2w git:(main*) $ for i in $N1 $N2 $N3; do echo ">> node $i <<"; ssh -o StrictHostKeyChecking=no ec2-user@$i hostname; echo; done
>> node 13.125.90.155 <<
Warning: Permanently added '13.125.90.155' (ED25519) to the list of known hosts.
ip-192-168-3-7.ap-northeast-2.compute.internal
>> node 3.36.10.59 <<
Warning: Permanently added '3.36.10.59' (ED25519) to the list of known hosts.
ip-192-168-5-36.ap-northeast-2.compute.internal
>> node 52.79.83.80 <<
Warning: Permanently added '52.79.83.80' (ED25519) to the list of known hosts.
ip-192-168-11-144.ap-northeast-2.compute.internal
# [터미널1~3] 노드 모니터링
ssh ec2-user@$N1
watch -d "ip link | egrep 'ens|eni' ;echo;echo "[ROUTE TABLE]"; route -n | grep eni"
ssh ec2-user@$N2
watch -d "ip link | egrep 'ens|eni' ;echo;echo "[ROUTE TABLE]"; route -n | grep eni"
ssh ec2-user@$N3
watch -d "ip link | egrep 'ens|eni' ;echo;echo "[ROUTE TABLE]"; route -n | grep eni"
# Network-Multitool 디플로이먼트 생성
cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
name: netshoot-pod
spec:
replicas: 3
selector:
matchLabels:
app: netshoot-pod
template:
metadata:
labels:
app: netshoot-pod
spec:
containers:
- name: netshoot-pod
image: praqma/network-multitool
ports:
- containerPort: 80
- containerPort: 443
env:
- name: HTTP_PORT
value: "80"
- name: HTTPS_PORT
value: "443"
terminationGracePeriodSeconds: 0
EOF
# 파드 이름 변수 지정
2w git:(main*) $ PODNAME1=$(kubectl get pod -l app=netshoot-pod -o jsonpath='{.items[0].metadata.name}')
2w git:(main*) $ PODNAME2=$(kubectl get pod -l app=netshoot-pod -o jsonpath='{.items[1].metadata.name}')
2w git:(main*) $ PODNAME3=$(kubectl get pod -l app=netshoot-pod -o jsonpath='{.items[2].metadata.name}')
2w git:(main*) $ echo $PODNAME1 $PODNAME2 $PODNAME3
netshoot-pod-64fbf7fb5-9scs4 netshoot-pod-64fbf7fb5-kz8ff netshoot-pod-64fbf7fb5-zgqsp
# 파드 확인
2w git:(main*) $ kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
netshoot-pod-64fbf7fb5-9scs4 1/1 Running 0 2m11s 192.168.1.234 ip-192-168-3-7.ap-northeast-2.compute.internal <none> <none>
netshoot-pod-64fbf7fb5-kz8ff 1/1 Running 0 2m11s 192.168.10.106 ip-192-168-11-144.ap-northeast-2.compute.internal <none> <none>
netshoot-pod-64fbf7fb5-zgqsp 1/1 Running 0 2m11s 192.168.4.200 ip-192-168-5-36.ap-northeast-2.compute.internal <none> <none>
2w git:(main*) $ kubectl get pod -o=custom-columns=NAME:.metadata.name,IP:.status.podIP
NAME IP
netshoot-pod-64fbf7fb5-9scs4 192.168.1.234
netshoot-pod-64fbf7fb5-kz8ff 192.168.10.106
netshoot-pod-64fbf7fb5-zgqsp 192.168.4.200
s-aews $ for i in $N1 $N2 $N3; do echo ">> node $i <<"; ssh ec2-user@$i sudo ip -c route; echo; done
>> node 13.125.90.155 <<
default via 192.168.0.1 dev ens5 proto dhcp src 192.168.3.7 metric 512
192.168.0.0/22 dev ens5 proto kernel scope link src 192.168.3.7 metric 512
192.168.0.1 dev ens5 proto dhcp scope link src 192.168.3.7 metric 512
192.168.0.2 dev ens5 proto dhcp scope link src 192.168.3.7 metric 512
192.168.1.234 dev eni728a59de5d0 scope link
>> node 3.36.10.59 <<
default via 192.168.4.1 dev ens5 proto dhcp src 192.168.5.36 metric 512
192.168.0.2 via 192.168.4.1 dev ens5 proto dhcp src 192.168.5.36 metric 512
192.168.4.0/22 dev ens5 proto kernel scope link src 192.168.5.36 metric 512
192.168.4.1 dev ens5 proto dhcp scope link src 192.168.5.36 metric 512
192.168.4.200 dev eni16b2ba08303 scope link
192.168.5.76 dev eni481fe145bd1 scope link
>> node 52.79.83.80 <<
default via 192.168.8.1 dev ens5 proto dhcp src 192.168.11.144 metric 512
192.168.0.2 via 192.168.8.1 dev ens5 proto dhcp src 192.168.11.144 metric 512
192.168.8.0/22 dev ens5 proto kernel scope link src 192.168.11.144 metric 512
192.168.8.1 dev ens5 proto dhcp scope link src 192.168.11.144 metric 512
192.168.10.106 dev eni98bb2c9cd6c scope link
192.168.10.183 dev eni6422ac782e4 scope link
파드가 생성되면, 워커 노드에 eniY@ifN 가추가되고 라우팅 테이블에도 정보가 추가된다.
테스트용 파드 eniY 정보 확인 - 워커 노드 EC2
# 노드3에서 네트워크 인터페이스 정보 확인
ssh ec2-user@$N2
----------------
[ec2-user@ip-192-168-5-36 ~]$ ip -br -c addr show
lo UNKNOWN 127.0.0.1/8 ::1/128
ens5 UP 192.168.5.36/22 metric 512 fe80::409:ffff:fe29:eb23/64
eni481fe145bd1@if3 UP fe80::80b9:cff:fe9d:bd66/64
ens6 UP 192.168.4.106/22 fe80::459:b6ff:fefa:9319/64
eni16b2ba08303@if3 UP fe80::e44d:65ff:feef:2c50/64
[ec2-user@ip-192-168-5-36 ~]$ ip -c link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether 06:09:ff:29:eb:23 brd ff:ff:ff:ff:ff:ff
altname enp0s5
3: eni481fe145bd1@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP mode DEFAULT group default
link/ether 82:b9:0c:9d:bd:66 brd ff:ff:ff:ff:ff:ff link-netns cni-b50f9442-d17b-8951-95c3-46862cb4df5d
4: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether 06:59:b6:fa:93:19 brd ff:ff:ff:ff:ff:ff
altname enp0s6
5: eni16b2ba08303@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP mode DEFAULT group default
link/ether e6:4d:65:ef:2c:50 brd ff:ff:ff:ff:ff:ff link-netns cni-5eddec93-7408-ac2f-7035-0f754ef40068
[ec2-user@ip-192-168-5-36 ~]$ ip -c addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
link/ether 06:09:ff:29:eb:23 brd ff:ff:ff:ff:ff:ff
altname enp0s5
inet 192.168.5.36/22 metric 512 brd 192.168.7.255 scope global dynamic ens5
valid_lft 2647sec preferred_lft 2647sec
inet6 fe80::409:ffff:fe29:eb23/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
3: eni481fe145bd1@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default
link/ether 82:b9:0c:9d:bd:66 brd ff:ff:ff:ff:ff:ff link-netns cni-b50f9442-d17b-8951-95c3-46862cb4df5d
inet6 fe80::80b9:cff:fe9d:bd66/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
4: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
link/ether 06:59:b6:fa:93:19 brd ff:ff:ff:ff:ff:ff
altname enp0s6
inet 192.168.4.106/22 brd 192.168.7.255 scope global ens6
valid_lft forever preferred_lft forever
inet6 fe80::459:b6ff:fefa:9319/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
5: eni16b2ba08303@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default
link/ether e6:4d:65:ef:2c:50 brd ff:ff:ff:ff:ff:ff link-netns cni-5eddec93-7408-ac2f-7035-0f754ef40068
inet6 fe80::e44d:65ff:feef:2c50/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
[ec2-user@ip-192-168-5-36 ~]$ ip route
default via 192.168.4.1 dev ens5 proto dhcp src 192.168.5.36 metric 512
192.168.0.2 via 192.168.4.1 dev ens5 proto dhcp src 192.168.5.36 metric 512
192.168.4.0/22 dev ens5 proto kernel scope link src 192.168.5.36 metric 512
192.168.4.1 dev ens5 proto dhcp scope link src 192.168.5.36 metric 512
192.168.4.200 dev eni16b2ba08303 scope link
192.168.5.76 dev eni481fe145bd1 scope link
exit
테스트용 파드 접속(exec) 후 확인
# 테스트용 파드 접속(exec) 후 Shell 실행
2w git:(main*) $ kubectl exec -it $PODNAME1 -- bash
bash-5.1#
# 아래부터는 pod-1 Shell 에서 실행 : 네트워크 정보 확인
----------------------------
bash-5.1# ip -c addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: eth0@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default
link/ether f2:10:fc:98:f4:d4 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.168.1.234/32 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::f010:fcff:fe98:f4d4/64 scope link
valid_lft forever preferred_lft forever
bash-5.1# ip -c route
default via 169.254.1.1 dev eth0
169.254.1.1 dev eth0 scope link
bash-5.1# cat /etc/resolv.conf
search default.svc.cluster.local svc.cluster.local cluster.local ap-northeast-2.compute.internal
nameserver 10.100.0.10
options ndots:5
exit
----------------------------
ddd
# Node 및 Pod 정보 확인
2w git:(main*) $ k get node -owide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
ip-192-168-11-144.ap-northeast-2.compute.internal Ready <none> 110m v1.34.4-eks-f69f56f 192.168.11.144 52.79.83.80 Amazon Linux 2023.10.20260302 6.12.73-95.123.amzn2023.x86_64 containerd://2.2.1+unknown
ip-192-168-3-7.ap-northeast-2.compute.internal Ready <none> 110m v1.34.4-eks-f69f56f 192.168.3.7 13.125.90.155 Amazon Linux 2023.10.20260302 6.12.73-95.123.amzn2023.x86_64 containerd://2.2.1+unknown
ip-192-168-5-36.ap-northeast-2.compute.internal Ready <none> 110m v1.34.4-eks-f69f56f 192.168.5.36 3.36.10.59 Amazon Linux 2023.10.20260302 6.12.73-95.123.amzn2023.x86_64 containerd://2.2.1+unknown
2w git:(main*) $ k get pods -owide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
netshoot-pod-64fbf7fb5-9scs4 1/1 Running 0 14m 192.168.1.234 ip-192-168-3-7.ap-northeast-2.compute.internal <none> <none>
netshoot-pod-64fbf7fb5-kz8ff 1/1 Running 0 14m 192.168.10.106 ip-192-168-11-144.ap-northeast-2.compute.internal <none> <none>
netshoot-pod-64fbf7fb5-zgqsp 1/1 Running 0 14m 192.168.4.200 ip-192-168-5-36.ap-northeast-2.compute.internal <none> <none>
# 파드2 Shell 실행
kubectl exec -it $PODNAME2 -- ip -c addr
# 파드3 Shell 실행
kubectl exec -it $PODNAME3 -- ip -br -c addr
3. 노드 간 파드 통신
목표 : 파드간 통신 시 tcpdump 내용을 확인하고 통신 과정을 알아본다.
파드간 통신 흐름 : AWS VPC CNI 경우 별도의 오버레이(Overlay) 통신 기술 없이, VPC Native 하게 파드간 직접 통신이 가능하다.
# 파드 IP 변수 지정
2w git:(main*) $ PODIP1=$(kubectl get pod -l app=netshoot-pod -o jsonpath='{.items[0].status.podIP}')
PODIP2=$(kubectl get pod -l app=netshoot-pod -o jsonpath='{.items[1].status.podIP}')
PODIP3=$(kubectl get pod -l app=netshoot-pod -o jsonpath='{.items[2].status.podIP}')
echo $PODIP1 $PODIP2 $PODIP3
192.168.1.234 192.168.10.106 192.168.4.200
# 파드1 Shell 에서 파드2로 ping 테스트
2w git:(main*) $ kubectl exec -it $PODNAME1 -- ping -c 2 $PODIP2
PING 192.168.10.106 (192.168.10.106) 56(84) bytes of data.
64 bytes from 192.168.10.106: icmp_seq=1 ttl=125 time=1.59 ms
64 bytes from 192.168.10.106: icmp_seq=2 ttl=125 time=1.25 ms
--- 192.168.10.106 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 1.245/1.416/1.587/0.171 ms
2w git:(main*) $ kubectl exec -it $PODNAME1 -- curl -s http://$PODIP2
Praqma Network MultiTool (with NGINX) - netshoot-pod-64fbf7fb5-kz8ff - 192.168.10.106 - HTTP: 80 , HTTPS: 443
<br>
<hr>
<br>
<h1>05 Jan 2022 - Press-release: `Praqma/Network-Multitool` is now `wbitt/Network-Multitool`</h1>
<h2>Important note about name/org change:</h2>
<p>
Few years ago, I created this tool with Henrik Høegh, as `praqma/network-multitool`. Praqma was bought by another company, and now the "Praqma" brand is being dismantled. This means the network-multitool's git and docker repositories must go. Since, I was the one maintaining the docker image for all these years, it was decided by the current representatives of the company to hand it over to me so I can continue maintaining it. So, apart from a small change in the repository name, nothing has changed.<br>
</p>
<p>
The existing/old/previous container image `praqma/network-multitool` will continue to work and will remain available for **"some time"** - may be for a couple of months - not sure though.
</p>
<p>
- Kamran Azeem <kamranazeem@gmail.com> <a href=https://github.com/KamranAzeem>https://github.com/KamranAzeem</a>
</p>
<h2>Some important URLs:</h2>
<ul>
<li>The new official github repository for this tool is: <a href=https://github.com/wbitt/Network-MultiTool>https://github.com/wbitt/Network-MultiTool</a></li>
<li>The docker repository to pull this image is now: <a href=https://hub.docker.com/r/wbitt/network-multitool>https://hub.docker.com/r/wbitt/network-multitool</a></li>
</ul>
<br>
Or:
<br>
<pre>
<code>
docker pull wbitt/network-multitool
</code>
</pre>
<hr>
2w git:(main*) $ kubectl exec -it $PODNAME1 -- curl -sk https://$PODIP2
Praqma Network MultiTool (with NGINX) - netshoot-pod-64fbf7fb5-kz8ff - 192.168.10.106 - HTTP: 80 , HTTPS: 443
<br>
<hr>
<br>
<h1>05 Jan 2022 - Press-release: `Praqma/Network-Multitool` is now `wbitt/Network-Multitool`</h1>
<h2>Important note about name/org change:</h2>
<p>
Few years ago, I created this tool with Henrik Høegh, as `praqma/network-multitool`. Praqma was bought by another company, and now the "Praqma" brand is being dismantled. This means the network-multitool's git and docker repositories must go. Since, I was the one maintaining the docker image for all these years, it was decided by the current representatives of the company to hand it over to me so I can continue maintaining it. So, apart from a small change in the repository name, nothing has changed.<br>
</p>
<p>
The existing/old/previous container image `praqma/network-multitool` will continue to work and will remain available for **"some time"** - may be for a couple of months - not sure though.
</p>
<p>
- Kamran Azeem <kamranazeem@gmail.com> <a href=https://github.com/KamranAzeem>https://github.com/KamranAzeem</a>
</p>
<h2>Some important URLs:</h2>
<ul>
<li>The new official github repository for this tool is: <a href=https://github.com/wbitt/Network-MultiTool>https://github.com/wbitt/Network-MultiTool</a></li>
<li>The docker repository to pull this image is now: <a href=https://hub.docker.com/r/wbitt/network-multitool>https://hub.docker.com/r/wbitt/network-multitool</a></li>
</ul>
<br>
Or:
<br>
<pre>
<code>
docker pull wbitt/network-multitool
</code>
</pre>
<hr>
# 파드2 Shell 에서 파드3로 ping 테스트
2w git:(main*) $ kubectl exec -it $PODNAME2 -- ping -c 2 $PODIP3
PING 192.168.4.200 (192.168.4.200) 56(84) bytes of data.
64 bytes from 192.168.4.200: icmp_seq=1 ttl=125 time=1.62 ms
64 bytes from 192.168.4.200: icmp_seq=2 ttl=125 time=1.28 ms
--- 192.168.4.200 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 1.276/1.446/1.616/0.170 ms
# 파드3 Shell 에서 파드1로 ping 테스트
2w git:(main*) $ kubectl exec -it $PODNAME3 -- ping -c 2 $PODIP1
PING 192.168.1.234 (192.168.1.234) 56(84) bytes of data.
64 bytes from 192.168.1.234: icmp_seq=1 ttl=125 time=1.06 ms
64 bytes from 192.168.1.234: icmp_seq=2 ttl=125 time=0.824 ms
--- 192.168.1.234 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.824/0.943/1.062/0.119 ms
# 워커 노드 EC2 : TCPDUMP 확인
## For Pod to external (outside VPC) traffic, we will program iptables to SNAT using Primary IP address on the Primary ENI.
[ec2-user@ip-192-168-3-7 ~]$ sudo tcpdump -i any -nn icmp
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
[ec2-user@ip-192-168-5-36 ~]$ watch -d "ip link | egrep 'ens|eni' ;echo;echo "[ROUTE TABLE]"; route -n | grep eni"
[1]+ Stopped watch -d "ip link | egrep 'ens|eni' ;echo;echo "[ROUTE TABLE]"; route -n | grep eni"
[ec2-user@ip-192-168-5-36 ~]$ sudo tcpdump -i any -nn icmp
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
# 파드 ping 테스트
2w git:(main*) $ kubectl exec -it $PODNAME1 -- ping -c 2 $PODIP3
PING 192.168.4.200 (192.168.4.200) 56(84) bytes of data.
64 bytes from 192.168.4.200: icmp_seq=1 ttl=125 time=0.897 ms
64 bytes from 192.168.4.200: icmp_seq=2 ttl=125 time=0.835 ms
--- 192.168.4.200 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1045ms
rtt min/avg/max/mdev = 0.835/0.866/0.897/0.031 ms
# Node에서 TCPDUMP 재확인
[ec2-user@ip-192-168-3-7 ~]$ sudo tcpdump -i ens5 -nn icmp
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens5, link-type EN10MB (Ethernet), snapshot length 262144 bytes
13:34:36.019761 IP 192.168.1.234 > 192.168.4.200: ICMP echo request, id 4, seq 1, length 64
13:34:36.020570 IP 192.168.4.200 > 192.168.1.234: ICMP echo reply, id 4, seq 1, length 64
13:34:37.034019 IP 192.168.1.234 > 192.168.4.200: ICMP echo request, id 4, seq 2, length 64
13:34:37.034798 IP 192.168.4.200 > 192.168.1.234: ICMP echo reply, id 4, seq 2, length 64
[ec2-user@ip-192-168-5-36 ~]$ sudo tcpdump -i ens5 -nn icmp
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens5, link-type EN10MB (Ethernet), snapshot length 262144 bytes
13:34:36.020137 IP 192.168.1.234 > 192.168.4.200: ICMP echo request, id 4, seq 1, length 64
13:34:36.020223 IP 192.168.4.200 > 192.168.1.234: ICMP echo reply, id 4, seq 1, length 64
13:34:37.034401 IP 192.168.1.234 > 192.168.4.200: ICMP echo request, id 4, seq 2, length 64
13:34:37.034457 IP 192.168.4.200 > 192.168.1.234: ICMP echo reply, id 4, seq 2, length 64
4. 파드에서 외부 통신
파드에서 외부 통신 흐름 : iptable 에 SNAT 을 통하여 노드의 eth0(ens5) IP로 변경되어서 외부와 통신됨
(참고) VPC CNI 의 External source network address translation (SNAT) 설정에 따라, 외부(인터넷) 통신 시 SNAT 하거나 혹은 SNAT 없이 통신을 할 수 있다 - 링크
[실습] 파드에서 외부 통신 테스트 및 확인
파드 shell 실행 후 외부로 ping 테스트 & 워커 노드에서 tcpdump 및 iptables 정보 확인
# pod-1 Shell 에서 외부로 ping
2w git:(main*) $ kubectl exec -it $PODNAME2 -- ping -c 1 www.google.com
PING www.google.com (142.251.157.119) 56(84) bytes of data.
64 bytes from 142.251.157.119 (142.251.157.119): icmp_seq=1 ttl=106 time=21.7 ms
--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 21.693/21.693/21.693/0.000 ms
# Node2에서 확인
13:39:21.468312 IP 192.168.3.7 > 142.251.153.119: ICMP echo request, id 63626, seq 1, length 64
13:39:21.491632 IP 142.251.153.119 > 192.168.3.7: ICMP echo reply, id 63626, seq 1, length 64
13:39:25.975422 IP 192.168.3.7 > 142.251.155.119: ICMP echo request, id 58444, seq 1, length 64
13:39:25.992810 IP 142.251.155.119 > 192.168.3.7: ICMP echo reply, id 58444, seq 1, length 64
# 퍼블릭IP 확인
2w git:(main*) $ for i in $N1 $N2 $N3; do echo ">> node $i <<"; ssh ec2-user@$i curl -s ipinfo.io/ip; echo; echo; done
>> node 13.125.90.155 <<
13.125.90.155
>> node 3.36.10.59 <<
3.36.10.59
>> node 52.79.83.80 <<
52.79.83.80
# 작업용 EC2 : pod-1 Shell 에서 외부 접속 확인 - 공인IP는 어떤 주소인가?
## The right way to check the weather - [링크](https://github.com/chubin/wttr.in)
2w git:(main*) $ for i in $PODNAME1 $PODNAME2 $PODNAME3; do echo ">> Pod : $i <<"; kubectl exec -it $i -- curl -s ipinfo.io/ip; echo; echo; done
>> Pod : netshoot-pod-64fbf7fb5-9scs4 <<
13.125.90.155
>> Pod : netshoot-pod-64fbf7fb5-kz8ff <<
52.79.83.80
>> Pod : netshoot-pod-64fbf7fb5-zgqsp <<
3.36.10.59
디플로이먼트 삭제 : kubectl delete deploy netshoot-pod
5. AWS VPC CNI 설정 변경
AWS VPC CNI 설정 변경 적용
1. eks.tf 수정
# add-on
addons = {
coredns = {
most_recent = true
}
kube-proxy = {
most_recent = true
}
vpc-cni = {
most_recent = true
before_compute = true
configuration_values = jsonencode({
env = {
#WARM_ENI_TARGET = "1" # 현재 ENI 외에 여유 ENI 1개를 항상 확보
WARM_IP_TARGET = "5" # 현재 사용 중인 IP 외에 여유 IP 5개를 항상 유지, 설정 시 WARM_ENI_TARGET 무시됨
MINIMUM_IP_TARGET = "10" # 노드 시작 시 최소 확보해야 할 IP 총량 10개
#ENABLE_PREFIX_DELEGATION = "true"
#WARM_PREFIX_TARGET = "1" # PREFIX_DELEGATION 사용 시, 1개의 여유 대역(/28) 유지
}
})
}
}
2. 설정 적용
# 모니터링
watch -d kubectl get pod -n kube-system -l k8s-app=aws-node # aws-node 데몬셋 파드 확인
watch -d eksctl get addon --cluster myeks # addon 확인
# 적용
terraform plan
terraform apply -auto-approve
3. 확인
# 파드 재생성 확인
2w git:(main*) $ kubectl get pod -n kube-system -l k8s-app=aws-node
NAME READY STATUS RESTARTS AGE
aws-node-7sjr8 2/2 Running 0 36s
aws-node-gzlvq 2/2 Running 0 28s
aws-node-t9q94 2/2 Running 0 40s
# aws-node DaemonSet의 env 확인
2w git:(main*) $ kubectl describe ds aws-node -n kube-system | grep -E "WARM_IP_TARGET|MINIMUM_IP_TARGET"
MINIMUM_IP_TARGET: 10
WARM_IP_TARGET: 5
# 노드 정보 확인 : (hostNetwork 제외) 파드가 없는 노드에도 ENI 추가 확인!
2w git:(main*) $ for i in $N1 $N2 $N3; do echo ">> node $i <<"; ssh ec2-user@$i sudo ip -c addr; echo; done
>> node 13.125.90.155 <<
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
link/ether 02:4d:80:ab:fb:03 brd ff:ff:ff:ff:ff:ff
altname enp0s5
inet 192.168.3.7/22 metric 512 brd 192.168.3.255 scope global dynamic ens5
valid_lft 2335sec preferred_lft 2335sec
inet6 fe80::4d:80ff:feab:fb03/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
5: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
link/ether 02:47:9f:e8:62:8f brd ff:ff:ff:ff:ff:ff
altname enp0s6
inet 192.168.3.9/22 brd 192.168.3.255 scope global ens6
valid_lft forever preferred_lft forever
inet6 fe80::47:9fff:fee8:628f/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
>> node 3.36.10.59 <<
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
link/ether 06:09:ff:29:eb:23 brd ff:ff:ff:ff:ff:ff
altname enp0s5
inet 192.168.5.36/22 metric 512 brd 192.168.7.255 scope global dynamic ens5
valid_lft 2333sec preferred_lft 2333sec
inet6 fe80::409:ffff:fe29:eb23/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
3: eni481fe145bd1@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default
link/ether 82:b9:0c:9d:bd:66 brd ff:ff:ff:ff:ff:ff link-netns cni-b50f9442-d17b-8951-95c3-46862cb4df5d
inet6 fe80::80b9:cff:fe9d:bd66/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
4: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
link/ether 06:59:b6:fa:93:19 brd ff:ff:ff:ff:ff:ff
altname enp0s6
inet 192.168.4.106/22 brd 192.168.7.255 scope global ens6
valid_lft forever preferred_lft forever
inet6 fe80::459:b6ff:fefa:9319/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
>> node 52.79.83.80 <<
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
link/ether 0a:3c:3e:51:13:09 brd ff:ff:ff:ff:ff:ff
altname enp0s5
inet 192.168.11.144/22 metric 512 brd 192.168.11.255 scope global dynamic ens5
valid_lft 2334sec preferred_lft 2334sec
inet6 fe80::83c:3eff:fe51:1309/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
3: eni6422ac782e4@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default
link/ether 1e:59:e7:6d:e9:94 brd ff:ff:ff:ff:ff:ff link-netns cni-4c8defb0-eb51-0e65-cc93-fee1aa750c32
inet6 fe80::1c59:e7ff:fe6d:e994/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
4: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
link/ether 0a:99:8a:8a:28:13 brd ff:ff:ff:ff:ff:ff
altname enp0s6
inet 192.168.9.236/22 brd 192.168.11.255 scope global ens6
valid_lft forever preferred_lft forever
inet6 fe80::899:8aff:fe8a:2813/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
# cni log 확인
2w git:(main*) $ for i in $N1 $N2 $N3; do echo ">> node $i <<"; ssh ec2-user@$i tree /var/log/aws-routed-eni ; echo; done
>> node 13.125.90.155 <<
/var/log/aws-routed-eni
├── ebpf-sdk.log
├── egress-v6-plugin.log
├── ipamd.log
├── network-policy-agent.log
└── plugin.log
0 directories, 5 files
>> node 3.36.10.59 <<
/var/log/aws-routed-eni
├── ebpf-sdk.log
├── egress-v6-plugin.log
├── ipamd.log
├── network-policy-agent.log
└── plugin.log
0 directories, 5 files
>> node 52.79.83.80 <<
/var/log/aws-routed-eni
├── ebpf-sdk.log
├── egress-v6-plugin.log
├── ipamd.log
├── network-policy-agent.log
└── plugin.log
0 directories, 5 files
2w git:(main*) $ for i in $N1 $N2 $N3; do echo ">> node $i <<"; ssh ec2-user@$i sudo cat /var/log/aws-routed-eni/plugin.log | jq ; echo; done
>> node 13.125.90.155 <<
{
"level": "info",
"ts": "2026-03-24T13:11:22.893Z",
"caller": "routed-eni-cni-plugin/cni.go:131",
"msg": "Constructed new logger instance"
}
{
"level": "info",
"ts": "2026-03-24T13:11:22.893Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "Received CNI add request: ContainerID(6b944f9b13abcdb8c2a477ed9457410639bf7bf5f66fea063c3fb4401def2fa7) Netns(/var/run/netns/cni-fe7fad89-605d-5958-858b-eb6b44907b9a) IfName(eth0) Args(K8S_POD_UID=00aa5245-d205-45dd-816b-767b7407e8df;IgnoreUnknown=1;K8S_POD_NAMESPACE=default;K8S_POD_NAME=netshoot-pod-64fbf7fb5-9scs4;K8S_POD_INFRA_CONTAINER_ID=6b944f9b13abcdb8c2a477ed9457410639bf7bf5f66fea063c3fb4401def2fa7) Path(/opt/cni/bin) argsStdinData({\"capabilities\":{\"io.kubernetes.cri.pod-annotations\":true},\"cniVersion\":\"0.4.0\",\"mtu\":\"9001\",\"name\":\"aws-cni\",\"pluginLogFile\":\"/var/log/aws-routed-eni/plugin.log\",\"pluginLogLevel\":\"DEBUG\",\"podSGEnforcingMode\":\"strict\",\"runtimeConfig\":{\"io.kubernetes.cri.pod-annotations\":{\"kubernetes.io/config.seen\":\"2026-03-24T13:11:22.521887016Z\",\"kubernetes.io/config.source\":\"api\"}},\"type\":\"aws-cni\",\"vethPrefix\":\"eni\"})"
}
{
"level": "debug",
"ts": "2026-03-24T13:11:22.894Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "Prev Result: <nil>\n"
}
{
"level": "debug",
"ts": "2026-03-24T13:11:22.894Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "MTU value set is 9001:"
}
{
"level": "debug",
"ts": "2026-03-24T13:11:22.894Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "pod requires multi-nic attachment: false"
}
{
"level": "info",
"ts": "2026-03-24T13:11:22.897Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "Received add network response from ipamd for container 6b944f9b13abcdb8c2a477ed9457410639bf7bf5f66fea063c3fb4401def2fa7 interface eth0: Success:true IPAllocationMetadata:{IPv4Addr:\"192.168.1.234\" RouteTableId:254} VPCv4CIDRs:\"192.168.0.0/16\" NetworkPolicyMode:\"standard\""
}
{
"level": "debug",
"ts": "2026-03-24T13:11:22.897Z",
"caller": "routed-eni-cni-plugin/cni.go:279",
"msg": "SetupPodNetwork: hostVethName=eni728a59de5d0, contVethName=eth0, netnsPath=/var/run/netns/cni-fe7fad89-605d-5958-858b-eb6b44907b9a, ipAddr=192.168.1.234/32, routeTableNumber=254, mtu=9001"
}
{
"level": "debug",
"ts": "2026-03-24T13:11:22.955Z",
"caller": "driver/driver.go:276",
"msg": "Successfully set IPv6 sysctls on hostVeth eni728a59de5d0"
}
{
"level": "debug",
"ts": "2026-03-24T13:11:22.955Z",
"caller": "driver/driver.go:286",
"msg": "Successfully setup container route, containerAddr=192.168.1.234/32, hostVeth=eni728a59de5d0, rtTable=main"
}
{
"level": "debug",
"ts": "2026-03-24T13:11:22.955Z",
"caller": "driver/driver.go:286",
"msg": "Successfully setup toContainer rule, containerAddr=192.168.1.234/32, rtTable=main"
}
{
"level": "debug",
"ts": "2026-03-24T13:11:22.955Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "Using dummy interface: {Name:dummy728a59de5d0 Mac:0 Mtu:0 Sandbox:0 SocketPath: PciID:}"
}
{
"level": "debug",
"ts": "2026-03-24T13:11:22.959Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "Network Policy agent for EnforceNpToPod returned Success : true"
}
{
"level": "info",
"ts": "2026-03-24T13:47:27.636Z",
"caller": "routed-eni-cni-plugin/cni.go:131",
"msg": "Constructed new logger instance"
}
{
"level": "debug",
"ts": "2026-03-24T13:47:27.636Z",
"caller": "routed-eni-cni-plugin/cni.go:361",
"msg": "Prev Result: &{0.4.0 [{Name:eni728a59de5d0 Mac: Sandbox:} {Name:eth0 Mac:254 Sandbox:/var/run/netns/cni-fe7fad89-605d-5958-858b-eb6b44907b9a} {Name:dummy728a59de5d0 Mac:0 Sandbox:0}] [{Version:4 Interface:0xc000219de0 Address:{IP:192.168.1.234 Mask:ffffffff} Gateway:<nil>}] [] {[] [] []}}\n"
}
{
"level": "info",
"ts": "2026-03-24T13:47:27.636Z",
"caller": "routed-eni-cni-plugin/cni.go:361",
"msg": "Received CNI del request: ContainerID(6b944f9b13abcdb8c2a477ed9457410639bf7bf5f66fea063c3fb4401def2fa7) Netns(/var/run/netns/cni-fe7fad89-605d-5958-858b-eb6b44907b9a) IfName(eth0) Args(K8S_POD_NAMESPACE=default;K8S_POD_NAME=netshoot-pod-64fbf7fb5-9scs4;K8S_POD_INFRA_CONTAINER_ID=6b944f9b13abcdb8c2a477ed9457410639bf7bf5f66fea063c3fb4401def2fa7;K8S_POD_UID=00aa5245-d205-45dd-816b-767b7407e8df;IgnoreUnknown=1) Path(/opt/cni/bin) argsStdinData({\"capabilities\":{\"io.kubernetes.cri.pod-annotations\":true},\"cniVersion\":\"0.4.0\",\"mtu\":\"9001\",\"name\":\"aws-cni\",\"pluginLogFile\":\"/var/log/aws-routed-eni/plugin.log\",\"pluginLogLevel\":\"DEBUG\",\"podSGEnforcingMode\":\"strict\",\"prevResult\":{\"cniVersion\":\"0.4.0\",\"dns\":{},\"interfaces\":[{\"name\":\"eni728a59de5d0\"},{\"mac\":\"254\",\"name\":\"eth0\",\"sandbox\":\"/var/run/netns/cni-fe7fad89-605d-5958-858b-eb6b44907b9a\"},{\"mac\":\"0\",\"name\":\"dummy728a59de5d0\",\"sandbox\":\"0\"}],\"ips\":[{\"address\":\"192.168.1.234/32\",\"interface\":1,\"version\":\"4\"}]},\"runtimeConfig\":{\"io.kubernetes.cri.pod-annotations\":{\"kubernetes.io/config.seen\":\"2026-03-24T13:11:22.521887016Z\",\"kubernetes.io/config.source\":\"api\"}},\"type\":\"aws-cni\",\"vethPrefix\":\"eni\"})"
}
{
"level": "info",
"ts": "2026-03-24T13:47:27.638Z",
"caller": "routed-eni-cni-plugin/cni.go:361",
"msg": "Received del network response from ipamd for pod netshoot-pod-64fbf7fb5-9scs4 namespace default sandbox 6b944f9b13abcdb8c2a477ed9457410639bf7bf5f66fea063c3fb4401def2fa7: Success:true IPAllocationMetadata:{IPv4Addr:\"192.168.1.234\" RouteTableId:254} NetworkPolicyMode:\"standard\""
}
{
"level": "debug",
"ts": "2026-03-24T13:47:27.639Z",
"caller": "routed-eni-cni-plugin/cni.go:487",
"msg": "TeardownPodNetwork: containerAddr=192.168.1.234/32, routeTable=254"
}
{
"level": "debug",
"ts": "2026-03-24T13:47:27.639Z",
"caller": "driver/driver.go:307",
"msg": "Successfully deleted toContainer rule, containerAddr=192.168.1.234/32, rtTable=main"
}
{
"level": "debug",
"ts": "2026-03-24T13:47:27.639Z",
"caller": "driver/driver.go:307",
"msg": "Successfully deleted container route, containerAddr=192.168.1.234/32, rtTable=main"
}
{
"level": "debug",
"ts": "2026-03-24T13:47:27.640Z",
"caller": "routed-eni-cni-plugin/cni.go:361",
"msg": "Network Policy agent for DeletePodNp returned Success : true"
}
{
"level": "info",
"ts": "2026-03-24T13:47:30.838Z",
"caller": "routed-eni-cni-plugin/cni.go:131",
"msg": "Constructed new logger instance"
}
{
"level": "debug",
"ts": "2026-03-24T13:47:30.838Z",
"caller": "routed-eni-cni-plugin/cni.go:361",
"msg": "Prev Result: <nil>\n"
}
{
"level": "info",
"ts": "2026-03-24T13:47:30.838Z",
"caller": "routed-eni-cni-plugin/cni.go:361",
"msg": "Received CNI del request: ContainerID(6b944f9b13abcdb8c2a477ed9457410639bf7bf5f66fea063c3fb4401def2fa7) Netns() IfName(eth0) Args(K8S_POD_NAMESPACE=default;K8S_POD_NAME=netshoot-pod-64fbf7fb5-9scs4;K8S_POD_INFRA_CONTAINER_ID=6b944f9b13abcdb8c2a477ed9457410639bf7bf5f66fea063c3fb4401def2fa7;K8S_POD_UID=00aa5245-d205-45dd-816b-767b7407e8df;IgnoreUnknown=1) Path(/opt/cni/bin) argsStdinData({\"capabilities\":{\"io.kubernetes.cri.pod-annotations\":true},\"cniVersion\":\"0.4.0\",\"mtu\":\"9001\",\"name\":\"aws-cni\",\"pluginLogFile\":\"/var/log/aws-routed-eni/plugin.log\",\"pluginLogLevel\":\"DEBUG\",\"podSGEnforcingMode\":\"strict\",\"runtimeConfig\":{\"io.kubernetes.cri.pod-annotations\":{\"kubernetes.io/config.seen\":\"2026-03-24T13:11:22.521887016Z\",\"kubernetes.io/config.source\":\"api\"}},\"type\":\"aws-cni\",\"vethPrefix\":\"eni\"})"
}
{
"level": "info",
"ts": "2026-03-24T13:47:30.839Z",
"caller": "routed-eni-cni-plugin/cni.go:361",
"msg": "Container 6b944f9b13abcdb8c2a477ed9457410639bf7bf5f66fea063c3fb4401def2fa7 not found"
}
{
"level": "info",
"ts": "2026-03-24T13:47:30.861Z",
"caller": "routed-eni-cni-plugin/cni.go:131",
"msg": "Constructed new logger instance"
}
{
"level": "debug",
"ts": "2026-03-24T13:47:30.861Z",
"caller": "routed-eni-cni-plugin/cni.go:361",
"msg": "Prev Result: <nil>\n"
}
{
"level": "info",
"ts": "2026-03-24T13:47:30.861Z",
"caller": "routed-eni-cni-plugin/cni.go:361",
"msg": "Received CNI del request: ContainerID(6b944f9b13abcdb8c2a477ed9457410639bf7bf5f66fea063c3fb4401def2fa7) Netns() IfName(eth0) Args(K8S_POD_UID=00aa5245-d205-45dd-816b-767b7407e8df;IgnoreUnknown=1;K8S_POD_NAMESPACE=default;K8S_POD_NAME=netshoot-pod-64fbf7fb5-9scs4;K8S_POD_INFRA_CONTAINER_ID=6b944f9b13abcdb8c2a477ed9457410639bf7bf5f66fea063c3fb4401def2fa7) Path(/opt/cni/bin) argsStdinData({\"capabilities\":{\"io.kubernetes.cri.pod-annotations\":true},\"cniVersion\":\"0.4.0\",\"mtu\":\"9001\",\"name\":\"aws-cni\",\"pluginLogFile\":\"/var/log/aws-routed-eni/plugin.log\",\"pluginLogLevel\":\"DEBUG\",\"podSGEnforcingMode\":\"strict\",\"runtimeConfig\":{\"io.kubernetes.cri.pod-annotations\":{\"kubernetes.io/config.seen\":\"2026-03-24T13:11:22.521887016Z\",\"kubernetes.io/config.source\":\"api\"}},\"type\":\"aws-cni\",\"vethPrefix\":\"eni\"})"
}
{
"level": "info",
"ts": "2026-03-24T13:47:30.863Z",
"caller": "routed-eni-cni-plugin/cni.go:361",
"msg": "Container 6b944f9b13abcdb8c2a477ed9457410639bf7bf5f66fea063c3fb4401def2fa7 not found"
}
>> node 3.36.10.59 <<
{
"level": "info",
"ts": "2026-03-24T12:42:24.088Z",
"caller": "routed-eni-cni-plugin/cni.go:131",
"msg": "Constructed new logger instance"
}
{
"level": "info",
"ts": "2026-03-24T12:42:24.088Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "Received CNI add request: ContainerID(9057ac941292277cf8bd3dc28f6c58bb90eced5232b75132d27679e64eac99dc) Netns(/var/run/netns/cni-b50f9442-d17b-8951-95c3-46862cb4df5d) IfName(eth0) Args(K8S_POD_UID=e0586ebd-ba17-42fc-afa1-195787394f7c;IgnoreUnknown=1;K8S_POD_NAMESPACE=kube-system;K8S_POD_NAME=coredns-cc56d5f8b-9nvgz;K8S_POD_INFRA_CONTAINER_ID=9057ac941292277cf8bd3dc28f6c58bb90eced5232b75132d27679e64eac99dc) Path(/opt/cni/bin) argsStdinData({\"capabilities\":{\"io.kubernetes.cri.pod-annotations\":true},\"cniVersion\":\"0.4.0\",\"mtu\":\"9001\",\"name\":\"aws-cni\",\"pluginLogFile\":\"/var/log/aws-routed-eni/plugin.log\",\"pluginLogLevel\":\"DEBUG\",\"podSGEnforcingMode\":\"strict\",\"runtimeConfig\":{\"io.kubernetes.cri.pod-annotations\":{\"kubernetes.io/config.seen\":\"2026-03-24T12:42:23.738464638Z\",\"kubernetes.io/config.source\":\"api\"}},\"type\":\"aws-cni\",\"vethPrefix\":\"eni\"})"
}
{
"level": "debug",
"ts": "2026-03-24T12:42:24.088Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "Prev Result: <nil>\n"
}
{
"level": "debug",
"ts": "2026-03-24T12:42:24.088Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "MTU value set is 9001:"
}
{
"level": "debug",
"ts": "2026-03-24T12:42:24.088Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "pod requires multi-nic attachment: false"
}
{
"level": "info",
"ts": "2026-03-24T12:42:24.094Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "Received add network response from ipamd for container 9057ac941292277cf8bd3dc28f6c58bb90eced5232b75132d27679e64eac99dc interface eth0: Success:true IPAllocationMetadata:{IPv4Addr:\"192.168.5.76\" RouteTableId:254} VPCv4CIDRs:\"192.168.0.0/16\" NetworkPolicyMode:\"standard\""
}
{
"level": "debug",
"ts": "2026-03-24T12:42:24.094Z",
"caller": "routed-eni-cni-plugin/cni.go:279",
"msg": "SetupPodNetwork: hostVethName=eni481fe145bd1, contVethName=eth0, netnsPath=/var/run/netns/cni-b50f9442-d17b-8951-95c3-46862cb4df5d, ipAddr=192.168.5.76/32, routeTableNumber=254, mtu=9001"
}
{
"level": "debug",
"ts": "2026-03-24T12:42:24.132Z",
"caller": "driver/driver.go:276",
"msg": "Successfully set IPv6 sysctls on hostVeth eni481fe145bd1"
}
{
"level": "debug",
"ts": "2026-03-24T12:42:24.135Z",
"caller": "driver/driver.go:286",
"msg": "Successfully setup container route, containerAddr=192.168.5.76/32, hostVeth=eni481fe145bd1, rtTable=main"
}
{
"level": "debug",
"ts": "2026-03-24T12:42:24.135Z",
"caller": "driver/driver.go:286",
"msg": "Successfully setup toContainer rule, containerAddr=192.168.5.76/32, rtTable=main"
}
{
"level": "debug",
"ts": "2026-03-24T12:42:24.135Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "Using dummy interface: {Name:dummy481fe145bd1 Mac:0 Mtu:0 Sandbox:0 SocketPath: PciID:}"
}
{
"level": "debug",
"ts": "2026-03-24T12:42:24.141Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "Network Policy agent for EnforceNpToPod returned Success : true"
}
{
"level": "info",
"ts": "2026-03-24T13:11:22.963Z",
"caller": "routed-eni-cni-plugin/cni.go:131",
"msg": "Constructed new logger instance"
}
{
"level": "info",
"ts": "2026-03-24T13:11:22.963Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "Received CNI add request: ContainerID(7818576c777dd8ca6e3816cd6e88e1b235e385847fb9177b2af20e0dd6c3405e) Netns(/var/run/netns/cni-5eddec93-7408-ac2f-7035-0f754ef40068) IfName(eth0) Args(K8S_POD_INFRA_CONTAINER_ID=7818576c777dd8ca6e3816cd6e88e1b235e385847fb9177b2af20e0dd6c3405e;K8S_POD_UID=ed6536a7-63c5-407f-b34a-f3b00a8e8b5e;IgnoreUnknown=1;K8S_POD_NAMESPACE=default;K8S_POD_NAME=netshoot-pod-64fbf7fb5-zgqsp) Path(/opt/cni/bin) argsStdinData({\"capabilities\":{\"io.kubernetes.cri.pod-annotations\":true},\"cniVersion\":\"0.4.0\",\"mtu\":\"9001\",\"name\":\"aws-cni\",\"pluginLogFile\":\"/var/log/aws-routed-eni/plugin.log\",\"pluginLogLevel\":\"DEBUG\",\"podSGEnforcingMode\":\"strict\",\"runtimeConfig\":{\"io.kubernetes.cri.pod-annotations\":{\"kubernetes.io/config.seen\":\"2026-03-24T13:11:22.595466664Z\",\"kubernetes.io/config.source\":\"api\"}},\"type\":\"aws-cni\",\"vethPrefix\":\"eni\"})"
}
{
"level": "debug",
"ts": "2026-03-24T13:11:22.963Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "Prev Result: <nil>\n"
}
{
"level": "debug",
"ts": "2026-03-24T13:11:22.963Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "MTU value set is 9001:"
}
{
"level": "debug",
"ts": "2026-03-24T13:11:22.963Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "pod requires multi-nic attachment: false"
}
{
"level": "info",
"ts": "2026-03-24T13:11:22.966Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "Received add network response from ipamd for container 7818576c777dd8ca6e3816cd6e88e1b235e385847fb9177b2af20e0dd6c3405e interface eth0: Success:true IPAllocationMetadata:{IPv4Addr:\"192.168.4.200\" RouteTableId:254} VPCv4CIDRs:\"192.168.0.0/16\" NetworkPolicyMode:\"standard\""
}
{
"level": "debug",
"ts": "2026-03-24T13:11:22.966Z",
"caller": "routed-eni-cni-plugin/cni.go:279",
"msg": "SetupPodNetwork: hostVethName=eni16b2ba08303, contVethName=eth0, netnsPath=/var/run/netns/cni-5eddec93-7408-ac2f-7035-0f754ef40068, ipAddr=192.168.4.200/32, routeTableNumber=254, mtu=9001"
}
{
"level": "debug",
"ts": "2026-03-24T13:11:23.005Z",
"caller": "driver/driver.go:276",
"msg": "Successfully set IPv6 sysctls on hostVeth eni16b2ba08303"
}
{
"level": "debug",
"ts": "2026-03-24T13:11:23.006Z",
"caller": "driver/driver.go:286",
"msg": "Successfully setup container route, containerAddr=192.168.4.200/32, hostVeth=eni16b2ba08303, rtTable=main"
}
{
"level": "debug",
"ts": "2026-03-24T13:11:23.007Z",
"caller": "driver/driver.go:286",
"msg": "Successfully setup toContainer rule, containerAddr=192.168.4.200/32, rtTable=main"
}
{
"level": "debug",
"ts": "2026-03-24T13:11:23.007Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "Using dummy interface: {Name:dummy16b2ba08303 Mac:0 Mtu:0 Sandbox:0 SocketPath: PciID:}"
}
{
"level": "debug",
"ts": "2026-03-24T13:11:23.011Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "Network Policy agent for EnforceNpToPod returned Success : true"
}
{
"level": "info",
"ts": "2026-03-24T13:47:27.667Z",
"caller": "routed-eni-cni-plugin/cni.go:131",
"msg": "Constructed new logger instance"
}
{
"level": "debug",
"ts": "2026-03-24T13:47:27.667Z",
"caller": "routed-eni-cni-plugin/cni.go:361",
"msg": "Prev Result: &{0.4.0 [{Name:eni16b2ba08303 Mac: Sandbox:} {Name:eth0 Mac:254 Sandbox:/var/run/netns/cni-5eddec93-7408-ac2f-7035-0f754ef40068} {Name:dummy16b2ba08303 Mac:0 Sandbox:0}] [{Version:4 Interface:0xc000219de0 Address:{IP:192.168.4.200 Mask:ffffffff} Gateway:<nil>}] [] {[] [] []}}\n"
}
{
"level": "info",
"ts": "2026-03-24T13:47:27.667Z",
"caller": "routed-eni-cni-plugin/cni.go:361",
"msg": "Received CNI del request: ContainerID(7818576c777dd8ca6e3816cd6e88e1b235e385847fb9177b2af20e0dd6c3405e) Netns(/var/run/netns/cni-5eddec93-7408-ac2f-7035-0f754ef40068) IfName(eth0) Args(K8S_POD_NAME=netshoot-pod-64fbf7fb5-zgqsp;K8S_POD_INFRA_CONTAINER_ID=7818576c777dd8ca6e3816cd6e88e1b235e385847fb9177b2af20e0dd6c3405e;K8S_POD_UID=ed6536a7-63c5-407f-b34a-f3b00a8e8b5e;IgnoreUnknown=1;K8S_POD_NAMESPACE=default) Path(/opt/cni/bin) argsStdinData({\"capabilities\":{\"io.kubernetes.cri.pod-annotations\":true},\"cniVersion\":\"0.4.0\",\"mtu\":\"9001\",\"name\":\"aws-cni\",\"pluginLogFile\":\"/var/log/aws-routed-eni/plugin.log\",\"pluginLogLevel\":\"DEBUG\",\"podSGEnforcingMode\":\"strict\",\"prevResult\":{\"cniVersion\":\"0.4.0\",\"dns\":{},\"interfaces\":[{\"name\":\"eni16b2ba08303\"},{\"mac\":\"254\",\"name\":\"eth0\",\"sandbox\":\"/var/run/netns/cni-5eddec93-7408-ac2f-7035-0f754ef40068\"},{\"mac\":\"0\",\"name\":\"dummy16b2ba08303\",\"sandbox\":\"0\"}],\"ips\":[{\"address\":\"192.168.4.200/32\",\"interface\":1,\"version\":\"4\"}]},\"runtimeConfig\":{\"io.kubernetes.cri.pod-annotations\":{\"kubernetes.io/config.seen\":\"2026-03-24T13:11:22.595466664Z\",\"kubernetes.io/config.source\":\"api\"}},\"type\":\"aws-cni\",\"vethPrefix\":\"eni\"})"
}
{
"level": "info",
"ts": "2026-03-24T13:47:27.670Z",
"caller": "routed-eni-cni-plugin/cni.go:361",
"msg": "Received del network response from ipamd for pod netshoot-pod-64fbf7fb5-zgqsp namespace default sandbox 7818576c777dd8ca6e3816cd6e88e1b235e385847fb9177b2af20e0dd6c3405e: Success:true IPAllocationMetadata:{IPv4Addr:\"192.168.4.200\" RouteTableId:254} NetworkPolicyMode:\"standard\""
}
{
"level": "debug",
"ts": "2026-03-24T13:47:27.670Z",
"caller": "routed-eni-cni-plugin/cni.go:487",
"msg": "TeardownPodNetwork: containerAddr=192.168.4.200/32, routeTable=254"
}
{
"level": "debug",
"ts": "2026-03-24T13:47:27.670Z",
"caller": "driver/driver.go:307",
"msg": "Successfully deleted toContainer rule, containerAddr=192.168.4.200/32, rtTable=main"
}
{
"level": "debug",
"ts": "2026-03-24T13:47:27.670Z",
"caller": "driver/driver.go:307",
"msg": "Successfully deleted container route, containerAddr=192.168.4.200/32, rtTable=main"
}
{
"level": "debug",
"ts": "2026-03-24T13:47:27.671Z",
"caller": "routed-eni-cni-plugin/cni.go:361",
"msg": "Network Policy agent for DeletePodNp returned Success : true"
}
{
"level": "info",
"ts": "2026-03-24T13:47:31.128Z",
"caller": "routed-eni-cni-plugin/cni.go:131",
"msg": "Constructed new logger instance"
}
{
"level": "debug",
"ts": "2026-03-24T13:47:31.128Z",
"caller": "routed-eni-cni-plugin/cni.go:361",
"msg": "Prev Result: <nil>\n"
}
{
"level": "info",
"ts": "2026-03-24T13:47:31.128Z",
"caller": "routed-eni-cni-plugin/cni.go:361",
"msg": "Received CNI del request: ContainerID(7818576c777dd8ca6e3816cd6e88e1b235e385847fb9177b2af20e0dd6c3405e) Netns() IfName(eth0) Args(K8S_POD_NAME=netshoot-pod-64fbf7fb5-zgqsp;K8S_POD_INFRA_CONTAINER_ID=7818576c777dd8ca6e3816cd6e88e1b235e385847fb9177b2af20e0dd6c3405e;K8S_POD_UID=ed6536a7-63c5-407f-b34a-f3b00a8e8b5e;IgnoreUnknown=1;K8S_POD_NAMESPACE=default) Path(/opt/cni/bin) argsStdinData({\"capabilities\":{\"io.kubernetes.cri.pod-annotations\":true},\"cniVersion\":\"0.4.0\",\"mtu\":\"9001\",\"name\":\"aws-cni\",\"pluginLogFile\":\"/var/log/aws-routed-eni/plugin.log\",\"pluginLogLevel\":\"DEBUG\",\"podSGEnforcingMode\":\"strict\",\"runtimeConfig\":{\"io.kubernetes.cri.pod-annotations\":{\"kubernetes.io/config.seen\":\"2026-03-24T13:11:22.595466664Z\",\"kubernetes.io/config.source\":\"api\"}},\"type\":\"aws-cni\",\"vethPrefix\":\"eni\"})"
}
{
"level": "info",
"ts": "2026-03-24T13:47:31.130Z",
"caller": "routed-eni-cni-plugin/cni.go:361",
"msg": "Container 7818576c777dd8ca6e3816cd6e88e1b235e385847fb9177b2af20e0dd6c3405e not found"
}
{
"level": "info",
"ts": "2026-03-24T13:47:31.153Z",
"caller": "routed-eni-cni-plugin/cni.go:131",
"msg": "Constructed new logger instance"
}
{
"level": "debug",
"ts": "2026-03-24T13:47:31.153Z",
"caller": "routed-eni-cni-plugin/cni.go:361",
"msg": "Prev Result: <nil>\n"
}
{
"level": "info",
"ts": "2026-03-24T13:47:31.153Z",
"caller": "routed-eni-cni-plugin/cni.go:361",
"msg": "Received CNI del request: ContainerID(7818576c777dd8ca6e3816cd6e88e1b235e385847fb9177b2af20e0dd6c3405e) Netns() IfName(eth0) Args(K8S_POD_NAMESPACE=default;K8S_POD_NAME=netshoot-pod-64fbf7fb5-zgqsp;K8S_POD_INFRA_CONTAINER_ID=7818576c777dd8ca6e3816cd6e88e1b235e385847fb9177b2af20e0dd6c3405e;K8S_POD_UID=ed6536a7-63c5-407f-b34a-f3b00a8e8b5e;IgnoreUnknown=1) Path(/opt/cni/bin) argsStdinData({\"capabilities\":{\"io.kubernetes.cri.pod-annotations\":true},\"cniVersion\":\"0.4.0\",\"mtu\":\"9001\",\"name\":\"aws-cni\",\"pluginLogFile\":\"/var/log/aws-routed-eni/plugin.log\",\"pluginLogLevel\":\"DEBUG\",\"podSGEnforcingMode\":\"strict\",\"runtimeConfig\":{\"io.kubernetes.cri.pod-annotations\":{\"kubernetes.io/config.seen\":\"2026-03-24T13:11:22.595466664Z\",\"kubernetes.io/config.source\":\"api\"}},\"type\":\"aws-cni\",\"vethPrefix\":\"eni\"})"
}
{
"level": "info",
"ts": "2026-03-24T13:47:31.155Z",
"caller": "routed-eni-cni-plugin/cni.go:361",
"msg": "Container 7818576c777dd8ca6e3816cd6e88e1b235e385847fb9177b2af20e0dd6c3405e not found"
}
>> node 52.79.83.80 <<
{
"level": "info",
"ts": "2026-03-24T12:42:24.117Z",
"caller": "routed-eni-cni-plugin/cni.go:131",
"msg": "Constructed new logger instance"
}
{
"level": "info",
"ts": "2026-03-24T12:42:24.117Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "Received CNI add request: ContainerID(f4ed3b515de27c5ae54519c12dbc5c7eef96985c43951b5550e9d8d4dbe6a7a2) Netns(/var/run/netns/cni-4c8defb0-eb51-0e65-cc93-fee1aa750c32) IfName(eth0) Args(K8S_POD_NAME=coredns-cc56d5f8b-x7p4t;K8S_POD_INFRA_CONTAINER_ID=f4ed3b515de27c5ae54519c12dbc5c7eef96985c43951b5550e9d8d4dbe6a7a2;K8S_POD_UID=11e0e653-7cdb-4fe1-8e95-a36318ce3606;IgnoreUnknown=1;K8S_POD_NAMESPACE=kube-system) Path(/opt/cni/bin) argsStdinData({\"capabilities\":{\"io.kubernetes.cri.pod-annotations\":true},\"cniVersion\":\"0.4.0\",\"mtu\":\"9001\",\"name\":\"aws-cni\",\"pluginLogFile\":\"/var/log/aws-routed-eni/plugin.log\",\"pluginLogLevel\":\"DEBUG\",\"podSGEnforcingMode\":\"strict\",\"runtimeConfig\":{\"io.kubernetes.cri.pod-annotations\":{\"kubernetes.io/config.seen\":\"2026-03-24T12:42:23.784005411Z\",\"kubernetes.io/config.source\":\"api\"}},\"type\":\"aws-cni\",\"vethPrefix\":\"eni\"})"
}
{
"level": "debug",
"ts": "2026-03-24T12:42:24.117Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "Prev Result: <nil>\n"
}
{
"level": "debug",
"ts": "2026-03-24T12:42:24.117Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "MTU value set is 9001:"
}
{
"level": "debug",
"ts": "2026-03-24T12:42:24.117Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "pod requires multi-nic attachment: false"
}
{
"level": "info",
"ts": "2026-03-24T12:42:24.121Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "Received add network response from ipamd for container f4ed3b515de27c5ae54519c12dbc5c7eef96985c43951b5550e9d8d4dbe6a7a2 interface eth0: Success:true IPAllocationMetadata:{IPv4Addr:\"192.168.10.183\" RouteTableId:254} VPCv4CIDRs:\"192.168.0.0/16\" NetworkPolicyMode:\"standard\""
}
{
"level": "debug",
"ts": "2026-03-24T12:42:24.121Z",
"caller": "routed-eni-cni-plugin/cni.go:279",
"msg": "SetupPodNetwork: hostVethName=eni6422ac782e4, contVethName=eth0, netnsPath=/var/run/netns/cni-4c8defb0-eb51-0e65-cc93-fee1aa750c32, ipAddr=192.168.10.183/32, routeTableNumber=254, mtu=9001"
}
{
"level": "debug",
"ts": "2026-03-24T12:42:24.204Z",
"caller": "driver/driver.go:276",
"msg": "Successfully set IPv6 sysctls on hostVeth eni6422ac782e4"
}
{
"level": "debug",
"ts": "2026-03-24T12:42:24.204Z",
"caller": "driver/driver.go:286",
"msg": "Successfully setup container route, containerAddr=192.168.10.183/32, hostVeth=eni6422ac782e4, rtTable=main"
}
{
"level": "debug",
"ts": "2026-03-24T12:42:24.204Z",
"caller": "driver/driver.go:286",
"msg": "Successfully setup toContainer rule, containerAddr=192.168.10.183/32, rtTable=main"
}
{
"level": "debug",
"ts": "2026-03-24T12:42:24.204Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "Using dummy interface: {Name:dummy6422ac782e4 Mac:0 Mtu:0 Sandbox:0 SocketPath: PciID:}"
}
{
"level": "debug",
"ts": "2026-03-24T12:42:24.208Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "Network Policy agent for EnforceNpToPod returned Success : true"
}
{
"level": "info",
"ts": "2026-03-24T13:11:22.954Z",
"caller": "routed-eni-cni-plugin/cni.go:131",
"msg": "Constructed new logger instance"
}
{
"level": "info",
"ts": "2026-03-24T13:11:22.954Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "Received CNI add request: ContainerID(0d61e31a16bfff45bcf9135fc12377dc6a003de408fa34d97cb271b990eba094) Netns(/var/run/netns/cni-4faff08d-52c9-cd6a-7e2b-7cb75a439fef) IfName(eth0) Args(K8S_POD_UID=18a22f5c-af9a-4bea-bd75-87a3ae3d6799;IgnoreUnknown=1;K8S_POD_NAMESPACE=default;K8S_POD_NAME=netshoot-pod-64fbf7fb5-kz8ff;K8S_POD_INFRA_CONTAINER_ID=0d61e31a16bfff45bcf9135fc12377dc6a003de408fa34d97cb271b990eba094) Path(/opt/cni/bin) argsStdinData({\"capabilities\":{\"io.kubernetes.cri.pod-annotations\":true},\"cniVersion\":\"0.4.0\",\"mtu\":\"9001\",\"name\":\"aws-cni\",\"pluginLogFile\":\"/var/log/aws-routed-eni/plugin.log\",\"pluginLogLevel\":\"DEBUG\",\"podSGEnforcingMode\":\"strict\",\"runtimeConfig\":{\"io.kubernetes.cri.pod-annotations\":{\"kubernetes.io/config.seen\":\"2026-03-24T13:11:22.580050989Z\",\"kubernetes.io/config.source\":\"api\"}},\"type\":\"aws-cni\",\"vethPrefix\":\"eni\"})"
}
{
"level": "debug",
"ts": "2026-03-24T13:11:22.954Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "Prev Result: <nil>\n"
}
{
"level": "debug",
"ts": "2026-03-24T13:11:22.954Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "MTU value set is 9001:"
}
{
"level": "debug",
"ts": "2026-03-24T13:11:22.954Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "pod requires multi-nic attachment: false"
}
{
"level": "info",
"ts": "2026-03-24T13:11:22.958Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "Received add network response from ipamd for container 0d61e31a16bfff45bcf9135fc12377dc6a003de408fa34d97cb271b990eba094 interface eth0: Success:true IPAllocationMetadata:{IPv4Addr:\"192.168.10.106\" RouteTableId:254} VPCv4CIDRs:\"192.168.0.0/16\" NetworkPolicyMode:\"standard\""
}
{
"level": "debug",
"ts": "2026-03-24T13:11:22.958Z",
"caller": "routed-eni-cni-plugin/cni.go:279",
"msg": "SetupPodNetwork: hostVethName=eni98bb2c9cd6c, contVethName=eth0, netnsPath=/var/run/netns/cni-4faff08d-52c9-cd6a-7e2b-7cb75a439fef, ipAddr=192.168.10.106/32, routeTableNumber=254, mtu=9001"
}
{
"level": "debug",
"ts": "2026-03-24T13:11:23.005Z",
"caller": "driver/driver.go:276",
"msg": "Successfully set IPv6 sysctls on hostVeth eni98bb2c9cd6c"
}
{
"level": "debug",
"ts": "2026-03-24T13:11:23.005Z",
"caller": "driver/driver.go:286",
"msg": "Successfully setup container route, containerAddr=192.168.10.106/32, hostVeth=eni98bb2c9cd6c, rtTable=main"
}
{
"level": "debug",
"ts": "2026-03-24T13:11:23.005Z",
"caller": "driver/driver.go:286",
"msg": "Successfully setup toContainer rule, containerAddr=192.168.10.106/32, rtTable=main"
}
{
"level": "debug",
"ts": "2026-03-24T13:11:23.005Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "Using dummy interface: {Name:dummy98bb2c9cd6c Mac:0 Mtu:0 Sandbox:0 SocketPath: PciID:}"
}
{
"level": "debug",
"ts": "2026-03-24T13:11:23.012Z",
"caller": "routed-eni-cni-plugin/cni.go:140",
"msg": "Network Policy agent for EnforceNpToPod returned Success : true"
}
{
"level": "info",
"ts": "2026-03-24T13:47:27.687Z",
"caller": "routed-eni-cni-plugin/cni.go:131",
"msg": "Constructed new logger instance"
}
{
"level": "debug",
"ts": "2026-03-24T13:47:27.687Z",
"caller": "routed-eni-cni-plugin/cni.go:361",
"msg": "Prev Result: &{0.4.0 [{Name:eni98bb2c9cd6c Mac: Sandbox:} {Name:eth0 Mac:254 Sandbox:/var/run/netns/cni-4faff08d-52c9-cd6a-7e2b-7cb75a439fef} {Name:dummy98bb2c9cd6c Mac:0 Sandbox:0}] [{Version:4 Interface:0xc0001f7de0 Address:{IP:192.168.10.106 Mask:ffffffff} Gateway:<nil>}] [] {[] [] []}}\n"
}
{
"level": "info",
"ts": "2026-03-24T13:47:27.687Z",
"caller": "routed-eni-cni-plugin/cni.go:361",
"msg": "Received CNI del request: ContainerID(0d61e31a16bfff45bcf9135fc12377dc6a003de408fa34d97cb271b990eba094) Netns(/var/run/netns/cni-4faff08d-52c9-cd6a-7e2b-7cb75a439fef) IfName(eth0) Args(K8S_POD_NAMESPACE=default;K8S_POD_NAME=netshoot-pod-64fbf7fb5-kz8ff;K8S_POD_INFRA_CONTAINER_ID=0d61e31a16bfff45bcf9135fc12377dc6a003de408fa34d97cb271b990eba094;K8S_POD_UID=18a22f5c-af9a-4bea-bd75-87a3ae3d6799;IgnoreUnknown=1) Path(/opt/cni/bin) argsStdinData({\"capabilities\":{\"io.kubernetes.cri.pod-annotations\":true},\"cniVersion\":\"0.4.0\",\"mtu\":\"9001\",\"name\":\"aws-cni\",\"pluginLogFile\":\"/var/log/aws-routed-eni/plugin.log\",\"pluginLogLevel\":\"DEBUG\",\"podSGEnforcingMode\":\"strict\",\"prevResult\":{\"cniVersion\":\"0.4.0\",\"dns\":{},\"interfaces\":[{\"name\":\"eni98bb2c9cd6c\"},{\"mac\":\"254\",\"name\":\"eth0\",\"sandbox\":\"/var/run/netns/cni-4faff08d-52c9-cd6a-7e2b-7cb75a439fef\"},{\"mac\":\"0\",\"name\":\"dummy98bb2c9cd6c\",\"sandbox\":\"0\"}],\"ips\":[{\"address\":\"192.168.10.106/32\",\"interface\":1,\"version\":\"4\"}]},\"runtimeConfig\":{\"io.kubernetes.cri.pod-annotations\":{\"kubernetes.io/config.seen\":\"2026-03-24T13:11:22.580050989Z\",\"kubernetes.io/config.source\":\"api\"}},\"type\":\"aws-cni\",\"vethPrefix\":\"eni\"})"
}
{
"level": "info",
"ts": "2026-03-24T13:47:27.689Z",
"caller": "routed-eni-cni-plugin/cni.go:361",
"msg": "Received del network response from ipamd for pod netshoot-pod-64fbf7fb5-kz8ff namespace default sandbox 0d61e31a16bfff45bcf9135fc12377dc6a003de408fa34d97cb271b990eba094: Success:true IPAllocationMetadata:{IPv4Addr:\"192.168.10.106\" RouteTableId:254} NetworkPolicyMode:\"standard\""
}
{
"level": "debug",
"ts": "2026-03-24T13:47:27.689Z",
"caller": "routed-eni-cni-plugin/cni.go:487",
"msg": "TeardownPodNetwork: containerAddr=192.168.10.106/32, routeTable=254"
}
{
"level": "debug",
"ts": "2026-03-24T13:47:27.690Z",
"caller": "driver/driver.go:307",
"msg": "Successfully deleted toContainer rule, containerAddr=192.168.10.106/32, rtTable=main"
}
{
"level": "debug",
"ts": "2026-03-24T13:47:27.690Z",
"caller": "driver/driver.go:307",
"msg": "Successfully deleted container route, containerAddr=192.168.10.106/32, rtTable=main"
}
{
"level": "debug",
"ts": "2026-03-24T13:47:27.691Z",
"caller": "routed-eni-cni-plugin/cni.go:361",
"msg": "Network Policy agent for DeletePodNp returned Success : true"
}
{
"level": "info",
"ts": "2026-03-24T13:47:30.292Z",
"caller": "routed-eni-cni-plugin/cni.go:131",
"msg": "Constructed new logger instance"
}
{
"level": "debug",
"ts": "2026-03-24T13:47:30.292Z",
"caller": "routed-eni-cni-plugin/cni.go:361",
"msg": "Prev Result: <nil>\n"
}
{
"level": "info",
"ts": "2026-03-24T13:47:30.292Z",
"caller": "routed-eni-cni-plugin/cni.go:361",
"msg": "Received CNI del request: ContainerID(0d61e31a16bfff45bcf9135fc12377dc6a003de408fa34d97cb271b990eba094) Netns() IfName(eth0) Args(K8S_POD_NAMESPACE=default;K8S_POD_NAME=netshoot-pod-64fbf7fb5-kz8ff;K8S_POD_INFRA_CONTAINER_ID=0d61e31a16bfff45bcf9135fc12377dc6a003de408fa34d97cb271b990eba094;K8S_POD_UID=18a22f5c-af9a-4bea-bd75-87a3ae3d6799;IgnoreUnknown=1) Path(/opt/cni/bin) argsStdinData({\"capabilities\":{\"io.kubernetes.cri.pod-annotations\":true},\"cniVersion\":\"0.4.0\",\"mtu\":\"9001\",\"name\":\"aws-cni\",\"pluginLogFile\":\"/var/log/aws-routed-eni/plugin.log\",\"pluginLogLevel\":\"DEBUG\",\"podSGEnforcingMode\":\"strict\",\"runtimeConfig\":{\"io.kubernetes.cri.pod-annotations\":{\"kubernetes.io/config.seen\":\"2026-03-24T13:11:22.580050989Z\",\"kubernetes.io/config.source\":\"api\"}},\"type\":\"aws-cni\",\"vethPrefix\":\"eni\"})"
}
{
"level": "info",
"ts": "2026-03-24T13:47:30.294Z",
"caller": "routed-eni-cni-plugin/cni.go:361",
"msg": "Container 0d61e31a16bfff45bcf9135fc12377dc6a003de408fa34d97cb271b990eba094 not found"
}
{
"level": "info",
"ts": "2026-03-24T13:47:30.315Z",
"caller": "routed-eni-cni-plugin/cni.go:131",
"msg": "Constructed new logger instance"
}
{
"level": "debug",
"ts": "2026-03-24T13:47:30.315Z",
"caller": "routed-eni-cni-plugin/cni.go:361",
"msg": "Prev Result: <nil>\n"
}
{
"level": "info",
"ts": "2026-03-24T13:47:30.315Z",
"caller": "routed-eni-cni-plugin/cni.go:361",
"msg": "Received CNI del request: ContainerID(0d61e31a16bfff45bcf9135fc12377dc6a003de408fa34d97cb271b990eba094) Netns() IfName(eth0) Args(IgnoreUnknown=1;K8S_POD_NAMESPACE=default;K8S_POD_NAME=netshoot-pod-64fbf7fb5-kz8ff;K8S_POD_INFRA_CONTAINER_ID=0d61e31a16bfff45bcf9135fc12377dc6a003de408fa34d97cb271b990eba094;K8S_POD_UID=18a22f5c-af9a-4bea-bd75-87a3ae3d6799) Path(/opt/cni/bin) argsStdinData({\"capabilities\":{\"io.kubernetes.cri.pod-annotations\":true},\"cniVersion\":\"0.4.0\",\"mtu\":\"9001\",\"name\":\"aws-cni\",\"pluginLogFile\":\"/var/log/aws-routed-eni/plugin.log\",\"pluginLogLevel\":\"DEBUG\",\"podSGEnforcingMode\":\"strict\",\"runtimeConfig\":{\"io.kubernetes.cri.pod-annotations\":{\"kubernetes.io/config.seen\":\"2026-03-24T13:11:22.580050989Z\",\"kubernetes.io/config.source\":\"api\"}},\"type\":\"aws-cni\",\"vethPrefix\":\"eni\"})"
}
{
"level": "info",
"ts": "2026-03-24T13:47:30.317Z",
"caller": "routed-eni-cni-plugin/cni.go:361",
"msg": "Container 0d61e31a16bfff45bcf9135fc12377dc6a003de408fa34d97cb271b990eba094 not found"
"level": "debug",
"ts": "2026-03-24T14:25:57.208Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-0eac3123a10629bc0 cannot be deleted because it is primary"
}
{
"level": "debug",
"ts": "2026-03-24T14:25:57.208Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-086e74c1e91f43cb2 cannot be deleted because it is required for WARM_IP_TARGET: 5"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:02.208Z",
"caller": "ipamd/ipamd.go:765",
"msg": "IP stats for Network Card 0 - total IPs: 10, assigned IPs: 1, cooldown IPs: 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:02.209Z",
"caller": "ipamd/ipamd.go:832",
"msg": "Node found \"ip-192-168-11-144.ap-northeast-2.compute.internal\" - no of taints - 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:02.209Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-0eac3123a10629bc0 cannot be deleted because it is primary"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:02.209Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-086e74c1e91f43cb2 cannot be deleted because it is required for WARM_IP_TARGET: 5"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:07.210Z",
"caller": "ipamd/ipamd.go:765",
"msg": "IP stats for Network Card 0 - total IPs: 10, assigned IPs: 1, cooldown IPs: 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:07.210Z",
"caller": "ipamd/ipamd.go:832",
"msg": "Node found \"ip-192-168-11-144.ap-northeast-2.compute.internal\" - no of taints - 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:07.210Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-0eac3123a10629bc0 cannot be deleted because it is primary"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:07.210Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-086e74c1e91f43cb2 cannot be deleted because it is required for WARM_IP_TARGET: 5"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:09.711Z",
"caller": "ipamd/ipamd.go:768",
"msg": "Reconciling ENI/IP pool info because time since last 1m0.016310777s > 1m0s"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:09.712Z",
"caller": "ipamd/ipamd.go:1552",
"msg": "Total number of interfaces found: 2 "
}
{
"level": "debug",
"ts": "2026-03-24T14:26:09.712Z",
"caller": "awsutils/awsutils.go:607",
"msg": "Found ENI MAC address: 0a:3c:3e:51:13:09"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:09.716Z",
"caller": "awsutils/awsutils.go:607",
"msg": "Found ENI: eni-0eac3123a10629bc0, MAC 0a:3c:3e:51:13:09, device 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:09.718Z",
"caller": "awsutils/awsutils.go:607",
"msg": "Found IPv4 addresses associated with interface. This is not efa-only interface"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:09.720Z",
"caller": "awsutils/awsutils.go:607",
"msg": "Found ENI MAC address: 0a:99:8a:8a:28:13"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:09.723Z",
"caller": "awsutils/awsutils.go:607",
"msg": "Found ENI: eni-086e74c1e91f43cb2, MAC 0a:99:8a:8a:28:13, device 1"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:09.726Z",
"caller": "awsutils/awsutils.go:607",
"msg": "Found IPv4 addresses associated with interface. This is not efa-only interface"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:768",
"msg": "Reconcile existing ENI eni-0eac3123a10629bc0 IP pool"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1698",
"msg": "Reconcile and skip primary IP 192.168.11.144 on ENI eni-0eac3123a10629bc0"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1698",
"msg": "Trying to add 192.168.11.90"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "Adding 192.168.11.90/32 to DS for eni-0eac3123a10629bc0"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "IP already in DS"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1698",
"msg": "Trying to add 192.168.10.106"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "Adding 192.168.10.106/32 to DS for eni-0eac3123a10629bc0"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "IP already in DS"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1698",
"msg": "Trying to add 192.168.9.123"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "Adding 192.168.9.123/32 to DS for eni-0eac3123a10629bc0"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "IP already in DS"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1698",
"msg": "Trying to add 192.168.8.226"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "Adding 192.168.8.226/32 to DS for eni-0eac3123a10629bc0"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "IP already in DS"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1698",
"msg": "Trying to add 192.168.10.183"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "Adding 192.168.10.183/32 to DS for eni-0eac3123a10629bc0"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "IP already in DS"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:768",
"msg": "Reconcile existing ENI eni-0eac3123a10629bc0 IP prefixes"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1624",
"msg": "Found prefix pool count 0 for eni eni-0eac3123a10629bc0\n"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:768",
"msg": "Reconcile existing ENI eni-086e74c1e91f43cb2 IP pool"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1698",
"msg": "Reconcile and skip primary IP 192.168.9.236 on ENI eni-086e74c1e91f43cb2"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1698",
"msg": "Trying to add 192.168.9.97"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "Adding 192.168.9.97/32 to DS for eni-086e74c1e91f43cb2"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "IP already in DS"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1698",
"msg": "Trying to add 192.168.8.132"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "Adding 192.168.8.132/32 to DS for eni-086e74c1e91f43cb2"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "IP already in DS"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1698",
"msg": "Trying to add 192.168.8.196"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "Adding 192.168.8.196/32 to DS for eni-086e74c1e91f43cb2"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "IP already in DS"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1698",
"msg": "Trying to add 192.168.9.228"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "Adding 192.168.9.228/32 to DS for eni-086e74c1e91f43cb2"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "IP already in DS"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1698",
"msg": "Trying to add 192.168.8.71"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "Adding 192.168.8.71/32 to DS for eni-086e74c1e91f43cb2"
}
{
"level": "info",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "IP already in DS"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:768",
"msg": "Reconcile existing ENI eni-086e74c1e91f43cb2 IP prefixes"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1624",
"msg": "Found prefix pool count 0 for eni eni-086e74c1e91f43cb2\n"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:768",
"msg": "Successfully Reconciled ENI/IP pool"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:1669",
"msg": "IP pool stats for network card 0: Total IPs/Prefixes = 10/0, AssignedIPs/CooldownIPs: 1/0, c.maxIPsPerENI = 5"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:768",
"msg": "Primary IP for ENI eni-0eac3123a10629bc0 is 192.168.11.144"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:09.729Z",
"caller": "ipamd/ipamd.go:768",
"msg": "Primary IP for ENI eni-086e74c1e91f43cb2 is 192.168.9.236"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:12.229Z",
"caller": "ipamd/ipamd.go:765",
"msg": "IP stats for Network Card 0 - total IPs: 10, assigned IPs: 1, cooldown IPs: 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:12.229Z",
"caller": "ipamd/ipamd.go:832",
"msg": "Node found \"ip-192-168-11-144.ap-northeast-2.compute.internal\" - no of taints - 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:12.229Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-0eac3123a10629bc0 cannot be deleted because it is primary"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:12.229Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-086e74c1e91f43cb2 cannot be deleted because it is required for WARM_IP_TARGET: 5"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:17.232Z",
"caller": "ipamd/ipamd.go:765",
"msg": "IP stats for Network Card 0 - total IPs: 10, assigned IPs: 1, cooldown IPs: 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:17.232Z",
"caller": "ipamd/ipamd.go:832",
"msg": "Node found \"ip-192-168-11-144.ap-northeast-2.compute.internal\" - no of taints - 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:17.232Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-0eac3123a10629bc0 cannot be deleted because it is primary"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:17.232Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-086e74c1e91f43cb2 cannot be deleted because it is required for WARM_IP_TARGET: 5"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:22.232Z",
"caller": "ipamd/ipamd.go:765",
"msg": "IP stats for Network Card 0 - total IPs: 10, assigned IPs: 1, cooldown IPs: 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:22.232Z",
"caller": "ipamd/ipamd.go:832",
"msg": "Node found \"ip-192-168-11-144.ap-northeast-2.compute.internal\" - no of taints - 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:22.232Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-0eac3123a10629bc0 cannot be deleted because it is primary"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:22.232Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-086e74c1e91f43cb2 cannot be deleted because it is required for WARM_IP_TARGET: 5"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:27.236Z",
"caller": "ipamd/ipamd.go:765",
"msg": "IP stats for Network Card 0 - total IPs: 10, assigned IPs: 1, cooldown IPs: 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:27.236Z",
"caller": "ipamd/ipamd.go:832",
"msg": "Node found \"ip-192-168-11-144.ap-northeast-2.compute.internal\" - no of taints - 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:27.236Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-0eac3123a10629bc0 cannot be deleted because it is primary"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:27.236Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-086e74c1e91f43cb2 cannot be deleted because it is required for WARM_IP_TARGET: 5"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:32.237Z",
"caller": "ipamd/ipamd.go:765",
"msg": "IP stats for Network Card 0 - total IPs: 10, assigned IPs: 1, cooldown IPs: 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:32.237Z",
"caller": "ipamd/ipamd.go:832",
"msg": "Node found \"ip-192-168-11-144.ap-northeast-2.compute.internal\" - no of taints - 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:32.237Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-086e74c1e91f43cb2 cannot be deleted because it is required for WARM_IP_TARGET: 5"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:32.237Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-0eac3123a10629bc0 cannot be deleted because it is primary"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:37.238Z",
"caller": "ipamd/ipamd.go:765",
"msg": "IP stats for Network Card 0 - total IPs: 10, assigned IPs: 1, cooldown IPs: 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:37.238Z",
"caller": "ipamd/ipamd.go:832",
"msg": "Node found \"ip-192-168-11-144.ap-northeast-2.compute.internal\" - no of taints - 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:37.238Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-0eac3123a10629bc0 cannot be deleted because it is primary"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:37.238Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-086e74c1e91f43cb2 cannot be deleted because it is required for WARM_IP_TARGET: 5"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:42.239Z",
"caller": "ipamd/ipamd.go:765",
"msg": "IP stats for Network Card 0 - total IPs: 10, assigned IPs: 1, cooldown IPs: 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:42.239Z",
"caller": "ipamd/ipamd.go:832",
"msg": "Node found \"ip-192-168-11-144.ap-northeast-2.compute.internal\" - no of taints - 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:42.239Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-086e74c1e91f43cb2 cannot be deleted because it is required for WARM_IP_TARGET: 5"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:42.239Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-0eac3123a10629bc0 cannot be deleted because it is primary"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:47.242Z",
"caller": "ipamd/ipamd.go:765",
"msg": "IP stats for Network Card 0 - total IPs: 10, assigned IPs: 1, cooldown IPs: 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:47.242Z",
"caller": "ipamd/ipamd.go:832",
"msg": "Node found \"ip-192-168-11-144.ap-northeast-2.compute.internal\" - no of taints - 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:47.242Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-0eac3123a10629bc0 cannot be deleted because it is primary"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:47.242Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-086e74c1e91f43cb2 cannot be deleted because it is required for WARM_IP_TARGET: 5"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:52.245Z",
"caller": "ipamd/ipamd.go:765",
"msg": "IP stats for Network Card 0 - total IPs: 10, assigned IPs: 1, cooldown IPs: 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:52.245Z",
"caller": "ipamd/ipamd.go:832",
"msg": "Node found \"ip-192-168-11-144.ap-northeast-2.compute.internal\" - no of taints - 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:52.245Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-0eac3123a10629bc0 cannot be deleted because it is primary"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:52.245Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-086e74c1e91f43cb2 cannot be deleted because it is required for WARM_IP_TARGET: 5"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:57.247Z",
"caller": "ipamd/ipamd.go:765",
"msg": "IP stats for Network Card 0 - total IPs: 10, assigned IPs: 1, cooldown IPs: 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:57.247Z",
"caller": "ipamd/ipamd.go:832",
"msg": "Node found \"ip-192-168-11-144.ap-northeast-2.compute.internal\" - no of taints - 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:57.247Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-0eac3123a10629bc0 cannot be deleted because it is primary"
}
{
"level": "debug",
"ts": "2026-03-24T14:26:57.247Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-086e74c1e91f43cb2 cannot be deleted because it is required for WARM_IP_TARGET: 5"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:02.247Z",
"caller": "ipamd/ipamd.go:765",
"msg": "IP stats for Network Card 0 - total IPs: 10, assigned IPs: 1, cooldown IPs: 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:02.247Z",
"caller": "ipamd/ipamd.go:832",
"msg": "Node found \"ip-192-168-11-144.ap-northeast-2.compute.internal\" - no of taints - 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:02.248Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-0eac3123a10629bc0 cannot be deleted because it is primary"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:02.248Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-086e74c1e91f43cb2 cannot be deleted because it is required for WARM_IP_TARGET: 5"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:07.249Z",
"caller": "ipamd/ipamd.go:765",
"msg": "IP stats for Network Card 0 - total IPs: 10, assigned IPs: 1, cooldown IPs: 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:07.249Z",
"caller": "ipamd/ipamd.go:832",
"msg": "Node found \"ip-192-168-11-144.ap-northeast-2.compute.internal\" - no of taints - 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:07.249Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-0eac3123a10629bc0 cannot be deleted because it is primary"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:07.249Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-086e74c1e91f43cb2 cannot be deleted because it is required for WARM_IP_TARGET: 5"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:09.751Z",
"caller": "ipamd/ipamd.go:768",
"msg": "Reconciling ENI/IP pool info because time since last 1m0.021369799s > 1m0s"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:09.752Z",
"caller": "ipamd/ipamd.go:1552",
"msg": "Total number of interfaces found: 2 "
}
{
"level": "debug",
"ts": "2026-03-24T14:27:09.752Z",
"caller": "awsutils/awsutils.go:607",
"msg": "Found ENI MAC address: 0a:3c:3e:51:13:09"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:09.754Z",
"caller": "awsutils/awsutils.go:607",
"msg": "Found ENI: eni-0eac3123a10629bc0, MAC 0a:3c:3e:51:13:09, device 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:09.756Z",
"caller": "awsutils/awsutils.go:607",
"msg": "Found IPv4 addresses associated with interface. This is not efa-only interface"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:09.758Z",
"caller": "awsutils/awsutils.go:607",
"msg": "Found ENI MAC address: 0a:99:8a:8a:28:13"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:09.760Z",
"caller": "awsutils/awsutils.go:607",
"msg": "Found ENI: eni-086e74c1e91f43cb2, MAC 0a:99:8a:8a:28:13, device 1"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:09.762Z",
"caller": "awsutils/awsutils.go:607",
"msg": "Found IPv4 addresses associated with interface. This is not efa-only interface"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:768",
"msg": "Reconcile existing ENI eni-0eac3123a10629bc0 IP pool"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1698",
"msg": "Reconcile and skip primary IP 192.168.11.144 on ENI eni-0eac3123a10629bc0"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1698",
"msg": "Trying to add 192.168.11.90"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "Adding 192.168.11.90/32 to DS for eni-0eac3123a10629bc0"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "IP already in DS"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1698",
"msg": "Trying to add 192.168.10.106"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "Adding 192.168.10.106/32 to DS for eni-0eac3123a10629bc0"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "IP already in DS"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1698",
"msg": "Trying to add 192.168.9.123"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "Adding 192.168.9.123/32 to DS for eni-0eac3123a10629bc0"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "IP already in DS"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1698",
"msg": "Trying to add 192.168.8.226"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "Adding 192.168.8.226/32 to DS for eni-0eac3123a10629bc0"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "IP already in DS"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1698",
"msg": "Trying to add 192.168.10.183"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "Adding 192.168.10.183/32 to DS for eni-0eac3123a10629bc0"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "IP already in DS"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:768",
"msg": "Reconcile existing ENI eni-0eac3123a10629bc0 IP prefixes"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1624",
"msg": "Found prefix pool count 0 for eni eni-0eac3123a10629bc0\n"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:768",
"msg": "Reconcile existing ENI eni-086e74c1e91f43cb2 IP pool"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1698",
"msg": "Reconcile and skip primary IP 192.168.9.236 on ENI eni-086e74c1e91f43cb2"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1698",
"msg": "Trying to add 192.168.9.97"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "Adding 192.168.9.97/32 to DS for eni-086e74c1e91f43cb2"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "IP already in DS"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1698",
"msg": "Trying to add 192.168.8.132"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "Adding 192.168.8.132/32 to DS for eni-086e74c1e91f43cb2"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "IP already in DS"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1698",
"msg": "Trying to add 192.168.8.196"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "Adding 192.168.8.196/32 to DS for eni-086e74c1e91f43cb2"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "IP already in DS"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1698",
"msg": "Trying to add 192.168.9.228"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "Adding 192.168.9.228/32 to DS for eni-086e74c1e91f43cb2"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "IP already in DS"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1698",
"msg": "Trying to add 192.168.8.71"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "Adding 192.168.8.71/32 to DS for eni-086e74c1e91f43cb2"
}
{
"level": "info",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1822",
"msg": "IP already in DS"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:768",
"msg": "Reconcile existing ENI eni-086e74c1e91f43cb2 IP prefixes"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1624",
"msg": "Found prefix pool count 0 for eni eni-086e74c1e91f43cb2\n"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:768",
"msg": "Successfully Reconciled ENI/IP pool"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:1669",
"msg": "IP pool stats for network card 0: Total IPs/Prefixes = 10/0, AssignedIPs/CooldownIPs: 1/0, c.maxIPsPerENI = 5"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:768",
"msg": "Primary IP for ENI eni-086e74c1e91f43cb2 is 192.168.9.236"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:09.764Z",
"caller": "ipamd/ipamd.go:768",
"msg": "Primary IP for ENI eni-0eac3123a10629bc0 is 192.168.11.144"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:12.265Z",
"caller": "ipamd/ipamd.go:765",
"msg": "IP stats for Network Card 0 - total IPs: 10, assigned IPs: 1, cooldown IPs: 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:12.265Z",
"caller": "ipamd/ipamd.go:832",
"msg": "Node found \"ip-192-168-11-144.ap-northeast-2.compute.internal\" - no of taints - 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:12.265Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-0eac3123a10629bc0 cannot be deleted because it is primary"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:12.265Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-086e74c1e91f43cb2 cannot be deleted because it is required for WARM_IP_TARGET: 5"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:17.266Z",
"caller": "ipamd/ipamd.go:765",
"msg": "IP stats for Network Card 0 - total IPs: 10, assigned IPs: 1, cooldown IPs: 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:17.266Z",
"caller": "ipamd/ipamd.go:832",
"msg": "Node found \"ip-192-168-11-144.ap-northeast-2.compute.internal\" - no of taints - 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:17.266Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-0eac3123a10629bc0 cannot be deleted because it is primary"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:17.266Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-086e74c1e91f43cb2 cannot be deleted because it is required for WARM_IP_TARGET: 5"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:22.269Z",
"caller": "ipamd/ipamd.go:765",
"msg": "IP stats for Network Card 0 - total IPs: 10, assigned IPs: 1, cooldown IPs: 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:22.269Z",
"caller": "ipamd/ipamd.go:832",
"msg": "Node found \"ip-192-168-11-144.ap-northeast-2.compute.internal\" - no of taints - 0"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:22.269Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-0eac3123a10629bc0 cannot be deleted because it is primary"
}
{
"level": "debug",
"ts": "2026-03-24T14:27:22.269Z",
"caller": "datastore/data_store.go:1014",
"msg": "ENI eni-086e74c1e91f43cb2 cannot be deleted because it is required for WARM_IP_TARGET: 5"
}
6. 노드에 파드 생성 갯수 제한
사전 준비 : kube-ops-view 설치
# kube-ops-view
:2w git:(main*) $ helm repo add geek-cookbook https://geek-cookbook.github.io/charts/
"geek-cookbook" already exists with the same configuration, skipping
[23:30:23] mzc01-voieul:2w git:(main*) $ helm install kube-ops-view geek-cookbook/kube-ops-view --version 1.2.2 --set service.main.type=NodePort,service.main.ports.http.nodePort=30000 --set env.TZ="Asia/Seoul" --namespace kube-system
NAME: kube-ops-view
LAST DEPLOYED: Tue Mar 24 23:30:30 2026
NAMESPACE: kube-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
1. Get the application URL by running these commands:
export NODE_PORT=$(kubectl get --namespace kube-system -o jsonpath="{.spec.ports[0].nodePort}" services kube-ops-view)
export NODE_IP=$(kubectl get nodes --namespace kube-system -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
# 확인
2w git:(main*) $ kubectl get deploy,pod,svc,ep -n kube-system -l app.kubernetes.io/instance=kube-ops-view
Warning: v1 Endpoints is deprecated in v1.33+; use discovery.k8s.io/v1 EndpointSlice
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/kube-ops-view 0/1 1 0 5s
NAME READY STATUS RESTARTS AGE
pod/kube-ops-view-97fd86569-57489 0/1 ContainerCreating 0 5s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kube-ops-view NodePort 10.100.52.54 <none> 8080:30000/TCP 5s
NAME ENDPOINTS AGE
endpoints/kube-ops-view <none> 5s
# kube-ops-view 접속
open "http://$N1:30000/#scale=1.5"
open "http://$N1:30000/#scale=1.3"
[보조 IP] Secondary IPv4 addresses (기본값) : 인스턴스 유형에 최대 ENI 갯수와 할당 가능 IP 수를 조합하여 선정
[보조 IP] 워커 노드의 인스턴스 타입 별 파드 생성 갯수 제한
인스턴스 타입 별 ENI 최대 갯수와 할당 가능한 최대 IP 갯수에 따라서 파드 배치 갯수가 결정됨.
단, aws-node 와 kube-proxy 파드는 호스트의 IP를 사용함으로 최대 갯수에서 제외함.
☛ 최대 파드 생성 갯수 : (Number of network interfaces for the instance type × (the number of IP addressess per network interface - 1)) + 2
노드에 적용되는 최종 maxPods 값은 특정 우선순위로 상호 작용하는 여러 구성 요소에 따라 달라집니다.
우선순위(가장 높은 순서에서 낮은 순서):
관리형 노드 그룹 적용 - 사용자 지정 AMI 없이 관리형 노드 그룹을 사용하는 경우 Amazon EKS는 노드 사용자 데이터의 maxPods에 최대 한도를 적용합니다. vCPU가 30개 미만인 인스턴스의 경우 최대 한도는 110 입니다. vCPU가 30개를 초과하는 인스턴스의 경우 최대 한도는 250입니다. 이 값은 maxPodsExpression을 포함하여 다른 maxPods 구성보다 우선합니다. ⇒ vCPU 30개 미만 EC2 인스턴스 유형은 (k8s 확장 권고값에 따라) 노드에 최대 파드 110개 제한이 되고, vCPU 30이상 EC2 인스턴스 유형은 (AWS 내부 테스트 권고값에 따라) 노드에 최대 파드 250개 제한을 권고합니다.
kubelet maxPods 구성 - kubelet 구성에서 직접 maxPods를 설정하는 경우(예: 사용자 지정 AMI를 사용하는 시작 템플릿을 통해) 이 값이 maxPodsExpression보다 우선합니다.
nodeadm maxPodsExpression - NodeConfig에서 maxPodsExpression을 사용하는 경우 nodeadm은 표현식을 평가하여 maxPods를 계산합니다. 이 방법은 우선순위가 더 높은 소스에 의해 값이 아직 설정되지 않은 경우에만 유효합니다.
기본 ENI 기반 계산 - 다른 값이 설정되지 않은 경우 AMI는 인스턴스 유형에서 지원하는 탄력적 네트워크 인터페이스 및 IP 주소 수를 기반으로 maxPods를 계산합니다. 이는 (number of ENIs × (IPs per ENI − 1)) + 2 공식과 동일합니다. + 2는 포드 IP 주소를 소비하지 않는 모든 노드에서 실행되는 Amazon VPC CNI 및 kube-proxy를 고려합니다.
관리형 노드 그룹과 자체 관리형 노드 비교
사용자 지정 AMI 없이 관리형 노드 그룹을 사용하면 Amazon EKS가 노드의 부트스트랩 사용자 데이터에 maxPods 값을 주입합니다. 이는 다음을 의미합니다.
maxPods 값은 항상 인스턴스 크기에 따라 110 또는 250으로 제한됩니다.
구성한 모든 maxPodsExpression은 이 주입된 값으로 재정의됩니다.
다른 maxPods 값을 사용하려면 시작 템플릿에서 사용자 지정 AMI를 지정하고 -use-max-pods false를 -kubelet-extra-args '--max-pods=my-value'와 함께 bootstrap.sh 스크립트로 전달합니다. 예시는 시작 템플릿을 사용한 관리형 노드 사용자 지정 섹션을 참조하세요.
자체 관리형 노드를 사용하면 부트스트랩 프로세스를 완벽하게 제어할 수 있습니다. NodeConfig에서 maxPodsExpression을 사용하거나 bootstrap.sh에 --max-pods를 직접 전달할 수 있습니다.
To assign IP prefixes to your nodes, your nodes must be AWS Nitro-based. Instances that aren’t Nitro-based continue to allocate individual secondary IP addresses, but have a significantly lower number of IP addresses to assign to Pods than Nitro-based instances do.
The subnets that your Amazon EKS nodes are in must have sufficient contiguous /28 (for IPv4 clusters) or /80 (for IPv6 clusters) Classless Inter-Domain Routing (CIDR) blocks.
# 인스턴스 타입 확인 : nitro
2w git:(main*) $ aws ec2 describe-instance-types --instance-types t3.medium --query "InstanceTypes[].Hypervisor"
[
"nitro"
]
eks.tf 수정
# add-on
addons = {
coredns = {
most_recent = true
}
kube-proxy = {
most_recent = true
}
vpc-cni = {
most_recent = true
before_compute = true
configuration_values = jsonencode({
env = {
#WARM_ENI_TARGET = "1" # 현재 ENI 외에 여유 ENI 1개를 항상 확보
#WARM_IP_TARGET = "5" # 현재 사용 중인 IP 외에 여유 IP 5개를 항상 유지, 설정 시 WARM_ENI_TARGET 무시됨
#MINIMUM_IP_TARGET = "10" # 노드 시작 시 최소 확보해야 할 IP 총량 10개
ENABLE_PREFIX_DELEGATION = "true"
#WARM_PREFIX_TARGET = "1" # PREFIX_DELEGATION 사용 시, 1개의 여유 대역(/28) 유지
}
})
}
}
설정 적용
# 적용
terraform apply -auto-approve
# 기존 파드들도 위 설정 적용을 위해 재기동 해두자!
2w git:(main*) $ kubectl rollout restart -n kube-system deployment coredns
deployment.apps/coredns restarted
2w git:(main*) $ kubectl rollout restart -n kube-system deployment kube-ops-view
deployment.apps/kube-ops-view restarted
In ipvs mode, kube-proxy uses the kernel IPVS and iptables APIs to create rules to redirect traffic from Service IPs to endpoint IPs.
The IPVS proxy mode is based on netfilter hook function that is similar to iptables mode, but uses a hash table as the underlying data structure and works in the kernel space. That means kube-proxy in IPVS mode redirects traffic with lower latency than kube-proxy in iptables mode, with much better performance when synchronizing proxy rules. Compared to the iptables proxy mode, IPVS mode also supports a higher throughput of network traffic.
IPVS Mode는 Linue Kernel에서 제공하는 L4 Load Balacner인 IPVS가 Service Proxy 역할을 수행하는 Mode이다.
Packet Load Balancing 수행시 IPVS가 iptables보다 높은 성능을 보이기 때문에 IPVS Mode는 iptables Mode보다 높은 성능을 보여준다
IPVS 프록시 모드는 iptables 모드와 유사한 넷필터 후크 기능을 기반으로 하지만, 해시 테이블을 기본 데이터 구조로 사용하고 커널 스페이스에서 동작한다.
이는 IPVS 모드의 kube-proxy는 iptables 모드의 kube-proxy보다 지연 시간이 짧은 트래픽을 리다이렉션하고, 프록시 규칙을 동기화할 때 성능이 훨씬 향상됨을 의미한다.
다른 프록시 모드와 비교했을 때, IPVS 모드는 높은 네트워크 트래픽 처리량도 지원한다.
# IAM Policy json 파일 다운로드 : Download an IAM policy for the AWS Load Balancer Controller that allows it to make calls to AWS APIs on your behalf.
curl -o aws_lb_controller_policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/refs/heads/main/docs/install/iam_policy.json
# AWSLoadBalancerControllerIAMPolicy 생성 : Create an IAM policy using the policy downloaded in the previous step.
2w git:(main*) $ aws iam create-policy \
--policy-name AWSLoadBalancerControllerIAMPolicy \
--policy-document file://aws_lb_controller_policy.json
IRSA 생성
# IRSA 생성 : cloudforamtion 를 통해 IAM Role 생성
CLUSTER_NAME=myeks
eksctl get iamserviceaccount --cluster $CLUSTER_NAME
kubectl get serviceaccounts -n kube-system aws-load-balancer-controller
2w git:(main*) $ eksctl create iamserviceaccount \
--cluster=myeks \
--namespace=kube-system \
--name=aws-load-balancer-controller \
--attach-policy-arn=arn:aws:iam::123123123:policy/AWSLoadBalancerControllerIAMPolicy \
--override-existing-serviceaccounts \
--approve
2026-03-25 20:20:29 [ℹ] 1 iamserviceaccount (kube-system/aws-load-balancer-controller) was included (based on the include/exclude rules)
2026-03-25 20:20:29 [!] metadata of serviceaccounts that exist in Kubernetes will be updated, as --override-existing-serviceaccounts was set
2026-03-25 20:20:29 [ℹ] 1 task: {
2 sequential sub-tasks: {
create IAM role for serviceaccount "kube-system/aws-load-balancer-controller",
create serviceaccount "kube-system/aws-load-balancer-controller",
} }2026-03-25 20:20:29 [ℹ] building iamserviceaccount stack "eksctl-myeks-addon-iamserviceaccount-kube-system-aws-load-balancer-controller"
2026-03-25 20:20:29 [ℹ] deploying stack "eksctl-myeks-addon-iamserviceaccount-kube-system-aws-load-balancer-controller"
2026-03-25 20:20:29 [ℹ] waiting for CloudFormation stack "eksctl-myeks-addon-iamserviceaccount-kube-system-aws-load-balancer-controller"
2026-03-25 20:20:59 [ℹ] waiting for CloudFormation stack "eksctl-myeks-addon-iamserviceaccount-kube-system-aws-load-balancer-controller"
2026-03-25 20:21:00 [ℹ] created serviceaccount "kube-system/aws-load-balancer-controller"
# 확인
2w git:(main*) $ eksctl get iamserviceaccount --cluster $CLUSTER_NAME
NAMESPACE NAME ROLE ARN
kube-system aws-load-balancer-controller arn:aws:iam::123123123:role/eksctl-myeks-addon-iamserviceaccount-kube-sys-Role1-6reRubGarPXP
# k8s 에 SA 확인
# Inspecting the newly created Kubernetes Service Account, we can see the role we want it to assume in our pod.
2w git:(main*) $ eksctl get iamserviceaccount --cluster $CLUSTER_NAME
NAMESPACE NAME ROLE ARN
kube-system aws-load-balancer-controller arn:aws:iam::123123123:role/eksctl-myeks-addon-iamserviceaccount-kube-sys-Role1-6reRubGarPXP
2w git:(main*) $ kubectl get serviceaccounts -n kube-system aws-load-balancer-controller -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::123123123:role/eksctl-myeks-addon-iamserviceaccount-kube-sys-Role1-6reRubGarPXP
creationTimestamp: "2026-03-25T11:21:00Z"
labels:
app.kubernetes.io/managed-by: eksctl
name: aws-load-balancer-controller
namespace: kube-system
resourceVersion: "7352"
uid: d06883ff-bae7-4911-98fb-af8b521b171c
# Helm Chart Repository 추가
2w git:(main*) $ helm repo add eks https://aws.github.io/eks-charts
helm repo update
"eks" has been added to your repositories
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "eks" chart repository
...Successfully got an update from the "geek-cookbook" chart repository
Update Complete. ⎈Happy Helming!⎈
# Helm Chart - AWS Load Balancer Controller 설치
# https://artifacthub.io/packages/helm/aws/aws-load-balancer-controller
# https://github.com/aws/eks-charts/blob/master/stable/aws-load-balancer-controller/values.yaml
2w git:(main*) $ helm install aws-load-balancer-controller eks/aws-load-balancer-controller -n kube-system --version 3.1.0 \
--set clusterName=$CLUSTER_NAME \
--set serviceAccount.name=aws-load-balancer-controller \
--set serviceAccount.create=false
NAME: aws-load-balancer-controller
LAST DEPLOYED: Wed Mar 25 20:26:10 2026
NAMESPACE: kube-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
# 확인
2w git:(main*) $ helm list -n kube-system
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
aws-load-balancer-controller kube-system 1 2026-03-25 20:26:10.501179 +0900 KST deployed aws-load-balancer-controller-3.1.0 v3.1.0
# 파드 상태 실패 확인
2w git:(main*) $ kubectl get pod -n kube-system -l app.kubernetes.io/name=aws-load-balancer-controller
NAME READY STATUS RESTARTS AGE
aws-load-balancer-controller-7875649799-4w2fs 0/1 CrashLoopBackOff 2 (5s ago) 44s
aws-load-balancer-controller-7875649799-86phc 0/1 CrashLoopBackOff 2 (6s ago) 44s
# 로그 확인 : vpc id 정보 획득 실패!
w git:(main*) $ kubectl logs -n kube-system deployment/aws-load-balancer-controller
Found 2 pods, using pod/aws-load-balancer-controller-7875649799-4w2fs
{"level":"info","ts":"2026-03-25T11:27:17Z","msg":"version","GitVersion":"v3.1.0","GitCommit":"250024dbcc7a428cfd401c949e04de23c167d46e","BuildDate":"2026-02-24T18:21:40+0000"}
{"level":"error","ts":"2026-03-25T11:27:22Z","logger":"setup","msg":"unable to initialize AWS cloud","error":"failed to get VPC ID: failed to fetch VPC ID from instance metadata: error in fetching vpc id through ec2 metadata: get mac metadata: operation error ec2imds: GetMetadata, canceled, context deadline exceeded"}
AWS LBC 가 Region 과 VPC ID 정보 획득 필요 : 방안1(helm 설치 시 파라미터 설정), 방안2(imds)
# (참고) vpc id 확인
terraform state show 'module.vpc.aws_vpc.this[0]'
terraform state show 'module.vpc.aws_vpc.this[0]' | grep ' id'
terraform show -json | jq -r '.values.root_module.child_modules[] | select(.address == "module.vpc") | .resources[] | select(.address == "module.vpc.aws_vpc.this[0]") | .values.id'
vpc-0db6bf1bbadee777d
# (참고)
helm install aws-load-balancer-controller eks/aws-load-balancer-controller -n kube-system --version 3.1.0 \
--set clusterName=myeks \
--set serviceAccount.name=aws-load-balancer-controller \
--set serviceAccount.create=false \
--set region=ap-northeast-2 \
--set vpcId=vpc-0db6bf1bbadee777d
방안2 : AWS 워커 노드들 인스턴스 메타데이터 옵션 수정 : 1 → 2 로 변경! (이 방법으로 설정)
# 디플로이먼트 리스타트!
2w git:(main*) $ kubectl rollout restart -n kube-system deploy aws-load-balancer-controller
deployment.apps/aws-load-balancer-controller restarted
# 파드 상태 확인
2w git:(main*) $ kubectl get pod -n kube-system -l app.kubernetes.io/name=aws-load-balancer-controller
NAME READY STATUS RESTARTS AGE
aws-load-balancer-controller-6d7988b599-n7wpm 1/1 Running 0 25s
aws-load-balancer-controller-6d7988b599-xb6dr 1/1 Running 0 42s
# crd 확인
2w git:(main*) $ kubectl get crd | grep -E 'elb|gateway'
albtargetcontrolconfigs.elbv2.k8s.aws 2026-03-25T11:26:09Z
ingressclassparams.elbv2.k8s.aws 2026-03-25T11:26:10Z
listenerruleconfigurations.gateway.k8s.aws 2026-03-25T11:26:10Z
loadbalancerconfigurations.gateway.k8s.aws 2026-03-25T11:26:10Z
targetgroupbindings.elbv2.k8s.aws 2026-03-25T11:26:10Z
targetgroupconfigurations.gateway.k8s.aws 2026-03-25T11:26:10Z
2w git:(main*) $ kubectl explain ingressclassparams.elbv2.k8s.aws.spec.listeners
GROUP: elbv2.k8s.aws
KIND: IngressClassParams
VERSION: v1beta1
FIELD: listeners <[]Object>
DESCRIPTION:
Listeners define a list of listeners with their protocol, port and
attributes.
FIELDS:
listenerAttributes <[]Object>
The attributes of the listener
port <integer>
The port of the listener
protocol <string>
The protocol of the listener
2w git:(main*) $ kubectl explain ingressclassparams.elbv2.k8s.aws.spec
GROUP: elbv2.k8s.aws
KIND: IngressClassParams
VERSION: v1beta1
FIELD: spec <Object>
DESCRIPTION:
IngressClassParamsSpec defines the desired state of IngressClassParams
FIELDS:
PrefixListsIDs <[]string>
PrefixListsIDsLegacy defines the security group prefix lists for all
Ingresses that belong to IngressClass with this IngressClassParams.
Not Recommended, Use PrefixListsIDs (prefixListsIDs in JSON) instead
certificateArn <[]string>
CertificateArn specifies the ARN of the certificates for all Ingresses that
belong to IngressClass with this IngressClassParams.
group <Object>
Group defines the IngressGroup for all Ingresses that belong to IngressClass
with this IngressClassParams.
inboundCIDRs <[]string>
InboundCIDRs specifies the CIDRs that are allowed to access the Ingresses
that belong to IngressClass with this IngressClassParams.
ipAddressType <string>
enum: ipv4, dualstack, dualstack-without-public-ipv4
IPAddressType defines the ip address type for all Ingresses that belong to
IngressClass with this IngressClassParams.
ipamConfiguration <Object>
IPAMConfiguration defines the IPAM settings for a Load Balancer.
listeners <[]Object>
Listeners define a list of listeners with their protocol, port and
attributes.
loadBalancerAttributes <[]Object>
LoadBalancerAttributes define the custom attributes to LoadBalancers for all
Ingress that that belong to IngressClass with this IngressClassParams.
loadBalancerName <string>
LoadBalancerName defines the name of the load balancer that will be created
with this IngressClassParams.
minimumLoadBalancerCapacity <Object>
MinimumLoadBalancerCapacity define the capacity reservation for
LoadBalancers for all Ingress that belong to IngressClass with this
IngressClassParams.
namespaceSelector <Object>
NamespaceSelector restrict the namespaces of Ingresses that are allowed to
specify the IngressClass with this IngressClassParams.
* if absent or present but empty, it selects all namespaces.
prefixListsIDs <[]string>
PrefixListsIDs defines the security group prefix lists for all Ingresses
that belong to IngressClass with this IngressClassParams.
scheme <string>
enum: internal, internet-facing
Scheme defines the scheme for all Ingresses that belong to IngressClass with
this IngressClassParams.
sslPolicy <string>
SSLPolicy specifies the SSL Policy for all Ingresses that belong to
IngressClass with this IngressClassParams.
sslRedirectPort <string>
SSLRedirectPort specifies the SSL Redirect Port for all Ingresses that
belong to IngressClass with this IngressClassParams.
subnets <Object>
Subnets defines the subnets for all Ingresses that belong to IngressClass
with this IngressClassParams.
tags <[]Object>
Tags defines list of Tags on AWS resources provisioned for Ingresses that
belong to IngressClass with this IngressClassParams.
targetType <string>
enum: instance, ip
TargetType defines the target type of target groups for all Ingresses that
belong to IngressClass with this IngressClassParams.
wafv2AclArn <string>
WAFv2ACLArn specifies ARN for the Amazon WAFv2 web ACL.
wafv2AclName <string>
WAFv2ACLName specifies name of the Amazon WAFv2 web ACL.
# AWS Load Balancer Controller 확인
2w git:(main*) $ kubectl get deployment -n kube-system aws-load-balancer-controller
NAME READY UP-TO-DATE AVAILABLE AGE
aws-load-balancer-controller 2/2 2 2 12m
2w git:(main*) $ kubectl describe deploy -n kube-system aws-load-balancer-controller
Name: aws-load-balancer-controller
Namespace: kube-system
CreationTimestamp: Wed, 25 Mar 2026 20:26:13 +0900
Labels: app.kubernetes.io/instance=aws-load-balancer-controller
app.kubernetes.io/managed-by=Helm
app.kubernetes.io/name=aws-load-balancer-controller
app.kubernetes.io/version=v3.1.0
helm.sh/chart=aws-load-balancer-controller-3.1.0
Annotations: deployment.kubernetes.io/revision: 2
meta.helm.sh/release-name: aws-load-balancer-controller
meta.helm.sh/release-namespace: kube-system
Selector: app.kubernetes.io/instance=aws-load-balancer-controller,app.kubernetes.io/name=aws-load-balancer-controller
Replicas: 2 desired | 2 updated | 2 total | 2 available | 0 unavailable
StrategyType: RollingUpdate
MinReadySeconds: 0
RollingUpdateStrategy: 25% max unavailable, 25% max surge
Pod Template:
Labels: app.kubernetes.io/instance=aws-load-balancer-controller
app.kubernetes.io/name=aws-load-balancer-controller
Annotations: kubectl.kubernetes.io/restartedAt: 2026-03-25T20:34:25+09:00
prometheus.io/port: 8080
prometheus.io/scrape: true
Service Account: aws-load-balancer-controller
Containers:
aws-load-balancer-controller:
Image: public.ecr.aws/eks/aws-load-balancer-controller:v3.1.0
Ports: 9443/TCP (webhook-server), 8080/TCP (metrics-server)
Host Ports: 0/TCP (webhook-server), 0/TCP (metrics-server)
Args:
--cluster-name=myeks
--ingress-class=alb
Liveness: http-get http://:61779/healthz delay=30s timeout=10s period=10s #success=1 #failure=2
Readiness: http-get http://:61779/readyz delay=10s timeout=10s period=10s #success=1 #failure=2
Environment: <none>
Mounts:
/tmp/k8s-webhook-server/serving-certs from cert (ro)
Volumes:
cert:
Type: Secret (a volume populated by a Secret)
SecretName: aws-load-balancer-tls
Optional: false
Priority Class Name: system-cluster-critical
Node-Selectors: <none>
Tolerations: <none>
Conditions:
Type Status Reason
---- ------ ------
Available True MinimumReplicasAvailable
Progressing True NewReplicaSetAvailable
OldReplicaSets: aws-load-balancer-controller-7875649799 (0/0 replicas created)
NewReplicaSet: aws-load-balancer-controller-6d7988b599 (2/2 replicas created)
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal ScalingReplicaSet 13m deployment-controller Scaled up replica set aws-load-balancer-controller-7875649799 from 0 to 2
Normal ScalingReplicaSet 5m deployment-controller Scaled up replica set aws-load-balancer-controller-6d7988b599 from 0 to 1
Normal ScalingReplicaSet 4m43s deployment-controller Scaled down replica set aws-load-balancer-controller-7875649799 from 2 to 1
Normal ScalingReplicaSet 4m43s deployment-controller Scaled up replica set aws-load-balancer-controller-6d7988b599 from 1 to 2
Normal ScalingReplicaSet 4m31s deployment-controller Scaled down replica set aws-load-balancer-controller-7875649799 from 1 to 0
2w git:(main*) $ kubectl describe deploy -n kube-system aws-load-balancer-controller | grep 'Service Account'
Service Account: aws-load-balancer-controller
# 클러스터롤, 롤 확인
2w git:(main*) $ kubectl describe clusterroles.rbac.authorization.k8s.io aws-load-balancer-controller-role
Name: aws-load-balancer-controller-role
Labels: app.kubernetes.io/instance=aws-load-balancer-controller
app.kubernetes.io/managed-by=Helm
app.kubernetes.io/name=aws-load-balancer-controller
app.kubernetes.io/version=v3.1.0
helm.sh/chart=aws-load-balancer-controller-3.1.0
Annotations: meta.helm.sh/release-name: aws-load-balancer-controller
meta.helm.sh/release-namespace: kube-system
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
targetgroupbindings.elbv2.k8s.aws [] [] [create delete get list patch update watch]
events [] [] [create patch]
configmaps [] [] [get delete create update]
ingresses [] [] [get list patch update watch]
services [] [] [get list patch update watch]
ingresses.extensions [] [] [get list patch update watch]
services.extensions [] [] [get list patch update watch]
ingresses.networking.k8s.io [] [] [get list patch update watch]
services.networking.k8s.io [] [] [get list patch update watch]
globalaccelerators.aga.k8s.aws [] [] [get list patch watch]
listenerruleconfigurations.gateway.k8s.aws [] [] [get list watch patch]
loadbalancerconfigurations.gateway.k8s.aws [] [] [get list watch patch]
targetgroupconfigurations.gateway.k8s.aws [] [] [get list watch patch]
gatewayclasses.gateway.networking.k8s.io [] [] [get list watch patch]
gateways.gateway.networking.k8s.io [] [] [get list watch patch]
endpoints [] [] [get list watch]
namespaces [] [] [get list watch]
nodes [] [] [get list watch]
pods [] [] [get list watch]
endpointslices.discovery.k8s.io [] [] [get list watch]
ingressclassparams.elbv2.k8s.aws [] [] [get list watch]
grpcroutes.gateway.networking.k8s.io [] [] [get list watch]
httproutes.gateway.networking.k8s.io [] [] [get list watch]
referencegrants.gateway.networking.k8s.io [] [] [get list watch]
tcproutes.gateway.networking.k8s.io [] [] [get list watch]
tlsroutes.gateway.networking.k8s.io [] [] [get list watch]
udproutes.gateway.networking.k8s.io [] [] [get list watch]
ingressclasses.networking.k8s.io [] [] [get list watch]
gatewayclasses.gateway.networking.k8s.io/status [] [] [get patch update]
gateways.gateway.networking.k8s.io/status [] [] [get patch update]
grpcroutes.gateway.networking.k8s.io/status [] [] [get patch update]
httproutes.gateway.networking.k8s.io/status [] [] [get patch update]
tcproutes.gateway.networking.k8s.io/status [] [] [get patch update]
tlsroutes.gateway.networking.k8s.io/status [] [] [get patch update]
udproutes.gateway.networking.k8s.io/status [] [] [get patch update]
listenerruleconfigurations.gateway.k8s.aws/status [] [] [get patch watch]
loadbalancerconfigurations.gateway.k8s.aws/status [] [] [get patch watch]
targetgroupconfigurations.gateway.k8s.aws/status [] [] [get patch watch]
albtargetcontrolconfigs.elbv2.k8s.aws [] [] [get]
globalaccelerators.aga.k8s.aws/finalizers [] [] [patch update]
globalaccelerators.aga.k8s.aws/status [] [] [patch update]
ingresses/status [] [] [update patch]
pods/status [] [] [update patch]
services/status [] [] [update patch]
targetgroupbindings/status [] [] [update patch]
ingresses.elbv2.k8s.aws/status [] [] [update patch]
pods.elbv2.k8s.aws/status [] [] [update patch]
services.elbv2.k8s.aws/status [] [] [update patch]
targetgroupbindings.elbv2.k8s.aws/status [] [] [update patch]
ingresses.extensions/status [] [] [update patch]
pods.extensions/status [] [] [update patch]
services.extensions/status [] [] [update patch]
targetgroupbindings.extensions/status [] [] [update patch]
listenerruleconfigurations.gateway.k8s.aws/finalizers [] [] [update patch]
loadbalancerconfigurations.gateway.k8s.aws/finalizers [] [] [update patch]
targetgroupconfigurations.gateway.k8s.aws/finalizers [] [] [update patch]
gatewayclasses.gateway.networking.k8s.io/finalizers [] [] [update patch]
gateways.gateway.networking.k8s.io/finalizers [] [] [update patch]
ingresses.networking.k8s.io/status [] [] [update patch]
pods.networking.k8s.io/status [] [] [update patch]
services.networking.k8s.io/status [] [] [update patch]
targetgroupbindings.networking.k8s.io/status [] [] [update patch]
grpcroutes.gateway.networking.k8s.io/finalizers [] [] [update]
httproutes.gateway.networking.k8s.io/finalizers [] [] [update]
tcproutes.gateway.networking.k8s.io/finalizers [] [] [update]
tlsroutes.gateway.networking.k8s.io/finalizers [] [] [update]
udproutes.gateway.networking.k8s.io/finalizers [] [] [update]
# 정책 파일 작성
2w git:(main*) $ cat << EOF > externaldns_controller_policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets",
"route53:ListTagsForResources"
],
"Resource": [
"arn:aws:route53:::hostedzone/*"
]
},
{
"Effect": "Allow",
"Action": [
"route53:ListHostedZones"
],
"Resource": [
"*"
]
}
]
}
EOF
# IAM 정책 생성
2w git:(main*) $ aws iam create-policy \
--policy-name ExternalDNSControllerPolicy \
--policy-document file://externaldns_controller_policy.json
{
"Policy": {
"PolicyName": "ExternalDNSControllerPolicy",
"PolicyId": "ANPASC4RJSTGMLOE2D7EO",
"Arn": "arn:aws:iam::143649248460:policy/ExternalDNSControllerPolicy",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 0,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2026-03-25T12:50:31+00:00",
"UpdateDate": "2026-03-25T12:50:31+00:00"
}
}
# 확인
2w git:(main*) $ ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
2w git:(main*) $ aws iam get-policy --policy-arn arn:aws:iam::$ACCOUNT_ID:policy/ExternalDNSControllerPolicy | jq
{
"Policy": {
"PolicyName": "ExternalDNSControllerPolicy",
"PolicyId": "ANPASC4RJSTGMLOE2D7EO",
"Arn": "arn:aws:iam::123123123:policy/ExternalDNSControllerPolicy",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 0,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2026-03-25T12:50:31+00:00",
"UpdateDate": "2026-03-25T12:50:31+00:00",
"Tags": []
}
}
# IRSA 생성 : cloudforamtion 를 통해 IAM Role 생성
2w git:(main*) $ CLUSTER_NAME=myeks
2w git:(main*) $ eksctl create iamserviceaccount \
--cluster=$CLUSTER_NAME \
--namespace=kube-system \
--name=external-dns \
--attach-policy-arn=arn:aws:iam::$ACCOUNT_ID:policy/ExternalDNSControllerPolicy \
--override-existing-serviceaccounts \
--approve
2026-03-25 21:52:36 [ℹ] 1 existing iamserviceaccount(s) (kube-system/aws-load-balancer-controller) will be excluded
2026-03-25 21:52:36 [ℹ] 1 iamserviceaccount (kube-system/external-dns) was included (based on the include/exclude rules)
2026-03-25 21:52:36 [!] metadata of serviceaccounts that exist in Kubernetes will be updated, as --override-existing-serviceaccounts was set
2026-03-25 21:52:36 [ℹ] 1 task: {
2 sequential sub-tasks: {
create IAM role for serviceaccount "kube-system/external-dns",
create serviceaccount "kube-system/external-dns",
} }2026-03-25 21:52:36 [ℹ] building iamserviceaccount stack "eksctl-myeks-addon-iamserviceaccount-kube-system-external-dns"
2026-03-25 21:52:36 [ℹ] deploying stack "eksctl-myeks-addon-iamserviceaccount-kube-system-external-dns"
2026-03-25 21:52:36 [ℹ] waiting for CloudFormation stack "eksctl-myeks-addon-iamserviceaccount-kube-system-external-dns"
2026-03-25 21:53:06 [ℹ] waiting for CloudFormation stack "eksctl-myeks-addon-iamserviceaccount-kube-system-external-dns"
2026-03-25 21:53:07 [ℹ] created serviceaccount "kube-system/external-dns"
# 확인
2w git:(main*) $ eksctl get iamserviceaccount --cluster $CLUSTER_NAME
NAMESPACE NAME ROLE ARN
kube-system aws-load-balancer-controller arn:aws:iam::123123123:role/eksctl-myeks-addon-iamserviceaccount-kube-sys-Role1-6reRubGarPXP
kube-system external-dns arn:aws:iam::123123123:role/eksctl-myeks-addon-iamserviceaccount-kube-sys-Role1-LQL0bluzBpsP
# k8s 에 SA 확인
# Inspecting the newly created Kubernetes Service Account, we can see the role we want it to assume in our pod.
2w git:(main*) $ kubectl get serviceaccounts -n kube-system external-dns -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::123123123:role/eksctl-myeks-addon-iamserviceaccount-kube-sys-Role1-LQL0bluzBpsP
creationTimestamp: "2026-03-25T12:53:09Z"
labels:
app.kubernetes.io/managed-by: eksctl
name: external-dns
namespace: kube-system
resourceVersion: "25962"
ExternalDNS 배포
# 자신의 도메인 변수 지정
MyDomain=<자신의 도메인>
MyDomain=test.com
# 설정 파일 작성
2w git:(main*) $ cat << EOF > external-dns-values.yaml
provider: aws
# 위에서 생성한 ServiceAccount와 연동
serviceAccount:
create: false
name: external-dns
# 필터링 설정 (보안상 권장)
# 특정 도메인만 관리하도록 제한 (예: example.com)
domainFilters:
- $MyDomain
# 레코드 업데이트 정책
# sync: 쿠버네티스에서 삭제되면 Route 53에서도 삭제 (주의 필요)
# upsert-only: 생성/수정만 하고 삭제는 수동으로 (안전함)
policy: sync
# 리소스 감지 대상
sources:
- service
- ingress
# (선택) 텍스트 레코드에 식별자 추가 (여러 클러스터가 동일 도메인 관리 시 충돌 방지)
txtOwnerId: "stduy-myeks-cluster"
registry: txt
# 로그 레벨
logLevel: info
EOF
# Helm 레포지토리 추가 및 업데이트
2w git:(main*) $ helm repo add external-dns https://kubernetes-sigs.github.io/external-dns/
"external-dns" has been added to your repositories
2w git:(main*) $ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "external-dns" chart repository
...Successfully got an update from the "eks" chart repository
...Successfully got an update from the "geek-cookbook" chart repository
Update Complete. ⎈Happy Helming!⎈
# 차트 설치
2w git:(main*) $ helm install external-dns external-dns/external-dns \
-n kube-system \
-f external-dns-values.yaml
NAME: external-dns
LAST DEPLOYED: Wed Mar 25 22:14:16 2026
NAMESPACE: kube-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
***********************************************************************
* External DNS *
***********************************************************************
Chart version: 1.20.0
App version: 0.20.0
Image tag: registry.k8s.io/external-dns/external-dns:v0.20.0
***********************************************************************
🚧 DEPRECATIONS 🚧
The following features, functions, or methods are deprecated and no longer recommended for use.
❗❗❗ DEPRECATED ❗❗❗ The legacy 'provider: <name>' configuration is in use. Support will be removed in future releases.
# 확인
2w git:(main*) $ helm list -n kube-system
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
aws-load-balancer-controller kube-system 1 2026-03-25 20:26:10.501179 +0900 KST deployed aws-load-balancer-controller-3.1.0 v3.1.0
external-dns kube-system 1 2026-03-25 22:14:16.663819 +0900 KST deployed external-dns-1.20.0 0.20.0
2w git:(main*) $ kubectl get pod -l app.kubernetes.io/name=external-dns -n kube-system
NAME READY STATUS RESTARTS AGE
external-dns-574dfc7d88-jpwj6 1/1 Running 0 39s
# 로그 모니터링
kubectl logs deploy/external-dns -n kube-system -f
# Route53 레코드 삭제 로그 확인
time="2026-03-25T13:26:31Z" level=info msg="Applying provider record filter for domains: [test.com. .test.com. test.com. .test.com.]"
time="2026-03-25T13:26:31Z" level=info msg="All records are already up to date"
time="2026-03-25T13:27:31Z" level=info msg="Applying provider record filter for domains: [test.com. .test.com. test.com. .test.com.]"
time="2026-03-25T13:27:31Z" level=info msg="All records are already up to date"
time="2026-03-25T13:28:32Z" level=info msg="Applying provider record filter for domains: [test.com. .test.com. test.com. .test.com.]"
time="2026-03-25T13:28:32Z" level=info msg="All records are already up to date"
time="2026-03-25T13:29:33Z" level=info msg="Applying provider record filter for domains: [test.com. .test.com. test.com. .test.com.]"
time="2026-03-25T13:29:33Z" level=info msg="All records are already up to date"
time="2026-03-25T13:30:32Z" level=info msg="Applying provider record filter for domains: [test.com. .test.com. test.com. .test.com.]"
time="2026-03-25T13:30:32Z" level=info msg="All records are already up to date"
time="2026-03-25T13:31:34Z" level=info msg="Applying provider record filter for domains: [test.com. .test.com. test.com. .test.com.]"
time="2026-03-25T13:31:34Z" level=info msg="All records are already up to date"
time="2026-03-25T13:32:33Z" level=info msg="Applying provider record filter for domains: [test.com. .test.com. test.com. .test.com.]"
time="2026-03-25T13:32:33Z" level=info msg="All records are already up to date"
time="2026-03-25T13:33:34Z" level=info msg="Applying provider record filter for domains: [test.com. .test.com. test.com. .test.com.]"
time="2026-03-25T13:33:34Z" level=info msg="All records are already up to date"
time="2026-03-25T13:34:34Z" level=info msg="Applying provider record filter for domains: [test.com. .test.com. test.com. .test.com.]"
time="2026-03-25T13:34:34Z" level=info msg="All records are already up to date"
time="2026-03-25T13:35:34Z" level=info msg="Applying provider record filter for domains: [test.com. .test.com. test.com. .test.com.]"
time="2026-03-25T13:35:34Z" level=info msg="All records are already up to date"
time="2026-03-25T13:36:36Z" level=info msg="Applying provider record filter for domains: [test.com. .test.com. test.com. .test.com.]"
time="2026-03-25T13:36:36Z" level=info msg="Desired change: DELETE aaaa-tetris.test.com TXT" profile=default zoneID=/hostedzone/Z04801081UEZHM58V46LC zoneName=test.com.
time="2026-03-25T13:36:36Z" level=info msg="Desired change: DELETE cname-tetris.test.com TXT" profile=default zoneID=/hostedzone/Z04801081UEZHM58V46LC zoneName=test.com.
time="2026-03-25T13:36:36Z" level=info msg="Desired change: DELETE tetris.test.com A" profile=default zoneID=/hostedzone/Z04801081UEZHM58V46LC zoneName=test.com.
time="2026-03-25T13:36:36Z" level=info msg="Desired change: DELETE tetris.test.com AAAA" profile=default zoneID=/hostedzone/Z04801081UEZHM58V46LC zoneName=test.com.
time="2026-03-25T13:36:36Z" level=info msg="4 record(s) were successfully updated" profile=default zoneID=/hostedzone/Z04801081UEZHM58V46LC zoneName=test.com.
time="2026-03-25T13:36:37Z" level=info msg="Desired change: DELETE aaaa-tetris.test.com TXT" profile=default zoneID=/hostedzone/Z0621244335S34G7MYGM zoneName=test.com.
time="2026-03-25T13:36:37Z" level=info msg="Desired change: DELETE cname-tetris.test.com TXT" profile=default zoneID=/hostedzone/Z0621244335S34G7MYGM zoneName=test.com.
time="2026-03-25T13:36:37Z" level=info msg="Desired change: DELETE tetris.test.com A" profile=default zoneID=/hostedzone/Z0621244335S34G7MYGM zoneName=test.com.
time="2026-03-25T13:36:37Z" level=info msg="Desired change: DELETE tetris.test.com AAAA" profile=default zoneID=/hostedzone/Z0621244335S34G7MYGM zoneName=test.com.
time="2026-03-25T13:36:37Z" level=info msg="4 record(s) were successfully updated" profile=default zoneID=/hostedzone/Z0621244335S34G7MYGM zoneName=test.com.
# LBC > v2.13.0 버전 이상
2w git:(main*) $ kubectl describe pod -n kube-system -l app.kubernetes.io/name=aws-load-balancer-controller | grep Image: | uniq
Image: public.ecr.aws/eks/aws-load-balancer-controller:v3.1.0
# Installation of Gateway API CRDs # --server-side=true
# CRD 별도 설치 필요
2w git:(main*) $ kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/standard-install.yaml # [REQUIRED] # Standard Gateway API CRDs
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/experimental-install.yaml # [OPTIONAL: Used for L4 Routes] # Experimental Gateway API CRDs
customresourcedefinition.apiextensions.k8s.io/gatewayclasses.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/gateways.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/grpcroutes.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/httproutes.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/referencegrants.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/backendtlspolicies.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/gatewayclasses.gateway.networking.k8s.io configured
customresourcedefinition.apiextensions.k8s.io/gateways.gateway.networking.k8s.io configured
customresourcedefinition.apiextensions.k8s.io/grpcroutes.gateway.networking.k8s.io configured
customresourcedefinition.apiextensions.k8s.io/httproutes.gateway.networking.k8s.io configured
customresourcedefinition.apiextensions.k8s.io/referencegrants.gateway.networking.k8s.io configured
customresourcedefinition.apiextensions.k8s.io/tcproutes.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/tlsroutes.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/udproutes.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/xbackendtrafficpolicies.gateway.networking.x-k8s.io created
customresourcedefinition.apiextensions.k8s.io/xlistenersets.gateway.networking.x-k8s.io created
2w git:(main*) $ kubectl api-resources | grep gateway.networking
backendtlspolicies btlspolicy gateway.networking.k8s.io/v1alpha3 true BackendTLSPolicy
gatewayclasses gc gateway.networking.k8s.io/v1 false GatewayClass
gateways gtw gateway.networking.k8s.io/v1 true Gateway
grpcroutes gateway.networking.k8s.io/v1 true GRPCRoute
httproutes gateway.networking.k8s.io/v1 true HTTPRoute
referencegrants refgrant gateway.networking.k8s.io/v1beta1 true ReferenceGrant
tcproutes gateway.networking.k8s.io/v1alpha2 true TCPRoute
tlsroutes gateway.networking.k8s.io/v1alpha2 true TLSRoute
udproutes gateway.networking.k8s.io/v1alpha2 true UDPRoute
xbackendtrafficpolicies xbtrafficpolicy gateway.networking.x-k8s.io/v1alpha1 true XBackendTrafficPolicy
xlistenersets lset gateway.networking.x-k8s.io/v1alpha1 true XListenerSet
2w git:(main*) $ kubectl explain gatewayclasses.gateway.networking.k8s.io.spec
GROUP: gateway.networking.k8s.io
KIND: GatewayClass
VERSION: v1
FIELD: spec <Object>
DESCRIPTION:
Spec defines the desired state of GatewayClass.
FIELDS:
controllerName <string> -required-
ControllerName is the name of the controller that is managing Gateways of
this class. The value of this field MUST be a domain prefixed path.
Example: "example.net/gateway-controller".
This field is not mutable and cannot be empty.
Support: Core
description <string>
Description helps describe a GatewayClass with more details.
parametersRef <Object>
ParametersRef is a reference to a resource that contains the configuration
parameters corresponding to the GatewayClass. This is optional if the
controller does not require any additional configuration.
ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
or an implementation-specific custom resource. The resource can be
cluster-scoped or namespace-scoped.
If the referent cannot be found, refers to an unsupported kind, or when
the data within that resource is malformed, the GatewayClass SHOULD be
rejected with the "Accepted" status condition set to "False" and an
"InvalidParameters" reason.
A Gateway for this GatewayClass may provide its own `parametersRef`. When
both are specified,
the merging behavior is implementation specific.
It is generally recommended that GatewayClass provides defaults that can be
overridden by a Gateway.
Support: Implementation-specific
2w git:(main*) $ kubectl explain gatewayclasses.gateway.networking.k8s.io.spec.parametersRef
GROUP: gateway.networking.k8s.io
KIND: GatewayClass
VERSION: v1
FIELD: parametersRef <Object>
DESCRIPTION:
ParametersRef is a reference to a resource that contains the configuration
parameters corresponding to the GatewayClass. This is optional if the
controller does not require any additional configuration.
ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
or an implementation-specific custom resource. The resource can be
cluster-scoped or namespace-scoped.
If the referent cannot be found, refers to an unsupported kind, or when
the data within that resource is malformed, the GatewayClass SHOULD be
rejected with the "Accepted" status condition set to "False" and an
"InvalidParameters" reason.
A Gateway for this GatewayClass may provide its own `parametersRef`. When
both are specified,
the merging behavior is implementation specific.
It is generally recommended that GatewayClass provides defaults that can be
overridden by a Gateway.
Support: Implementation-specific
FIELDS:
group <string> -required-
Group is the group of the referent.
kind <string> -required-
Kind is kind of the referent.
name <string> -required-
Name is the name of the referent.
namespace <string>
Namespace is the namespace of the referent.
This field is required when referring to a Namespace-scoped resource and
MUST be unset when referring to a Cluster-scoped resource.
# Installation of LBC Gateway API specific CRDs
2w git:(main*) $ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/refs/heads/main/config/crd/gateway/gateway-crds.yaml
Warning: resource customresourcedefinitions/listenerruleconfigurations.gateway.k8s.aws is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
customresourcedefinition.apiextensions.k8s.io/listenerruleconfigurations.gateway.k8s.aws configured
Warning: resource customresourcedefinitions/loadbalancerconfigurations.gateway.k8s.aws is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
customresourcedefinition.apiextensions.k8s.io/loadbalancerconfigurations.gateway.k8s.aws configured
Warning: resource customresourcedefinitions/targetgroupconfigurations.gateway.k8s.aws is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
customresourcedefinition.apiextensions.k8s.io/targetgroupconfigurations.gateway.k8s.aws configured
2w git:(main*) $ kubectl get crd | grep gateway.k8s.aws
listenerruleconfigurations.gateway.k8s.aws 2026-03-25T11:26:10Z
loadbalancerconfigurations.gateway.k8s.aws 2026-03-25T11:26:10Z
targetgroupconfigurations.gateway.k8s.aws 2026-03-25T11:26:10Z
2w git:(main*) $ kubectl api-resources | grep gateway.k8s.aws
listenerruleconfigurations gateway.k8s.aws/v1beta1 true ListenerRuleConfiguration
loadbalancerconfigurations gateway.k8s.aws/v1beta1 true LoadBalancerConfiguration
targetgroupconfigurations gateway.k8s.aws/v1beta1 true TargetGroupConfiguration gateway.k8s.aws/v1beta1 true TargetGroupConfiguration
LBC 에 Gateway API 활성화
# 설치 정보 확인
2w git:(main*) $ helm list -n kube-system
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
aws-load-balancer-controller kube-system 1 2026-03-25 20:26:10.501179 +0900 KST deployed aws-load-balancer-controller-3.1.0 v3.1.0
external-dns kube-system 1 2026-03-25 22:14:16.663819 +0900 KST deployed external-dns-1.20.0 0.20.0
2w git:(main*) $ helm get values -n kube-system aws-load-balancer-controller # helm values 에 Args 및 활성화 값이 현재는 없음
USER-SUPPLIED VALUES:
clusterName: myeks
serviceAccount:
create: false
name: aws-load-balancer-controller
2w git:(main*) $ kubectl describe deploy -n kube-system aws-load-balancer-controller | grep Args: -A2
Args:
--cluster-name=myeks
--ingress-class=alb
# 모니터링
kubectl get pod -n kube-system -l app.kubernetes.io/name=aws-load-balancer-controller --watch
# deployment 에 feature flag를 활성화 : By default, the LBC will not listen to Gateway API CRDs.
KUBE_EDITOR="nano" kubectl edit deploy -n kube-system aws-load-balancer-controller
...
- args:
- --cluster-name=myeks
- --ingress-class=alb
- --feature-gates=NLBGatewayAPI=true,ALBGatewayAPI=true
...
# 확인
2w git:(main*) $ kubectl describe deploy -n kube-system aws-load-balancer-controller | grep Args: -A3
Args:
--cluster-name=myeks
--ingress-class=alb
--feature-gates=NLBGatewayAPI=true,ALBGatewayAPI=true
# loadbalancerconfigurations 생성
2w git:(main*) $ kubectl explain loadbalancerconfigurations.gateway.k8s.aws.spec.scheme
GROUP: gateway.k8s.aws
KIND: LoadBalancerConfiguration
VERSION: v1beta1
FIELD: scheme <string>
ENUM:
internal
internet-facing
DESCRIPTION:
scheme defines the type of LB to provision. If unspecified, it will be
automatically inferred.
#
2w git:(main*) $ cat << EOF | kubectl apply -f -
apiVersion: gateway.k8s.aws/v1beta1
kind: LoadBalancerConfiguration
metadata:
name: lbc-config
namespace: default
spec:
scheme: internet-facing
EOF
loadbalancerconfiguration.gateway.k8s.aws/lbc-config created
# 확인
2w git:(main*) $ kubectl get loadbalancerconfiguration -owide
NAME AGE
lbc-config 3s
gatewayclasses
# gatewayclasses 생성
2w git:(main*) $ kubectl explain gatewayclasses.spec
GROUP: gateway.networking.k8s.io
KIND: GatewayClass
VERSION: v1
FIELD: spec <Object>
DESCRIPTION:
Spec defines the desired state of GatewayClass.
FIELDS:
controllerName <string> -required-
ControllerName is the name of the controller that is managing Gateways of
this class. The value of this field MUST be a domain prefixed path.
Example: "example.net/gateway-controller".
This field is not mutable and cannot be empty.
Support: Core
description <string>
Description helps describe a GatewayClass with more details.
parametersRef <Object>
ParametersRef is a reference to a resource that contains the configuration
parameters corresponding to the GatewayClass. This is optional if the
controller does not require any additional configuration.
ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
or an implementation-specific custom resource. The resource can be
cluster-scoped or namespace-scoped.
If the referent cannot be found, refers to an unsupported kind, or when
the data within that resource is malformed, the GatewayClass SHOULD be
rejected with the "Accepted" status condition set to "False" and an
"InvalidParameters" reason.
A Gateway for this GatewayClass may provide its own `parametersRef`. When
both are specified,
the merging behavior is implementation specific.
It is generally recommended that GatewayClass provides defaults that can be
overridden by a Gateway.
Support: Implementation-specific
2w git:(main*) $ kubectl explain gatewayclasses.spec.parametersRef
GROUP: gateway.networking.k8s.io
KIND: GatewayClass
VERSION: v1
FIELD: parametersRef <Object>
DESCRIPTION:
ParametersRef is a reference to a resource that contains the configuration
parameters corresponding to the GatewayClass. This is optional if the
controller does not require any additional configuration.
ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
or an implementation-specific custom resource. The resource can be
cluster-scoped or namespace-scoped.
If the referent cannot be found, refers to an unsupported kind, or when
the data within that resource is malformed, the GatewayClass SHOULD be
rejected with the "Accepted" status condition set to "False" and an
"InvalidParameters" reason.
A Gateway for this GatewayClass may provide its own `parametersRef`. When
both are specified,
the merging behavior is implementation specific.
It is generally recommended that GatewayClass provides defaults that can be
overridden by a Gateway.
Support: Implementation-specific
FIELDS:
group <string> -required-
Group is the group of the referent.
kind <string> -required-
Kind is kind of the referent.
name <string> -required-
Name is the name of the referent.
namespace <string>
Namespace is the namespace of the referent.
This field is required when referring to a Namespace-scoped resource and
MUST be unset when referring to a Cluster-scoped resource.
#
2w git:(main*) $ cat << EOF | kubectl apply -f -
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
name: aws-alb
spec:
controllerName: gateway.k8s.aws/alb
parametersRef:
group: gateway.k8s.aws
kind: LoadBalancerConfiguration
name: lbc-config
namespace: default
EOF
gatewayclass.gateway.networking.k8s.io/aws-alb created
2w git:(main*) $ kubectl get gatewayclasses -o wide # k get gc
NAME CONTROLLER ACCEPTED AGE DESCRIPTION
aws-alb gateway.k8s.aws/alb True 5s
gateway
# gateways 생성
2w git:(main*) $ kubectl explain gateways.spec
cat << EOF | kubectl apply -f -
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: alb-http
spec:
gatewayClassName: aws-alb
listeners:
- name: http
protocol: HTTP
port: 80
EOF
GROUP: gateway.networking.k8s.io
KIND: Gateway
VERSION: v1
FIELD: spec <Object>
DESCRIPTION:
Spec defines the desired state of Gateway.
FIELDS:
addresses <[]Object>
Addresses requested for this Gateway. This is optional and behavior can
depend on the implementation. If a value is set in the spec and the
requested address is invalid or unavailable, the implementation MUST
indicate this in the associated entry in GatewayStatus.Addresses.
The Addresses field represents a request for the address(es) on the
"outside of the Gateway", that traffic bound for this Gateway will use.
This could be the IP address or hostname of an external load balancer or
other networking infrastructure, or some other address that traffic will
be sent to.
If no Addresses are specified, the implementation MAY schedule the
Gateway in an implementation-specific manner, assigning an appropriate
set of Addresses.
The implementation MUST bind all Listeners to every GatewayAddress that
it assigns to the Gateway and add a corresponding entry in
GatewayStatus.Addresses.
Support: Extended
allowedListeners <Object>
AllowedListeners defines which ListenerSets can be attached to this Gateway.
While this feature is experimental, the default value is to allow no
ListenerSets.
backendTLS <Object>
BackendTLS configures TLS settings for when this Gateway is connecting to
backends with TLS.
Support: Core
gatewayClassName <string> -required-
GatewayClassName used for this Gateway. This is the name of a
GatewayClass resource.
infrastructure <Object>
Infrastructure defines infrastructure level attributes about this Gateway
instance.
Support: Extended
listeners <[]Object> -required-
Listeners associated with this Gateway. Listeners define
logical endpoints that are bound on this Gateway's addresses.
At least one Listener MUST be specified.
## Distinct Listeners
Each Listener in a set of Listeners (for example, in a single Gateway)
MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
exactly one listener. (This section uses "set of Listeners" rather than
"Listeners in a single Gateway" because implementations MAY merge
configuration
from multiple Gateways onto a single data plane, and these rules _also_
apply in that case).
Practically, this means that each listener in a set MUST have a unique
combination of Port, Protocol, and, if supported by the protocol, Hostname.
Some combinations of port, protocol, and TLS settings are considered
Core support and MUST be supported by implementations based on the objects
they support:
HTTPRoute
1. HTTPRoute, Port: 80, Protocol: HTTP
2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair
provided
TLSRoute
1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
"Distinct" Listeners have the following property:
**The implementation can match inbound requests to a single distinct
Listener**.
When multiple Listeners share values for fields (for
example, two Listeners with the same Port value), the implementation
can match requests to only one of the Listeners using other
Listener fields.
When multiple listeners have the same value for the Protocol field, then
each of the Listeners with matching Protocol values MUST have different
values for other fields.
The set of fields that MUST be different for a Listener differs per
protocol.
The following rules define the rules for what fields MUST be considered for
Listeners to be distinct with each protocol currently defined in the
Gateway API spec.
The set of listeners that all share a protocol value MUST have _different_
values for _at least one_ of these fields to be distinct:
* **HTTP, HTTPS, TLS**: Port, Hostname
* **TCP, UDP**: Port
One **very** important rule to call out involves what happens when an
implementation:
* Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol
Listeners, and
* sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP
Protocol.
In this case all the Listeners that share a port with the
TCP Listener are not distinct and so MUST NOT be accepted.
If an implementation does not support TCP Protocol Listeners, then the
previous rule does not apply, and the TCP Listeners SHOULD NOT be
accepted.
Note that the `tls` field is not used for determining if a listener is
distinct, because
Listeners that _only_ differ on TLS config will still conflict in all cases.
### Listeners that are distinct only by Hostname
When the Listeners are distinct based only on Hostname, inbound request
hostnames MUST match from the most specific to least specific Hostname
values to choose the correct Listener and its associated set of Routes.
Exact matches MUST be processed before wildcard matches, and wildcard
matches MUST be processed before fallback (empty Hostname value)
matches. For example, `"foo.example.com"` takes precedence over
`"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
Additionally, if there are multiple wildcard entries, more specific
wildcard entries must be processed before less specific wildcard entries.
For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
The precise definition here is that the higher the number of dots in the
hostname to the right of the wildcard character, the higher the precedence.
The wildcard character will match any number of characters _and dots_ to
the left, however, so `"*.example.com"` will match both
`"foo.bar.example.com"` _and_ `"bar.example.com"`.
## Handling indistinct Listeners
If a set of Listeners contains Listeners that are not distinct, then those
Listeners are _Conflicted_, and the implementation MUST set the "Conflicted"
condition in the Listener Status to "True".
The words "indistinct" and "conflicted" are considered equivalent for the
purpose of this documentation.
Implementations MAY choose to accept a Gateway with some Conflicted
Listeners only if they only accept the partial Listener set that contains
no Conflicted Listeners.
Specifically, an implementation MAY accept a partial Listener set subject to
the following rules:
* The implementation MUST NOT pick one conflicting Listener as the winner.
ALL indistinct Listeners must not be accepted for processing.
* At least one distinct Listener MUST be present, or else the Gateway
effectively
contains _no_ Listeners, and must be rejected from processing as a whole.
The implementation MUST set a "ListenersNotValid" condition on the
Gateway Status when the Gateway contains Conflicted Listeners whether or
not they accept the Gateway. That Condition SHOULD clearly
indicate in the Message which Listeners are conflicted, and which are
Accepted. Additionally, the Listener status for those listeners SHOULD
indicate which Listeners are conflicted and not Accepted.
## General Listener behavior
Note that, for all distinct Listeners, requests SHOULD match at most one
Listener.
For example, if Listeners are defined for "foo.example.com" and
"*.example.com", a
request to "foo.example.com" SHOULD only be routed using routes attached
to the "foo.example.com" Listener (and not the "*.example.com" Listener).
This concept is known as "Listener Isolation", and it is an Extended feature
of Gateway API. Implementations that do not support Listener Isolation MUST
clearly document this, and MUST NOT claim support for the
`GatewayHTTPListenerIsolation` feature.
Implementations that _do_ support Listener Isolation SHOULD claim support
for the Extended `GatewayHTTPListenerIsolation` feature and pass the
associated
conformance tests.
## Compatible Listeners
A Gateway's Listeners are considered _compatible_ if:
1. They are distinct.
2. The implementation can serve them in compliance with the Addresses
requirement that all Listeners are available on all assigned
addresses.
Compatible combinations in Extended support are expected to vary across
implementations. A combination that is compatible for one implementation
may not be compatible for another.
For example, an implementation that cannot serve both TCP and UDP listeners
on the same address, or cannot mix HTTPS and generic TLS listens on the same
port
would not consider those cases compatible, even though they are distinct.
Implementations MAY merge separate Gateways onto a single set of
Addresses if all Listeners across all Gateways are compatible.
In a future release the MinItems=1 requirement MAY be dropped.
Support: Core
gateway.gateway.networking.k8s.io/alb-http created
# gateways 확인 : 약어 gtw
2w git:(main*) $ kubectl get gateways # k get gtw
NAME CLASS ADDRESS PROGRAMMED AGE
alb-http aws-alb k8s-default-albhttp-bc3439871e-332515140.ap-northeast-2.elb.amazonaws.com Unknown 95s
# ALB 생성 확인
2w git:(main*) $ aws elbv2 describe-load-balancers | jq
{
"LoadBalancers": [
{
"LoadBalancerArn": "arn:aws:elasticloadbalancing:ap-northeast-2:123123123:loadbalancer/app/k8s-default-albhttp-bc3439871e/d0665c603e6ccfa3",
"DNSName": "k8s-default-albhttp-bc3439871e-332515140.ap-northeast-2.elb.amazonaws.com",
"CanonicalHostedZoneId": "ZWKZPGTI48KDX",
"CreatedTime": "2026-03-25T14:26:40.040000+00:00",
"LoadBalancerName": "k8s-default-albhttp-bc3439871e",
"Scheme": "internet-facing",
"VpcId": "vpc-0cb1f9404c6c5d26f",
"State": {
"Code": "provisioning"
},
"Type": "application",
"AvailabilityZones": [
{
"ZoneName": "ap-northeast-2b",
"SubnetId": "subnet-068b3b8d6bbcb22c7",
"LoadBalancerAddresses": []
},
{
"ZoneName": "ap-northeast-2c",
"SubnetId": "subnet-070926d7fca763aed",
"LoadBalancerAddresses": []
},
{
"ZoneName": "ap-northeast-2a",
"SubnetId": "subnet-0b8cdb569550ef75c",
"LoadBalancerAddresses": []
}
],
"SecurityGroups": [
"sg-0483ce2ef76d4a2dc",
"sg-0e07085b19b5af3f6"
],
"IpAddressType": "ipv4"
}
]
}
# 로그 모니터링 결과
kubectl logs -l app.kubernetes.io/name=aws-load-balancer-controller -n kube-system -f
(상위 생략)
ersion":"44962","generation":1,"creationTimestamp":"2026-03-25T14:26:36Z","annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"gateway.networking.k8s.io/v1\",\"kind\":\"Gateway\",\"metadata\":{\"annotations\":{},\"name\":\"alb-http\",\"namespace\":\"default\"},\"spec\":{\"gatewayClassName\":\"aws-alb\",\"listeners\":[{\"name\":\"http\",\"port\":80,\"protocol\":\"HTTP\"}]}}\n"},"managedFields":[{"manager":"kubectl-client-side-apply","operation":"Update","apiVersion":"gateway.networking.k8s.io/v1","time":"2026-03-25T14:26:36Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:kubectl.kubernetes.io/last-applied-configuration":{}}},"f:spec":{".":{},"f:gatewayClassName":{},"f:listeners":{".":{},"k:{\"name\":\"http\"}":{".":{},"f:allowedRoutes":{".":{},"f:namespaces":{".":{},"f:from":{}}},"f:name":{},"f:port":{},"f:protocol":{}}}}}}]},"spec":{"gatewayClassName":"aws-alb","listeners":[{"name":"http","port":80,"protocol":"HTTP","allowedRoutes":{"namespaces":{"from":"Same"}}}]},"status":{"conditions":[{"type":"Accepted","status":"Unknown","lastTransitionTime":"1970-01-01T00:00:00Z","reason":"Pending","message":"Waiting for controller"},{"type":"Programmed","status":"Unknown","lastTransitionTime":"1970-01-01T00:00:00Z","reason":"Pending","message":"Waiting for controller"}]}}}
{"level":"info","ts":"2026-03-25T14:26:37Z","logger":"backend-sg-provider","msg":"created SecurityGroup","name":"k8s-traffic-myeks-34dc390c32","id":"sg-0483ce2ef76d4a2dc"}
{"level":"info","ts":"2026-03-25T14:26:37Z","logger":"controllers.gateway.k8s.aws/alb","msg":"Auto Create SG","LB SGs":[{"$ref":"#/resources/AWS::EC2::SecurityGroup/ManagedLBSecurityGroup/status/groupID"},"sg-0483ce2ef76d4a2dc"],"backend SG":"sg-0483ce2ef76d4a2dc"}
{"level":"info","ts":"2026-03-25T14:26:37Z","logger":"controllers.gateway.k8s.aws/alb","msg":"successfully built model","model":"{\"id\":\"default/alb-http\",\"resources\":{\"AWS::EC2::SecurityGroup\":{\"ManagedLBSecurityGroup\":{\"spec\":{\"groupName\":\"k8s-default-albhttp-402c89dc74\",\"description\":\"[k8s] Managed SecurityGroup for LoadBalancer\",\"ingress\":[{\"ipProtocol\":\"tcp\",\"fromPort\":80,\"toPort\":80,\"ipRanges\":[{\"cidrIP\":\"0.0.0.0/0\"}]}]}}},\"AWS::ElasticLoadBalancingV2::LoadBalancer\":{\"LoadBalancer\":{\"spec\":{\"name\":\"k8s-default-albhttp-bc3439871e\",\"type\":\"application\",\"scheme\":\"internet-facing\",\"ipAddressType\":\"ipv4\",\"subnetMapping\":[{\"subnetID\":\"subnet-068b3b8d6bbcb22c7\"},{\"subnetID\":\"subnet-070926d7fca763aed\"},{\"subnetID\":\"subnet-0b8cdb569550ef75c\"}],\"securityGroups\":[{\"$ref\":\"#/resources/AWS::EC2::SecurityGroup/ManagedLBSecurityGroup/status/groupID\"},\"sg-0483ce2ef76d4a2dc\"]}}},\"FrontendNLBTargetGroup\":{\"FrontendNLBTargetGroup\":{\"TargetGroups\":{}}}}}"}
"level":"info","ts":"2026-03-25T14:26:38Z","logger":"controllers.gateway.k8s.aws/alb","msg":"creating securityGroup","resourceID":"ManagedLBSecurityGroup"}
{"level":"info","ts":"2026-03-25T14:26:38Z","logger":"controllers.gateway.k8s.aws/alb","msg":"created securityGroup","resourceID":"ManagedLBSecurityGroup","securityGroupID":"sg-0e07085b19b5af3f6"}
{"level":"info","ts":"2026-03-25T14:26:38Z","msg":"authorizing securityGroup ingress","securityGroupID":"sg-0e07085b19b5af3f6","permission":[{"FromPort":80,"IpProtocol":"tcp","IpRanges":[{"CidrIp":"0.0.0.0/0","Description":""}],"Ipv6Ranges":null,"PrefixListIds":null,"ToPort":80,"UserIdGroupPairs":null}]}
{"level":"info","ts":"2026-03-25T14:26:39Z","msg":"authorized securityGroup ingress","securityGroupID":"sg-0e07085b19b5af3f6"}
{"level":"info","ts":"2026-03-25T14:26:39Z","logger":"controllers.gateway.k8s.aws/alb","msg":"creating loadBalancer","stackID":"default/alb-http","resourceID":"LoadBalancer"}
{"level":"info","ts":"2026-03-25T14:26:40Z","logger":"controllers.gateway.k8s.aws/alb","msg":"created loadBalancer","stackID":"default/alb-http","resourceID":"LoadBalancer","arn":"arn:aws:elasticloadbalancing:ap-northeast-2:143649248460:loadbalancer/app/k8s-default-albhttp-bc3439871e/d0665c603e6ccfa3"}
{"level":"info","ts":"2026-03-25T14:26:40Z","logger":"controllers.gateway.k8s.aws/alb","msg":"successfully deployed model","gateway":{"name":"alb-http","namespace":"default"}}
{"level":"error","ts":"2026-03-25T14:26:40Z","logger":"controllers.gateway.k8s.aws/alb","msg":"Failed to process gateway update","gw":{"name":"alb-http","namespace":"default"},"error":"requeue needed after 2m0s: Monitoring provisioning state"}
{"level":"info","ts":"2026-03-25T14:26:40Z","logger":"controllers.gateway.k8s.aws/alb","msg":"Got request for reconcile","gw":{"kind":"Gateway","apiVersion":"gateway.networking.k8s.io/v1","metadata":{"name":"alb-http","namespace":"default","uid":"2edb037a-ea9b-47cc-bb03-8a2c4de0f4b2","resourceVersion":"44978","generation":1,"creationTimestamp":"2026-03-25T14:26:36Z","annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"gateway.networking.k8s.io/v1\",\"kind\":\"Gateway\",\"metadata\":{\"annotations\":{},\"name\":\"alb-http\",\"namespace\":\"default\"},\"spec\":{\"gatewayClassName\":\"aws-alb\",\"listeners\":[{\"name\":\"http\",\"port\":80,\"protocol\":\"HTTP\"}]}}\n"},"finalizers":["gateway.k8s.aws/alb"],"managedFields":[{"manager":"kubectl-client-side-apply","operation":"Update","apiVersion":"gateway.networking.k8s.io/v1","time":"2026-03-25T14:26:36Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:kubectl.kubernetes.io/last-applied-configuration":{}}},"f:spec":{".":{},"f:gatewayClassName":{},"f:listeners":{".":{},"k:{\"name\":\"http\"}":{".":{},"f:allowedRoutes":{".":{},"f:namespaces":{".":{},"f:from":{}}},"f:name":{},"f:port":{},"f:protocol":{}}}}}},{"manager":"controller","operation":"Update","apiVersion":"gateway.networking.k8s.io/v1","time":"2026-03-25T14:26:37Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:finalizers":{".":{},"v:\"gateway.k8s.aws/alb\"":{}}}}},{"manager":"controller","operation":"Update","apiVersion":"gateway.networking.k8s.io/v1","time":"2026-03-25T14:26:40Z","fieldsType":"FieldsV1","fieldsV1":{"f:status":{"f:addresses":{},"f:conditions":{"k:{\"type\":\"Accepted\"}":{"f:lastTransitionTime":{},"f:message":{},"f:observedGeneration":{},"f:reason":{},"f:status":{}},"k:{\"type\":\"Programmed\"}":{"f:lastTransitionTime":{},"f:message":{},"f:observedGeneration":{}}},"f:listeners":{".":{},"k:{\"name\":\"http\"}":{".":{},"f:attachedRoutes":{},"f:conditions":{".":{},"k:{\"type\":\"Accepted\"}":{".":{},"f:lastTransitionTime":{},"f:message":{},"f:observedGeneration":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Conflicted\"}":{".":{},"f:lastTransitionTime":{},"f:message":{},"f:observedGeneration":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Programmed\"}":{".":{},"f:lastTransitionTime":{},"f:message":{},"f:observedGeneration":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"ResolvedRefs\"}":{".":{},"f:lastTransitionTime":{},"f:message":{},"f:observedGeneration":{},"f:reason":{},"f:status":{},"f:type":{}}},"f:name":{},"f:supportedKinds":{}}}}},"subresource":"status"}]},"spec":{"gatewayClassName":"aws-alb","listeners":[{"name":"http","port":80,"protocol":"HTTP","allowedRoutes":{"namespaces":{"from":"Same"}}}]},"status":{"addresses":[{"type":"Hostname","value":"k8s-default-albhttp-bc3439871e-332515140.ap-northeast-2.elb.amazonaws.com"}],"conditions":[{"type":"Accepted","status":"True","observedGeneration":1,"lastTransitionTime":"2026-03-25T14:26:40Z","reason":"Accepted","message":""},{"type":"Programmed","status":"Unknown","observedGeneration":1,"lastTransitionTime":"2026-03-25T14:26:40Z","reason":"Pending","message":"Waiting for load balancer to be active."}],"listeners":[{"name":"http","supportedKinds":[{"group":"gateway.networking.k8s.io","kind":"HTTPRoute"}],"attachedRoutes":0,"conditions":[{"type":"Conflicted","status":"True","observedGeneration":1,"lastTransitionTime":"2026-03-25T14:26:40Z","reason":"NoConflicts","message":"Listener has no conflict."},{"type":"Accepted","status":"True","observedGeneration":1,"lastTransitionTime":"2026-03-25T14:26:40Z","reason":"Accepted","message":"Listener is accepted."},{"type":"ResolvedRefs","status":"True","observedGeneration":1,"lastTransitionTime":"2026-03-25T14:26:40Z","reason":"ResolvedRefs","message":"Listener has all refs resolved."},{"type":"Programmed","status":"False","observedGeneration":1,"lastTransitionTime":"2026-03-25T14:26:40Z","reason":"Pending","message":"Listener is pending to be programmed."}]}]}}}
{"level":"info","ts":"2026-03-25T14:26:40Z","logger":"controllers.gateway.k8s.aws/alb","msg":"Auto Create SG","LB SGs":[{"$ref":"#/resources/AWS::EC2::SecurityGroup/ManagedLBSecurityGroup/status/groupID"},"sg-0483ce2ef76d4a2dc"],"backend SG":"sg-0483ce2ef76d4a2dc"}
{"level":"info","ts":"2026-03-25T14:26:40Z","logger":"controllers.gateway.k8s.aws/alb","msg":"successfully built model","model":"{\"id\":\"default/alb-http\",\"resources\":{\"AWS::EC2::SecurityGroup\":{\"ManagedLBSecurityGroup\":{\"spec\":{\"groupName\":\"k8s-default-albhttp-402c89dc74\",\"description\":\"[k8s] Managed SecurityGroup for LoadBalancer\",\"ingress\":[{\"ipProtocol\":\"tcp\",\"fromPort\":80,\"toPort\":80,\"ipRanges\":[{\"cidrIP\":\"0.0.0.0/0\"}]}]}}},\"AWS::ElasticLoadBalancingV2::LoadBalancer\":{\"LoadBalancer\":{\"spec\":{\"name\":\"k8s-default-albhttp-bc3439871e\",\"type\":\"application\",\"scheme\":\"internet-facing\",\"ipAddressType\":\"ipv4\",\"subnetMapping\":[{\"subnetID\":\"subnet-068b3b8d6bbcb22c7\"},{\"subnetID\":\"subnet-070926d7fca763aed\"},{\"subnetID\":\"subnet-0b8cdb569550ef75c\"}],\"securityGroups\":[{\"$ref\":\"#/resources/AWS::EC2::SecurityGroup/ManagedLBSecurityGroup/status/groupID\"},\"sg-0483ce2ef76d4a2dc\"]}}},\"FrontendNLBTargetGroup\":{\"FrontendNLBTargetGroup\":{\"TargetGroups\":{}}}}}"}
{"level":"error","ts":"2026-03-25T14:26:40Z","logger":"controllers.gateway.k8s.aws/alb","msg":"Failed to process gateway update","gw":{"name":"alb-http","namespace":"default"},"error":"requeue needed after 2m0s: monitor provisioning state for load balancer: k8s-default-albhttp-bc3439871e"}
{"level":"info","ts":"2026-03-25T14:28:40Z","logger":"controllers.gateway.k8s.aws/alb","msg":"Got request for reconcile","gw":{"kind":"Gateway","apiVersion":"gateway.networking.k8s.io/v1","metadata":{"name":"alb-http","namespace":"default","uid":"2edb037a-ea9b-47cc-bb03-8a2c4de0f4b2","resourceVersion":"44978","generation":1,"creationTimestamp":"2026-03-25T14:26:36Z","annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"gateway.networking.k8s.io/v1\",\"kind\":\"Gateway\",\"metadata\":{\"annotations\":{},\"name\":\"alb-http\",\"namespace\":\"default\"},\"spec\":{\"gatewayClassName\":\"aws-alb\",\"listeners\":[{\"name\":\"http\",\"port\":80,\"protocol\":\"HTTP\"}]}}\n"},"finalizers":["gateway.k8s.aws/alb"],"managedFields":[{"manager":"kubectl-client-side-apply","operation":"Update","apiVersion":"gateway.networking.k8s.io/v1","time":"2026-03-25T14:26:36Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:kubectl.kubernetes.io/last-applied-configuration":{}}},"f:spec":{".":{},"f:gatewayClassName":{},"f:listeners":{".":{},"k:{\"name\":\"http\"}":{".":{},"f:allowedRoutes":{".":{},"f:namespaces":{".":{},"f:from":{}}},"f:name":{},"f:port":{},"f:protocol":{}}}}}},{"manager":"controller","operation":"Update","apiVersion":"gateway.networking.k8s.io/v1","time":"2026-03-25T14:26:37Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:finalizers":{".":{},"v:\"gateway.k8s.aws/alb\"":{}}}}},{"manager":"controller","operation":"Update","apiVersion":"gateway.networking.k8s.io/v1","time":"2026-03-25T14:26:40Z","fieldsType":"FieldsV1","fieldsV1":{"f:status":{"f:addresses":{},"f:conditions":{"k:{\"type\":\"Accepted\"}":{"f:lastTransitionTime":{},"f:message":{},"f:observedGeneration":{},"f:reason":{},"f:status":{}},"k:{\"type\":\"Programmed\"}":{"f:lastTransitionTime":{},"f:message":{},"f:observedGeneration":{}}},"f:listeners":{".":{},"k:{\"name\":\"http\"}":{".":{},"f:attachedRoutes":{},"f:conditions":{".":{},"k:{\"type\":\"Accepted\"}":{".":{},"f:lastTransitionTime":{},"f:message":{},"f:observedGeneration":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Conflicted\"}":{".":{},"f:lastTransitionTime":{},"f:message":{},"f:observedGeneration":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Programmed\"}":{".":{},"f:lastTransitionTime":{},"f:message":{},"f:observedGeneration":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"ResolvedRefs\"}":{".":{},"f:lastTransitionTime":{},"f:message":{},"f:observedGeneration":{},"f:reason":{},"f:status":{},"f:type":{}}},"f:name":{},"f:supportedKinds":{}}}}},"subresource":"status"}]},"spec":{"gatewayClassName":"aws-alb","listeners":[{"name":"http","port":80,"protocol":"HTTP","allowedRoutes":{"namespaces":{"from":"Same"}}}]},"status":{"addresses":[{"type":"Hostname","value":"k8s-default-albhttp-bc3439871e-332515140.ap-northeast-2.elb.amazonaws.com"}],"conditions":[{"type":"Accepted","status":"True","observedGeneration":1,"lastTransitionTime":"2026-03-25T14:26:40Z","reason":"Accepted","message":""},{"type":"Programmed","status":"Unknown","observedGeneration":1,"lastTransitionTime":"2026-03-25T14:26:40Z","reason":"Pending","message":"Waiting for load balancer to be active."}],"listeners":[{"name":"http","supportedKinds":[{"group":"gateway.networking.k8s.io","kind":"HTTPRoute"}],"attachedRoutes":0,"conditions":[{"type":"Conflicted","status":"True","observedGeneration":1,"lastTransitionTime":"2026-03-25T14:26:40Z","reason":"NoConflicts","message":"Listener has no conflict."},{"type":"Accepted","status":"True","observedGeneration":1,"lastTransitionTime":"2026-03-25T14:26:40Z","reason":"Accepted","message":"Listener is accepted."},{"type":"ResolvedRefs","status":"True","observedGeneration":1,"lastTransitionTime":"2026-03-25T14:26:40Z","reason":"ResolvedRefs","message":"Listener has all refs resolved."},{"type":"Programmed","status":"False","observedGeneration":1,"lastTransitionTime":"2026-03-25T14:26:40Z","reason":"Pending","message":"Listener is pending to be programmed."}]}]}}}
{"level":"info","ts":"2026-03-25T14:28:40Z","logger":"controllers.gateway.k8s.aws/alb","msg":"Auto Create SG","LB SGs":[{"$ref":"#/resources/AWS::EC2::SecurityGroup/ManagedLBSecurityGroup/status/groupID"},"sg-0483ce2ef76d4a2dc"],"backend SG":"sg-0483ce2ef76d4a2dc"}
{"level":"info","ts":"2026-03-25T14:28:40Z","logger":"controllers.gateway.k8s.aws/alb","msg":"successfully built model","model":"{\"id\":\"default/alb-http\",\"resources\":{\"AWS::EC2::SecurityGroup\":{\"ManagedLBSecurityGroup\":{\"spec\":{\"groupName\":\"k8s-default-albhttp-402c89dc74\",\"description\":\"[k8s] Managed SecurityGroup for LoadBalancer\",\"ingress\":[{\"ipProtocol\":\"tcp\",\"fromPort\":80,\"toPort\":80,\"ipRanges\":[{\"cidrIP\":\"0.0.0.0/0\"}]}]}}},\"AWS::ElasticLoadBalancingV2::LoadBalancer\":{\"LoadBalancer\":{\"spec\":{\"name\":\"k8s-default-albhttp-bc3439871e\",\"type\":\"application\",\"scheme\":\"internet-facing\",\"ipAddressType\":\"ipv4\",\"subnetMapping\":[{\"subnetID\":\"subnet-068b3b8d6bbcb22c7\"},{\"subnetID\":\"subnet-070926d7fca763aed\"},{\"subnetID\":\"subnet-0b8cdb569550ef75c\"}],\"securityGroups\":[{\"$ref\":\"#/resources/AWS::EC2::SecurityGroup/ManagedLBSecurityGroup/status/groupID\"},\"sg-0483ce2ef76d4a2dc\"]}}},\"FrontendNLBTargetGroup\":{\"FrontendNLBTargetGroup\":{\"TargetGroups\":{}}}}}"}
{"level":"info","ts":"2026-03-25T14:28:40Z","logger":"controllers.gateway.k8s.aws/alb","msg":"successfully deployed model","gateway":{"name":"alb-http","namespace":"default"}}
{"level":"info","ts":"2026-03-25T14:28:40Z","logger":"controllers.gateway.k8s.aws/alb","msg":"Got request for reconcile","gw":{"kind":"Gateway","apiVersion":"gateway.networking.k8s.io/v1","metadata":{"name":"alb-http","namespace":"default","uid":"2edb037a-ea9b-47cc-bb03-8a2c4de0f4b2","resourceVersion":"45385","generation":1,"creationTimestamp":"2026-03-25T14:26:36Z","annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"gateway.networking.k8s.io/v1\",\"kind\":\"Gateway\",\"metadata\":{\"annotations\":{},\"name\":\"alb-http\",\"namespace\":\"default\"},\"spec\":{\"gatewayClassName\":\"aws-alb\",\"listeners\":[{\"name\":\"http\",\"port\":80,\"protocol\":\"HTTP\"}]}}\n"},"finalizers":["gateway.k8s.aws/alb"],"managedFields":[{"manager":"kubectl-client-side-apply","operation":"Update","apiVersion":"gateway.networking.k8s.io/v1","time":"2026-03-25T14:26:36Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:kubectl.kubernetes.io/last-applied-configuration":{}}},"f:spec":{".":{},"f:gatewayClassName":{},"f:listeners":{".":{},"k:{\"name\":\"http\"}":{".":{},"f:allowedRoutes":{".":{},"f:namespaces":{".":{},"f:from":{}}},"f:name":{},"f:port":{},"f:protocol":{}}}}}},{"manager":"controller","operation":"Update","apiVersion":"gateway.networking.k8s.io/v1","time":"2026-03-25T14:26:37Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:finalizers":{".":{},"v:\"gateway.k8s.aws/alb\"":{}}}}},{"manager":"controller","operation":"Update","apiVersion":"gateway.networking.k8s.io/v1","time":"2026-03-25T14:28:40Z","fieldsType":"FieldsV1","fieldsV1":{"f:status":{"f:addresses":{},"f:conditions":{"k:{\"type\":\"Accepted\"}":{"f:lastTransitionTime":{},"f:message":{},"f:observedGeneration":{},"f:reason":{},"f:status":{}},"k:{\"type\":\"Programmed\"}":{"f:lastTransitionTime":{},"f:message":{},"f:observedGeneration":{},"f:reason":{},"f:status":{}}},"f:listeners":{".":{},"k:{\"name\":\"http\"}":{".":{},"f:attachedRoutes":{},"f:conditions":{".":{},"k:{\"type\":\"Accepted\"}":{".":{},"f:lastTransitionTime":{},"f:message":{},"f:observedGeneration":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Conflicted\"}":{".":{},"f:lastTransitionTime":{},"f:message":{},"f:observedGeneration":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Programmed\"}":{".":{},"f:lastTransitionTime":{},"f:message":{},"f:observedGeneration":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"ResolvedRefs\"}":{".":{},"f:lastTransitionTime":{},"f:message":{},"f:observedGeneration":{},"f:reason":{},"f:status":{},"f:type":{}}},"f:name":{},"f:supportedKinds":{}}}}},"subresource":"status"}]},"spec":{"gatewayClassName":"aws-alb","listeners":[{"name":"http","port":80,"protocol":"HTTP","allowedRoutes":{"namespaces":{"from":"Same"}}}]},"status":{"addresses":[{"type":"Hostname","value":"k8s-default-albhttp-bc3439871e-332515140.ap-northeast-2.elb.amazonaws.com"}],"conditions":[{"type":"Accepted","status":"True","observedGeneration":1,"lastTransitionTime":"2026-03-25T14:26:40Z","reason":"Accepted","message":""},{"type":"Programmed","status":"True","observedGeneration":1,"lastTransitionTime":"2026-03-25T14:28:40Z","reason":"Programmed","message":"arn:aws:elasticloadbalancing:ap-northeast-2:143649248460:loadbalancer/app/k8s-default-albhttp-bc3439871e/d0665c603e6ccfa3"}],"listeners":[{"name":"http","supportedKinds":[{"group":"gateway.networking.k8s.io","kind":"HTTPRoute"}],"attachedRoutes":0,"conditions":[{"type":"Accepted","status":"True","observedGeneration":1,"lastTransitionTime":"2026-03-25T14:28:40Z","reason":"Accepted","message":"Listener is accepted."},{"type":"Conflicted","status":"True","observedGeneration":1,"lastTransitionTime":"2026-03-25T14:28:40Z","reason":"NoConflicts","message":"Listener has no conflict."},{"type":"Programmed","status":"True","observedGeneration":1,"lastTransitionTime":"2026-03-25T14:28:40Z","reason":"Programmed","message":"Listener is programmed."},{"type":"ResolvedRefs","status":"True","observedGeneration":1,"lastTransitionTime":"2026-03-25T14:28:40Z","reason":"ResolvedRefs","message":"Listener has all refs resolved."}]}]}}}
{"level":"info","ts":"2026-03-25T14:28:40Z","logger":"controllers.gateway.k8s.aws/alb","msg":"Auto Create SG","LB SGs":[{"$ref":"#/resources/AWS::EC2::SecurityGroup/ManagedLBSecurityGroup/status/groupID"},"sg-0483ce2ef76d4a2dc"],"backend SG":"sg-0483ce2ef76d4a2dc"}
{"level":"info","ts":"2026-03-25T14:28:40Z","logger":"controllers.gateway.k8s.aws/alb","msg":"successfully built model","model":"{\"id\":\"default/alb-http\",\"resources\":{\"AWS::EC2::SecurityGroup\":{\"ManagedLBSecurityGroup\":{\"spec\":{\"groupName\":\"k8s-default-albhttp-402c89dc74\",\"description\":\"[k8s] Managed SecurityGroup for LoadBalancer\",\"ingress\":[{\"ipProtocol\":\"tcp\",\"fromPort\":80,\"toPort\":80,\"ipRanges\":[{\"cidrIP\":\"0.0.0.0/0\"}]}]}}},\"AWS::ElasticLoadBalancingV2::LoadBalancer\":{\"LoadBalancer\":{\"spec\":{\"name\":\"k8s-default-albhttp-bc3439871e\",\"type\":\"application\",\"scheme\":\"internet-facing\",\"ipAddressType\":\"ipv4\",\"subnetMapping\":[{\"subnetID\":\"subnet-068b3b8d6bbcb22c7\"},{\"subnetID\":\"subnet-070926d7fca763aed\"},{\"subnetID\":\"subnet-0b8cdb569550ef75c\"}],\"securityGroups\":[{\"$ref\":\"#/resources/AWS::EC2::SecurityGroup/ManagedLBSecurityGroup/status/groupID\"},\"sg-0483ce2ef76d4a2dc\"]}}},\"FrontendNLBTargetGroup\":{\"FrontendNLBTargetGroup\":{\"TargetGroups\":{}}}}}"}
{"level":"info","ts":"2026-03-25T14:28:41Z","logger":"controllers.gateway.k8s.aws/alb","msg":"successfully deployed model","gateway":{"name":"alb-http","namespace":"default"}}
샘플 애플리케이션 배포
# 게임 파드와 Service 배포
2w git:(main*) $
cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
name: deployment-2048
spec:
selector:
matchLabels:
app.kubernetes.io/name: app-2048
replicas: 2
template:
metadata:
labels:
app.kubernetes.io/name: app-2048
spec:
containers:
- image: public.ecr.aws/l6m2t8p7/docker-2048:latest
imagePullPolicy: Always
name: app-2048
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: service-2048
spec:
ports:
- port: 80
targetPort: 80
protocol: TCP
type: ClusterIP
selector:
app.kubernetes.io/name: app-2048
EOF
deployment.apps/deployment-2048 created
service/service-2048 created
# 모니터링 확인
2w git:(main*) $ watch -d kubectl get pod,ingress,svc,ep,endpointslices
NAME READY STATUS RESTARTS AGE
pod/deployment-2048-7bf64bccb7-7mpj9 1/1 Running 0 25s
pod/deployment-2048-7bf64bccb7-z27f4 1/1 Running 0 25s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.100.0.1 <none> 443/TCP 3h53m
service/service-2048 ClusterIP 10.100.103.12 <none> 80/TCP 25s
NAME ENDPOINTS AGE
endpoints/kubernetes 192.168.0.98:443,192.168.9.3:443 3h53m
endpoints/service-2048 192.168.2.104:80,192.168.6.142:80 25s
NAME ADDRESSTYPE PORTS ENDPOINTS AGE
endpointslice.discovery.k8s.io/kubernetes IPv4 443 192.168.0.98,192.168.9.3 3h53m
endpointslice.discovery.k8s.io/service-2048-ldmwj IPv4 80 192.168.2.104,192.168.6.142 25s
# TargetGroupConfiguration 생성
kubectl explain httproutes.gateway.k8s.aws.spec
kubectl explain targetgroupconfigurations.gateway.k8s.aws.spec.defaultConfiguration
2w git:(main*) $ cat << EOF | kubectl apply -f -
apiVersion: gateway.k8s.aws/v1beta1
kind: TargetGroupConfiguration
metadata:
name: backend-tg-config
spec:
targetReference:
name: service-2048
defaultConfiguration:
targetType: ip
protocol: HTTP
EOF
targetgroupconfiguration.gateway.k8s.aws/backend-tg-config created
# 확인
2w git:(main*) $ kubectl get targetgroupconfigurations -owide
NAME SERVICE-NAME AGE
backend-tg-config service-2048 10s
httproute
# 서비스 도메인명 변수 지정
GWMYDOMAIN=<각자 자신의 도메인명>
GWMYDOMAIN=gwapi.test.com
# httproute 생성
kubectl explain httproutes.spec
kubectl explain httproutes.spec.parentRefs
kubectl explain httproutes.spec.hostnames
kubectl explain httproutes.spec.rules
2w git:(main*) $ cat << EOF | kubectl apply -f -
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: alb-http-route
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: alb-http
sectionName: http
hostnames:
- $GWMYDOMAIN
rules:
- backendRefs:
- name: service-2048
port: 80
EOF
httproute.gateway.networking.k8s.io/alb-http-route created
# 확인
2w git:(main*) $ kubectl get httproute
NAME HOSTNAMES AGE
alb-http-route ["gwapi.test.com"] 17s
# ALB 확인
aws elbv2 describe-load-balancers | jq
aws elbv2 describe-target-groups | jq
접속 테스트
# 확인
2w git:(main*) $ dig +short $GWMYDOMAIN @8.8.8.8
15.165.83.216
43.200.27.150
3.36.182.212
2w git:(main*) $ dig +short $GWMYDOMAIN
15.165.83.216
3.36.182.212
43.200.27.150
# 도메인 체크
echo -e "My Domain Checker Site1 = https://www.whatsmydns.net/#A/$GWMYDOMAIN"
echo -e "My Domain Checker Site2 = https://dnschecker.org/#A/$GWMYDOMAIN"
# 웹 접속 주소 확인 및 접속
echo -e "GW Api Sample URL = http://$GWMYDOMAIN"
