2026-05-21

Kubernetes In Anger

NOTE: Any discussions can be had on Lobsters

0. Quick start (emergency edition)

Is this the right guide?

YES, if:

• You’re debugging a live EKS production issue
• You need to upgrade/change EKS safely
• You want to prevent common EKS outages
• You’re oncall for EKS workloads

NO, if:

• You’re learning Kubernetes basics (try the official tutorials first)
• You need EKS setup instructions (use AWS documentation)
• You want comprehensive Kubernetes reference (use kubernetes.io)

Emergency shortcuts

Cluster is on fire right now? → Jump to Section 2.10 Tier-0 Incident Playbook

Need to upgrade safely? → Jump to Section 8 Upgrades and maintenance

Investigating an incident? → Start with Section 1.2 Quick Cluster Health Snapshot

Prerequisites

This guide assumes you know:

• Basic kubectl commands (get, describe, logs)
• AWS CLI basics
• What pods, services, and deployments are
• How to read YAML manifests

What makes EKS different

EKS is not “just Kubernetes”. Key differences that affect reliability:

• Pods get real VPC IPs (AWS VPC CNI)
• AWS services become dependencies (NAT, NLB, EBS)
• Node limits are AWS EC2 limits
• Networking failures look like application failures
• Upgrades affect multiple AWS components

Introduction

On running infrastructure

There’s a common way of thinking about Kubernetes that goes something like this: you declare what you want, the system converges toward it, and your job is mostly done. Write the YAML, apply it, the scheduler places your pods, the controllers reconcile state, and everything just works.

This is roughly true until it isn’t.

The thing about Kubernetes — and EKS specifically — is that it doesn’t fail like a monolith fails. A monolith crashes and you know it. EKS degrades. DNS gets slow. A node hits a network limit you didn’t know existed. Pods keep running but their connections reset every 6 minutes. The dashboard is green. Customers are complaining. You’re staring at healthy pods wondering what’s wrong with your application, when the real problem is three layers down in a conntrack table or a subnet that ran out of IPs.

Most other platforms fail at the boundary between your code and the infrastructure. EKS fails inside the infrastructure, in ways that look like your code is broken. This is the fundamental debugging challenge: the symptom is always “the app is slow” or “requests are failing”, and the cause is somewhere in a stack of networking, scheduling, storage, and AWS service interactions that your application has no visibility into.

This matters because the instinct — “my app is returning 5xx, let me look at my app” — is wrong most of the time in EKS. The 5xx is real. But the fix is often in a probe configuration, a security group limit, a DNS resolver being overwhelmed, or a node that silently filled its conntrack table.

The two jobs

If you run EKS in production, you have two jobs:

The first is building workloads that survive the platform misbehaving. Probes that don’t cascade. Graceful shutdowns that actually drain. Pod distributions that tolerate losing a node or an AZ without paging anyone. This is the preventive work — the engineering equivalent of washing your hands.

The second is diagnosing live systems when things go wrong anyway. Connecting to a cluster that’s on fire, figuring out what’s actually broken vs what’s just symptomatic, collecting evidence before it disappears, and fixing the right thing without making the incident worse. This is the equivalent of surgery — you’re operating on a patient that’s still awake and serving traffic.

Both matter. Most guides only cover the first one.

This guide is about both. It’s a collection of patterns, failure modes, and diagnostic workflows that came from running EKS in production — the things that caused real incidents, the things that made debugging take hours instead of minutes, and the guardrails that prevented repeat occurrences.

Who is this for?

This guide is not for beginners. There’s a gap between knowing Kubernetes concepts (pods, deployments, services, kubectl) and actually being able to keep an EKS cluster healthy in production. There’s a fumbling phase where you’ve read the docs, passed the certification maybe, deployed some workloads — and then something breaks at 2am and you realize you don’t know where to look or what’s safe to touch.

This assumes you know the basics. It does not assume you know how to debug a cluster that’s misbehaving, how EKS-specific failure modes differ from generic Kubernetes ones, or what the safe sequence of actions is when you’re staring at a production incident.

What you won’t find here: how to set up EKS, what a pod is, or how to write a Deployment manifest. What you will find: what to do when pods are Pending and you don’t know why, how to tell if DNS is the problem or just a symptom, why your NLB keeps resetting connections, and how to collect evidence before the cluster auto-heals and destroys your ability to do an RCA.

How to read this guide

The guide is organized by domain — networking, storage, security, observability, scaling, upgrades, and so on. Each section mixes both jobs: how to build it right, and how to debug it when it breaks. You’ll find design patterns and diagnostic runbooks side by side, because in practice you need both at the same time.

You can read it front-to-back if you’re setting up a new cluster or onboarding to an existing one. Or you can jump to the relevant section when something breaks — each one is self-contained enough to be useful on its own.

If the cluster is on fire right now, start at Section 1. It gives you a triage sequence to identify the failure domain in under 2 minutes.

1. How to dive into an EKS cluster

When production is broken the first job is to mitigate — stop the bleeding, restore service, reduce blast radius. But you can’t mitigate effectively if you don’t know what’s broken. Rollback the wrong thing and you’ve wasted 10 minutes. Upsize the wrong component and nothing changes.

So the actual first job is: figure out where the problem is, fast enough that you can pick the right mitigation within 2 minutes. Not root cause — just failure domain:

• One pod?
• One deployment / namespace?
• One node group / AZ?
• The entire cluster?
• AWS integration (CNI / LB / EBS)?
• An upstream dependency (RDS, Redis, external APIs)?

Once you know the failure domain, you mitigate (rollback, drain, upsize, block). Root cause comes after the incident is contained.

What follows is a reliable entry sequence to get that signal fast, without guessing.

1.1 Establish Context (don’t debug the wrong cluster)

Before anything else, confirm you’re looking at the right cluster and identity.

Commands

kubectl config current-context
kubectl cluster-info
aws sts get-caller-identity

What you’re checking

• You’re in the correct kubecontext (prod vs staging mistakes happen)
• You have valid AWS credentials
• The API server is reachable at all

If kubectl cluster-info is slow or timing out, that’s already a strong signal:

• API server under load
• auth problems
• network path issues from your machine (VPN / corp DNS / proxy)

1.2 Quick Cluster Health Snapshot (30 seconds)

This is the fastest “is the cluster sick?” view.

Commands

kubectl get nodes -o wide
kubectl get pods -A --field-selector=status.phase!=Running
kubectl get events -A --sort-by=.lastTimestamp | tail -n 50

What you’re checking

• Any nodes NotReady
• Any pods stuck in Pending, CrashLoopBackOff, ImagePullBackOff
• Events that scream the root cause:
  • FailedScheduling
  • FailedMount
  • Unhealthy (probe failures)
  • Back-off restarting failed container
  • FailedCreatePodSandBox (CNI problems)

This is where you decide:

• workload issue vs node issue vs cluster-wide issue

1.3 Confirm EKS System Components (the “platform basics”)

If system components are down, application debugging is mostly pointless.

Commands

kubectl get pods -n kube-system -o wide
kubectl get ds -n kube-system
kubectl get deploy -n kube-system

Focus on these in EKS

• coredns (cluster DNS)
• aws-node (AWS VPC CNI)
• kube-proxy (unless you’re on eBPF dataplane)
• ebs-csi-node / ebs-csi-controller (if you use EBS CSI)
• metrics-server (if HPA depends on it)

Red flags

• CoreDNS pods not ready → widespread service discovery failures
• aws-node not ready → pods can’t get IPs / networking breaks
• EBS CSI issues → StatefulSets fail to mount volumes

1.4 Decide: Is this a “Scheduling” Problem?

If pods are Pending, do this immediately.

Commands

kubectl get pods -A | grep -E "Pending|ContainerCreating"
kubectl describe pod -n <ns> <pod>

What you’re looking for in describe

• FailedScheduling
  • insufficient CPU/memory
  • taints not tolerated
  • affinity rules too strict
  • topology spread constraints blocking placement
• Insufficient pods / Too many pods
  • node has hit max pod density (ENI/IP limits)
• node(s) had volume node affinity conflict
  • common with EBS + AZ mismatch

If scheduling fails, do not restart the deployment blindly. It won’t help.

1.5 Decide: Is this a “Node” Problem?

If nodes are NotReady or workloads are failing on specific nodes, zoom in.

Commands

kubectl describe node <node-name>
kubectl top nodes
kubectl get pods -A -o wide | grep <node-name>

What to check on the node

• Conditions: MemoryPressure / DiskPressure / PIDPressure
• Allocatable vs Allocated resources
• Events mentioning:
  • kubelet issues
  • container runtime issues
  • frequent reboots
  • network plugin failures

In EKS, node failures often correlate with:

• EBS issues
• CNI/IP exhaustion
• disk full (especially on small root volumes)
• aggressive DaemonSets consuming resources

1.6 Decide: Is this a “Network / CNI” Problem?

EKS networking failures are often AWS VPC CNI related.

Symptoms

• Pods stuck at ContainerCreating
• FailedCreatePodSandBox
• random cross-service timeouts
• sudden increase in Pending pods (no IPs)

Commands

kubectl -n kube-system logs -l k8s-app=aws-node --tail=100
kubectl -n kube-system describe ds aws-node

Also check pod density

kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.allocatable.pods}{"\n"}{end}'

If you’re hitting pod density/IP limits:

• scaling nodes may help
• but the real fix is often prefix delegation / node type sizing / ENI planning

1.7 Decide: Is this a “DNS / CoreDNS” Problem?

DNS issues can look like “application is broken”.

Symptoms

• timeouts to internal services
• failures resolving service names
• sudden spike in retries / connection errors

Commands

kubectl -n kube-system get pods -l k8s-app=kube-dns -o wide
kubectl -n kube-system logs -l k8s-app=kube-dns --tail=200

If CoreDNS is unhealthy:

• don’t waste time debugging app-level service discovery logic
• fix CoreDNS capacity / upstream resolver / node networking first

1.8 Decide: Is this a “Storage / EBS CSI” Problem?

Stateful workloads fail differently.

Symptoms

• pods stuck in ContainerCreating
• FailedMount
• volumes not attaching

Commands

kubectl describe pod -n <ns> <pod>
kubectl get pvc -A
kubectl -n kube-system get pods | grep ebs
kubectl -n kube-system logs deploy/ebs-csi-controller --tail=200

What you’re looking for

• volume attachment timeouts
• AZ mismatch
• stuck PV/PVC lifecycle
• CSI controller/node not healthy

1.9 Find the “Blast Radius” (what is actually impacted)

Before you attempt changes, quantify impact.

Commands

kubectl get pods -A | wc -l
kubectl get pods -A --field-selector=status.phase!=Running | head -n 50
kubectl get nodes | grep -v Ready

Interpretation

• If only one namespace is impacted → likely app or namespace-level dependency
• If one node group/AZ is impacted → capacity, subnet, EBS/AZ, or rollout targeting issue
• If kube-system is unhealthy → platform issue, stop chasing app symptoms

1.10 Evidence Collection (before you change anything)

Kubernetes evidence disappears fast (pods restart, nodes recycle, events roll over).

Capture minimal evidence first.

Commands

kubectl get events -A --sort-by=.lastTimestamp | tail -n 200 > events.txt
kubectl get nodes -o wide > nodes.txt
kubectl get pods -A -o wide > pods.txt

If it’s a single workload incident:

kubectl describe pod -n <ns> <pod> > pod.describe.txt
kubectl logs -n <ns> <pod> --previous > pod.prev.log.txt

This makes the RCA possible later, without relying on memory and guesswork.

1.11 Node-Specific Failures (Conntrack, Sysctls, and Kubelet Settings)

Some of the nastiest EKS incidents are node-local. The cluster looks “fine”, pods are “Running”, but traffic becomes unreliable, latency spikes, or connections fail randomly.

These issues often come from:

• conntrack exhaustion
• ephemeral port exhaustion
• kernel / sysctl defaults not sized for your traffic
• kubelet behaviour under pressure
• bad QoS due to incorrect requests/limits

1.11.1 Conntrack Exhaustion (classic “random networking failures”)

What it looks like

• intermittent timeouts to upstream services
• random 5xx at ingress / Envoy / Nginx
• “connection reset”, “i/o timeout”, “no route to host” type errors
• affects specific nodes more than others
• spikes during traffic bursts or connection-heavy workloads

Why it happens Linux conntrack tracks NAT and connection state. On busy nodes (especially with L7 proxies, service meshes, high churn, short-lived connections), conntrack tables fill up and the kernel starts dropping new connections.

Quick checks (from Kubernetes side)

1. Identify if failures correlate to a node:

kubectl get pods -A -o wide | grep <node-name>
kubectl describe node <node-name>

1. Check node-level kernel counters (best effort) If you have node access (SSM/SSH):

sudo sysctl net.netfilter.nf_conntrack_count
sudo sysctl net.netfilter.nf_conntrack_max
dmesg | egrep -i "conntrack|nf_conntrack"

Strong indicators

• nf_conntrack_count close to nf_conntrack_max
• kernel logs mentioning conntrack table full / dropped packets

Fix patterns

• Increase conntrack max (sysctl)
• Reduce connection churn (keep-alives, pooling)
• Spread load (more nodes / better pod distribution)
• Ensure nodes aren’t overloaded with too many L7-heavy pods

1.11.2 Ephemeral Port Exhaustion (the sneaky cousin)

What it looks like

• outbound calls failing from a node under burst load
• retries make it worse
• symptoms disappear when traffic drops

Quick checks On node:

cat /proc/sys/net/ipv4/ip_local_port_range
ss -s
ss -ant state time-wait | wc -l

Fix patterns

• widen ephemeral port range
• reduce TIME_WAIT pressure (carefully)
• enable connection reuse/keepalive at clients and proxies

1.12 Evidence Collection Automation

When production is broken, evidence disappears fast. Capture it first, debug second.

Quick evidence collection script

#!/bin/bash
# Save as: collect-evidence.sh
TIMESTAMP=$(date +%Y%m%d-%H%M%S)
EVIDENCE_DIR="evidence-${TIMESTAMP}"
mkdir -p "$EVIDENCE_DIR"

echo "Collecting evidence to $EVIDENCE_DIR..."

# Cluster overview
kubectl get nodes -o wide > "$EVIDENCE_DIR/nodes.txt"
kubectl get pods -A -o wide > "$EVIDENCE_DIR/pods-all.txt"
kubectl get events -A --sort-by=.lastTimestamp > "$EVIDENCE_DIR/events-all.txt"

# Tier-0 components
kubectl -n kube-system get pods -o wide > "$EVIDENCE_DIR/kube-system-pods.txt"
kubectl -n kube-system describe pods > "$EVIDENCE_DIR/kube-system-describe.txt"

# Recent events (last 200)
kubectl get events -A --sort-by=.lastTimestamp | tail -n 200 > "$EVIDENCE_DIR/events-recent.txt"

# Unhealthy pods
kubectl get pods -A --field-selector=status.phase!=Running > "$EVIDENCE_DIR/unhealthy-pods.txt"

# Node conditions
kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.conditions[?(@.type=="Ready")].status}{"\t"}{.status.conditions[?(@.type=="MemoryPressure")].status}{"\t"}{.status.conditions[?(@.type=="DiskPressure")].status}{"\n"}{end}' > "$EVIDENCE_DIR/node-conditions.txt"

echo "Evidence collected in $EVIDENCE_DIR"
echo "Attach this directory to your incident ticket"

What to capture for specific failure types

DNS/CoreDNS issues

kubectl -n kube-system logs -l k8s-app=kube-dns --tail=500 > coredns-logs.txt
kubectl -n kube-system get pods -l k8s-app=kube-dns -o yaml > coredns-pods.yaml

CNI/Networking issues

kubectl -n kube-system logs -l k8s-app=aws-node --tail=500 > aws-node-logs.txt
kubectl get pods -A -o wide | grep -E "ContainerCreating|Pending" > stuck-pods.txt

Node-specific issues

# Replace NODE_NAME with actual node
kubectl describe node NODE_NAME > node-describe.txt
kubectl get pods -A -o wide | grep NODE_NAME > node-pods.txt

1.13 Common False Positives

These look like EKS issues but usually aren’t:

“Kubernetes is slow” (but it’s not)

Symptoms:

• kubectl commands are slow
• Deployments take forever
• “Everything is sluggish”

Usually actually:

• Your laptop’s VPN/network to cluster
• AWS API throttling (too many concurrent kubectl users)
• Your kubeconfig pointing to wrong cluster/region

Quick check:

time kubectl get nodes
# Should complete in <2 seconds for healthy cluster

“Pods keep restarting” (but EKS is fine)

Symptoms:

• High restart count
• CrashLoopBackOff
• “Kubernetes keeps killing my app”

Usually actually:

• Application bugs (not Kubernetes bugs)
• Incorrect liveness probe configuration
• Resource limits too low (OOMKilled)
• Missing dependencies (DB, Redis, etc.)

Quick check:

kubectl describe pod POD_NAME
# Look at "Last State" and "Reason"
# OOMKilled = memory limit too low
# Error = application crash

“Service discovery is broken” (but DNS is fine)

Symptoms:

• Services can’t reach each other
• “Connection refused” errors
• “Name resolution failures”

Usually actually:

• Wrong service name/namespace in application config
• Application listening on wrong port
• Readiness probe failing (pod not ready to receive traffic)
• Network policies blocking traffic

Quick check:

# Test DNS resolution from inside a pod
kubectl exec -it POD_NAME -- nslookup SERVICE_NAME.NAMESPACE.svc.cluster.local
# Test if service endpoints exist
kubectl get endpoints SERVICE_NAME

What you should know by now

After running through the above, you should be able to answer these with evidence:

1. What is broken, and what is not?
   • One pod vs one workload vs one namespace vs one node group vs entire cluster
2. Where is the failure domain?
   • Workload-level (bad rollout, probe failures, config/secret issues)
   • Cluster-level (kube-system degradation, DNS, CNI, storage controller issues)
   • AWS integration layer (VPC CNI / ENI/IP limits, ALB/NLB behaviour, EBS attach/detach)
   • Node-level (resource pressure, kubelet instability, kernel/network issues)
3. What category does this incident fall into?
   • Scheduling/capacity (FailedScheduling, Pending pods)
   • Networking/CNI (pod sandbox failures, IP exhaustion, random timeouts)
   • DNS/CoreDNS (service discovery failures)
   • Storage/EBS CSI (FailedMount, volume attach issues)
   • Control plane/API issues (timeouts, throttling, admission webhook failures)
4. Is this node-specific “kernel pain” or cluster-wide?
   • Conntrack exhaustion / ephemeral port pressure
   • Mis-sized sysctls
   • Kubelet eviction behaviour under pressure
   • Incorrect QoS class due to bad requests/limits
5. What is the blast radius and what’s the next safe action?
   • Can you isolate by draining/cordoning nodes?
   • Should you pause a rollout?
   • Should you scale out node groups / reduce pressure?
   • Or do you need to stop and fix platform components first?
6. What evidence did you capture before making changes?
   • Events, node state, pod distribution, and logs that will make the RCA real (and not guesswork)

If you can’t answer these after Section 1, don’t start “random fixes”. You need more signal (metrics, kube-system logs, AWS-side telemetry) before touching production.

2. EKS Tier-0 components (what must stay healthy)

EKS gives you a managed control plane, but your workloads still depend on a small set of platform-critical components. If any of these degrade, the cluster looks partially alive while production is effectively down.

Below: what they do, how they fail, what you’ll see, and what to check first.

2.1 EKS Control Plane (Managed, but not magic)

What it includes

• Kubernetes API server
• etcd (managed)
• controller-manager (managed)
• scheduler (managed)

Common symptoms when control plane is unhealthy

• kubectl commands are slow / timing out
• deployments take forever to apply
• controllers lag (HPA doesn’t scale, pods don’t reschedule)
• random “context deadline exceeded” errors

First checks

kubectl get --raw='/readyz?verbose'
kubectl get --raw='/livez?verbose'
kubectl get events -A --sort-by=.lastTimestamp | tail -n 50

Pragmatic note Even if the control plane is “managed”, you still need:

• sane API usage (avoid thundering herds from controllers/tools)
• sane webhook behaviour (one broken webhook can block deployments)

2.2 CoreDNS (Cluster DNS)

Why it’s Tier-0 If DNS breaks, your apps don’t “partially degrade”. They fail in confusing ways:

• timeouts
• connection errors
• retries that amplify load

Symptoms

• services can’t resolve (*.svc.cluster.local)
• random failures between pods
• sudden spike in upstream request errors

First checks

kubectl -n kube-system get pods -l k8s-app=kube-dns -o wide
kubectl -n kube-system logs -l k8s-app=kube-dns --tail=200
kubectl -n kube-system describe deploy coredns

Common root causes

• CoreDNS under-provisioned (CPU/mem)
• upstream resolver issues
• network problems to kube-dns service IP
• node-local DNS/cache behaviour (if enabled)

2.3 AWS VPC CNI (aws-node) — Networking Foundation

Why it’s Tier-0 This is what gives pods IPs and makes pod networking real. If this is unhealthy, pods won’t start or won’t communicate reliably.

Symptoms

• pods stuck in ContainerCreating
• FailedCreatePodSandBox
• sudden surge of Pending pods due to no IPs
• node-specific network failures

First checks

kubectl -n kube-system get pods -l k8s-app=aws-node -o wide
kubectl -n kube-system logs -l k8s-app=aws-node --tail=200
kubectl -n kube-system describe ds aws-node

Typical EKS causes

• subnet IP exhaustion
• ENI limits / pod density limits
• prefix delegation mis-sizing
• conntrack pressure (often shows up as “network flaky”)

2.4 kube-proxy (Service Routing)

Why it’s Tier-0 Even if pods are healthy, service routing can break:

• ClusterIP routing issues
• weird partial connectivity problems

First checks

kubectl -n kube-system get pods -l k8s-app=kube-proxy -o wide
kubectl -n kube-system logs -l k8s-app=kube-proxy --tail=200

Pragmatic note If you’re using an eBPF dataplane instead of kube-proxy, document it explicitly. Debug steps change.

2.5 AWS Load Balancer Controller (ALB/NLB Integration)

Why it’s Tier-0 This is the bridge between Kubernetes ingress/service objects and AWS load balancers. If it breaks, external traffic fails even if the cluster is healthy.

Symptoms

• Ingress doesn’t provision
• Target groups empty / unhealthy
• external traffic 4xx/5xx
• “it works inside the cluster but not from the internet”

First checks

kubectl -n kube-system get deploy | grep -i load-balancer
kubectl -n kube-system logs deploy/aws-load-balancer-controller --tail=200
kubectl get ingress -A
kubectl describe ingress -n <ns> <name>

Common causes

• IAM permissions issues
• security group rules wrong
• subnet tagging wrong
• controller version mismatch during upgrades

2.5.1 NLB Idle Timeout + Keep-Alive (Silent Connection Kill)

When you use an AWS Network Load Balancer (NLB), remember this:

• NLB is L4, not L7.
• It does not create a separate application-layer connection like an ALB does.
• It tracks TCP/UDP flows internally so it can route packets correctly.
• If a connection is idle for ~350 seconds, NLB will forget it.
• After that, if the client or server tries to send more data on that “old” connection, the NLB can respond with a TCP RST.

What it looks like

• random connection reset by peer
• intermittent failures for long-lived but mostly-idle connections
• higher failure rates on low-traffic tenants or long polling style traffic
• hard-to-reproduce “only happens sometimes” reports

Why it happens Your application (or client) assumes the TCP connection is still valid because it was never explicitly closed. But the NLB has expired the idle flow state, so the next packet hits a dead path and gets reset.

Fix Enable TCP keep-alives so the connection never goes idle long enough to be forgotten.

You generally need:

• keep-alives enabled on the server listener socket
• keep-alives enabled on the client side too (if you control it)

Pragmatic guidance

• If you’re running connection-heavy services behind NLB (gRPC, streaming, long-lived HTTP/1.1 keep-alive, custom TCP protocols), treat keep-alive tuning as a production requirement, not an optimization.
• If you can’t control the client, you may need to:
  • reduce server-side idle timeouts
  • implement app-level heartbeats
  • or prefer ALB where L7 behaviour is needed

2.5.2 NAT Idle Timeout + Keep-Alive (Egress Connection Resets)

When workloads in EKS talk to services on the public internet, traffic often goes through a NAT device (commonly AWS NAT Gateway). NAT devices track connection state, and they will forget idle connections after a timeout.

For example, AWS NAT Gateway has an idle timeout of ~350 seconds. After that, the NAT forgets the flow. If the client or server tries to send traffic on that old connection, it can result in a TCP RST.

What it looks like

• random outbound connection reset by peer
• flaky third-party API calls (only under low traffic / idle periods)
• long-lived connections that “randomly die”
• retries sometimes help, sometimes amplify load

Why it happens Your application thinks it still has a valid TCP connection. The NAT has expired the mapping due to idleness. The next packet is treated as invalid state and gets reset.

Fix: enable TCP keep-alives

The simplest fix is to ensure connections don’t remain idle long enough to be forgotten.

Options

1. Enable TCP keep-alives in the application / proxy
   • If your proxy supports keepalive tuning, configure it.
   • Example: Envoy has TCP keepalive configuration support.
2. If the application/proxy doesn’t support it
   • Consider enabling it transparently using LD_PRELOAD
   • Tools like libsetsockopt can be used to apply setsockopt() defaults without changing application code

Pragmatic guidance

• Prefer fixing this at the proxy layer (Envoy / Nginx / HAProxy) where possible.
• If you use LD_PRELOAD, treat it as an engineering workaround:
  • document it
  • test it under load
  • make it part of your base image / runtime standard
  • expect debugging complexity later

Monitor it (otherwise you’ll rediscover it during incidents)

If you use AWS NAT Gateway, monitor the metric:

• IdleTimeoutCount

A rising IdleTimeoutCount is a strong indicator of:

• too many idle-but-long-lived connections
• missing keepalive settings
• workload patterns that need pooling / reuse / heartbeat

2.6 EBS CSI Driver (Stateful Workloads Depend on It)

Why it’s Tier-0 If you run StatefulSets with EBS, this is not optional.

Symptoms

• pods stuck in ContainerCreating
• volume attach/detach timeouts
• FailedMount events
• reschedules fail across AZs

First checks

kubectl -n kube-system get pods | grep ebs
kubectl -n kube-system logs deploy/ebs-csi-controller --tail=200
kubectl get pvc -A
kubectl describe pod -n <ns> <pod>

2.7 Metrics Server (Scaling + Visibility)

Why it matters Not Tier-0 for serving traffic, but Tier-0 for operating sanely. Without it:

• HPA breaks
• kubectl top is useless
• you lose quick visibility into node/pod pressure

First checks

kubectl -n kube-system get deploy metrics-server
kubectl -n kube-system logs deploy/metrics-server --tail=200
kubectl top nodes
kubectl top pods -A | head

2.8 EKS Addon Compatibility (Silent Failure Generator)

EKS upgrades are rarely just “upgrade Kubernetes”. You’re upgrading an ecosystem:

• CoreDNS
• kube-proxy
• VPC CNI
• CSI drivers
• LB controller

Rule If you don’t track addon versions and compatibility, you will eventually debug a failure caused by version skew.

2.9 AWS VPC / EC2 Network Limits (The Invisible Ceiling)

In AWS, network performance is not “infinite until it breaks”. It is governed by a set of hard limits at the VPC/EC2 layer. Some of these limits are documented, many are not. When you hit them, AWS usually does not fail loudly — it fails as latency, timeouts, dropped packets, and random connection resets.

In EKS, this becomes easier to trigger because Kubernetes binpacks many workloads onto one EC2 instance, which means:

• one noisy pod can consume a node-level network limit
• every other pod on the node suffers
• symptoms look like “the app is slow” even though the app is fine

This section exists so we stop blaming applications for AWS network ceilings.

2.9.1 Why this matters more in EKS (binpacking amplifies limits)

In a VM-per-service world, a single service hitting a network limit impacts itself. In Kubernetes, a single node can run:

• dozens/hundreds of pods
• shared proxies (Envoy/Nginx)
• CoreDNS
• DaemonSets

Everything shares the same node-level network limits.

The result is predictable:

A single workload can push the node over a limit and make unrelated services time out.

2.9.2 Real-world failure mode: DNS lookups clustering onto CoreDNS nodes

By default, pods resolve DNS through CoreDNS:

Traffic path

application pod
  -> kube-dns service (CoreDNS pods)
    -> EC2 link-local resolver

Only a small number of CoreDNS pods typically run in a cluster, which means:

• DNS traffic concentrates onto a few nodes (where CoreDNS pods are scheduled)
• those EC2 instances can hit link-local limits
• the cluster sees “DNS is flaky” even though most nodes are fine

This is one of the easiest ways to create a cluster-wide incident with no obvious “broken component”.

2.9.3 Link-local traffic limits (169.254.x.x) — easy to hit, hard to debug

Each EC2 instance exposes local services via link-local addresses (example: 169.254.169.254). These are used for:

• instance metadata
• temporary IAM credentials
• time sync and other local services
• DNS resolution via the VPC resolver path

These endpoints have limits. If you breach them, traffic gets rate-limited or dropped, and the failures are messy:

• timeouts
• slow DNS
• slow credential refresh
• sporadic errors that look unrelated

Pragmatic rule Treat link-local as a shared, rate-limited dependency.

2.9.4 DNS query limits (VPC resolver) — the 1024 packets/sec trap

Each EC2 instance has a hard cap on DNS traffic to the VPC resolver. As of this writing, it’s effectively capped at:

• 1024 packets per second (packets, not queries)

This distinction matters:

• A “DNS query” is not always one packet.
• With UDP, you usually pay at least:
  • 1 packet request + 1 packet response → 2 packets per query
• That means you might only get ~512 queries/sec in the simplest case.
• With larger responses, retries, TCP fallback, or DNSSEC, it gets worse.

In EKS, hundreds of pods on a node share this limit. It’s trivial to breach it.

What it looks like

• intermittent DNS resolution timeouts
• cascading app failures (everything depends on DNS)
• retries amplify the packet rate and make it worse

Mitigation

• cache DNS aggressively (application-level where possible)
• consider node-local DNS caching (NodeLocal DNSCache / dnsmasq style)
• keep CoreDNS well distributed across nodes/AZs

2.9.5 Security Group connection tracking limits (stateful firewall limits)

Security Groups are stateful. That means connection tracking happens, and there is a finite limit to how many concurrent connections an instance can sustain.

Important details:

• limits vary by instance type
• some limits are not clearly documented
• when you hit them, symptoms look like:
  • new TCP connections fail
  • connection establishment stalls
  • timeouts and latency spikes

Where this hurts in EKS

• reverse proxies handling lots of traffic
• long-lived connections (websocket, streaming, gRPC)
• high churn connection patterns (bad client behaviour, retries, load tests)

Pragmatic guidance

• long-lived connections are fine, but you must design for them:
  • keepalive tuning
  • connection pooling
  • horizontal scaling
  • avoid concentrating all traffic on a single node

2.9.6 What to monitor (and alert on)

CloudWatch is not enough for this class of failures.

To monitor these limits properly, you need node-level network driver metrics.

AWS ENA exposes useful counters on each EC2 instance that are:

• not always available in CloudWatch by default
• best collected by scraping from the node and shipping to your monitoring system

Action item Run a node-level metrics collector (DaemonSet or host agent) that scrapes ENA-related counters and publishes them to Prometheus / your metrics pipeline.

2.10 What to do when a Tier-0 component is unhealthy (EKS Incident Playbook)

Tier-0 failures are not limited to kube-system. In EKS, Tier-0 also includes AWS networking primitives that your cluster depends on:

• NLB / ALB (ingress and L4/L7 connectivity)
• NAT Gateway (egress to internet / third-party dependencies)
• Security Group connection tracking (stateful connection ceilings)

When any of these degrade, application symptoms become misleading. Your job is to stabilize the platform and the AWS networking layer first.

2.10.1 Step 0 — Stop making the incident worse

Do NOT

• restart random deployments
• roll out unrelated changes
• run scripts that spam the Kubernetes API
• scale CoreDNS / proxies blindly without checking node headroom

Do

• pause ongoing rollouts if they’re increasing churn
• capture evidence before it disappears

Capture evidence (minimum)

kubectl get nodes -o wide > nodes.txt
kubectl get pods -A -o wide > pods.txt
kubectl get events -A --sort-by=.lastTimestamp | tail -n 200 > events.txt

2.10.2 Step 1 — Confirm blast radius (cluster vs node-group vs AZ vs edge)

Tier-0 failures often appear “global” but aren’t. Quickly classify:

• Cluster-wide: kube-system pods unhealthy across nodes
• Node-group/AZ-specific: only one pool or AZ shows issues
• Edge-only: internal works, external traffic fails (NLB/ALB)
• Egress-only: internal works, outbound calls fail (NAT)

Quick checks

kubectl get nodes
kubectl get pods -n kube-system -o wide
kubectl get pods -A -o wide | head -n 50

2.10.3 Step 2 — Identify the failing Tier-0 dependency (K8s + AWS)

A) CoreDNS unhealthy → DNS failures everywhere

Checks

kubectl -n kube-system get pods -l k8s-app=kube-dns -o wide
kubectl -n kube-system logs -l k8s-app=kube-dns --tail=200

Safe actions

• scale CoreDNS only if nodes have headroom
• spread CoreDNS pods (avoid hotspot nodes)
• reduce DNS pressure (cache / fix runaway clients)

B) VPC CNI (aws-node) unhealthy → pod networking breaks

Checks

kubectl -n kube-system get pods -l k8s-app=aws-node -o wide
kubectl -n kube-system logs -l k8s-app=aws-node --tail=200

Safe actions

• cordon impacted nodes
• scale out node groups if out of IPs / pod density
• verify subnet IP capacity / prefix delegation

C) NAT idle timeout / keepalive mismatch → random outbound resets (egress path)

Same 350s idle timeout as NLB, but on the egress path. See Section 2.5.2 for full detail.

Safe actions

• enable TCP keep-alives in app/proxy
• monitor NAT IdleTimeoutCount

2.10.4 Step 3 — Contain blast radius (prevent spread)

Once you know the failing Tier-0 dependency:

Containment options

• cordon nodes to stop new scheduling:

kubectl cordon <node>

• drain nodes only when safe:

kubectl drain <node> --ignore-daemonsets --delete-emptydir-data

• scale out node groups if the failure is capacity-related (IP/CPU/mem/conntrack)

Key principle Containment > churn. Avoid actions that increase retries and reconnections.

2.10.5 Step 4 — Restore Tier-0 health (stabilize, then recover)

Stabilize in this order:

1. Control plane responsiveness (kubectl/API sanity)
2. kube-system essentials (CoreDNS, aws-node, kube-proxy)
3. Storage controllers (EBS CSI if stateful workloads exist)
4. Ingress/egress path (NLB/NAT behaviours, keepalives, target health)
5. Workloads

Only after Tier-0 is stable should you restart/roll workloads.

2.10.6 Step 5 — Validate recovery (don’t declare victory early)

Recovery means:

• DNS stable
• new pods schedule and start
• ingress traffic healthy
• egress stable (no NAT idle reset spikes)
• error rate + tail latency back to baseline

Quick checks

kubectl get nodes
kubectl -n kube-system get pods -o wide
kubectl get pods -A --field-selector=status.phase!=Running | head

2.10.7 Post-incident hardening (mandatory follow-up)

Every Tier-0 incident must produce:

• alerts (CoreDNS, aws-node, EBS CSI, LB controller)
• AWS networking alerts (NAT IdleTimeoutCount, node conntrack_allowance_exceeded)
• guardrails:
  • CoreDNS spread constraints
  • DNS caching strategy
  • keepalive defaults for ingress/egress
  • instance type sizing for connection-heavy services

3. Networking

This is where most “mysterious” production failures actually live. Unlike compute or storage failures that fail loudly, networking degrades gradually and inconsistently. A connection works 95% of the time. DNS resolves “most of the time”. Latency spikes “only under load”.

Below: the EKS networking stack and how to debug it systematically when things go sideways.

3.1 EKS Networking Stack (What Can Break and Where)

Understanding the layers helps you debug faster:

[Pod A] 
  ↓ (veth pair)
[Node's root netns] 
  ↓ (AWS VPC CNI / ENI)
[AWS VPC] 
  ↓ (routing, security groups, NACLs)
[Target: Pod B / Service / Internet]

Each layer can fail differently:

• Pod network namespace: wrong routes, missing interfaces
• Node networking: CNI plugin issues, IP exhaustion, conntrack
• VPC layer: security groups, routing tables, subnet capacity
• AWS services: NLB/ALB behavior, NAT timeouts, DNS resolver limits

3.2 AWS VPC CNI Deep Dive (The Foundation)

The AWS VPC CNI is what makes “pod gets a real VPC IP” work. When it breaks, symptoms are confusing because pods might start but not communicate, or communication works sometimes but not others.

3.2.1 How AWS VPC CNI Works (Simplified)

1. ENI allocation: Each node gets multiple ENIs (network interfaces)
2. IP allocation: Each ENI gets either:
   • Multiple secondary IPs (legacy mode)
   • IP prefixes (/28 blocks) when prefix delegation is enabled
3. Pod assignment: Each pod gets one IP from the available pool
4. Routing: Node routes traffic between pod netns and ENI

Pod density isn’t just CPU/memory limited — it’s bounded by ENI limits and either IP-per-ENI limits (legacy) or prefix allocation limits (with prefix delegation).

Prefix delegation benefits:

• Dramatically increases pod density (from ~10-250 pods per node to ~110-750+ pods)
• Reduces ENI pressure on larger instance types
• More efficient IP utilization

3.2.2 Common CNI Failure Modes

A) IP Exhaustion (Pods stuck in Pending)

Symptoms:

kubectl get pods -A | grep Pending
kubectl describe pod <pod> | grep -i "failed to allocate"

Root causes:

• Subnet out of IPs
• Node hit max pods per instance type
• Prefix delegation misconfigured or not enabled
• ENI limits reached without prefix delegation

Quick diagnosis:

# Check available IPs in subnet
aws ec2 describe-subnets --subnet-ids <subnet-id>

# Check pod density limits
kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.allocatable.pods}{"\n"}{end}'

# Check CNI logs
kubectl -n kube-system logs -l k8s-app=aws-node --tail=100

B) ENI Attachment Failures

Symptoms:

• New nodes can’t schedule pods
• FailedCreatePodSandBox errors
• CNI timeouts during pod creation

Quick diagnosis:

kubectl -n kube-system logs -l k8s-app=aws-node | grep -i "eni\|attach\|interface"

C) Cross-AZ Communication Issues

Symptoms:

• Pods in different AZs can’t reach each other
• Intermittent timeouts between services
• Works within AZ, fails across AZ

Root causes:

• Route table misconfigurations
• Security group rules
• NACLs blocking cross-AZ traffic

3.2.3 CNI Configuration Tuning

Key parameters to understand:

# Check current CNI configuration
kubectl -n kube-system describe daemonset aws-node

Important environment variables:

• ENABLE_PREFIX_DELEGATION: Increases pod density
• WARM_ENI_TARGET: Pre-allocates ENIs for faster pod startup
• WARM_IP_TARGET: Pre-allocates IPs for faster pod startup
• MAX_ENI: Limits ENI usage per node

Production tuning example:

env:
- name: ENABLE_PREFIX_DELEGATION
  value: "true"
- name: WARM_PREFIX_TARGET
  value: "1"        # Keep 1 prefix warm (16 IPs)
- name: WARM_IP_TARGET
  value: "3"        # Keep 3 individual IPs warm
- name: MAX_ENI
  value: "10"       # Limit ENI usage if needed
- name: AWS_VPC_K8S_CNI_EXTERNALSNAT
  value: "true"     # Preserve pod IPs for cross-VPC communication

Understanding prefix vs IP mode:

• Legacy (IP mode): Each ENI gets ~15-50 secondary IPs depending on instance type
• Prefix mode: Each ENI gets /28 prefixes (16 IPs each), dramatically increasing density
• Mixed mode: Can use both prefixes and individual IPs on same ENI

External SNAT configuration:

• Default (false): Pod traffic to external destinations gets SNATed to node IP
• External SNAT (true): Pod retains its VPC IP when talking to external destinations
• Critical for: Cross-VPC communication, VPC peering, Transit Gateway scenarios
• Why it matters: Allows destination to see actual pod IP instead of node IP for logging, security groups, etc.

3.3 DNS and Service Discovery (CoreDNS Operational Reality)

DNS failures in Kubernetes don’t just break service discovery—they cascade into timeouts, retries, and connection pool exhaustion that can take down entire applications.

3.3.1 CoreDNS Under Load (When DNS Becomes the Bottleneck)

Common failure pattern:

1. Application makes many DNS queries (poor caching)
2. CoreDNS pods hit CPU/memory limits
3. DNS queries start timing out
4. Applications retry aggressively
5. DNS load increases, making timeouts worse
6. Cascade failure across services

Symptoms:

# DNS timeouts in application logs
kubectl logs <app-pod> | grep -i "dns\|resolve\|timeout"

# CoreDNS resource pressure
kubectl -n kube-system top pods -l k8s-app=kube-dns

# DNS query patterns
kubectl -n kube-system logs -l k8s-app=kube-dns | grep -E "NXDOMAIN|timeout|error"

3.3.2 DNS Query Patterns That Kill Performance

Bad patterns:

• No DNS caching in applications
• Querying external domains from every pod
• Short TTL on frequently accessed services
• DNS queries in tight loops

Example of problematic application behavior:

# BAD: DNS lookup on every request
def make_request():
    host = socket.gethostbyname("api.external.com")  # DNS lookup every time
    return requests.get(f"http://{host}/api")

# GOOD: Cache DNS resolution
dns_cache = {}
def make_request():
    if "api.external.com" not in dns_cache:
        dns_cache["api.external.com"] = socket.gethostbyname("api.external.com")
    host = dns_cache["api.external.com"]
    return requests.get(f"http://{host}/api")

3.3.3 CoreDNS Scaling and Distribution

Horizontal scaling:

kubectl -n kube-system scale deployment coredns --replicas=5

Anti-affinity to spread CoreDNS pods:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: coredns
  namespace: kube-system
spec:
  template:
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: k8s-app
                  operator: In
                  values: ["kube-dns"]
              topologyKey: kubernetes.io/hostname

3.3.4 NodeLocal DNSCache (Advanced DNS Optimization)

For clusters with heavy DNS load, NodeLocal DNSCache runs a DNS cache on each node:

Benefits:

• Reduces load on CoreDNS
• Improves DNS response times
• Reduces DNS-related network traffic

Trade-offs:

• Additional complexity
• More moving parts to debug
• Cache invalidation edge cases

When to consider:

• High DNS query volume (>1000 QPS cluster-wide)
• DNS-related performance issues
• Applications that can’t implement proper DNS caching

3.3.5 DNS Search Domain Optimization (ndots Configuration)

The ndots problem: By default, Kubernetes sets ndots:5 in /etc/resolv.conf, causing excessive DNS queries for external domains.

Default behavior analysis:

# Inside a pod, resolving "google.com" triggers these queries:
# 1. google.com.default.svc.cluster.local
# 2. google.com.svc.cluster.local  
# 3. google.com.cluster.local
# 4. google.com.us-west-2.compute.internal
# 5. google.com.compute.internal
# 6. google.com (finally!)

Impact on AWS linklocal limits:

# Each failed query hits 169.254.169.254 (AWS DNS resolver)
# With ndots:5, external domains generate 6x DNS traffic
# AWS limit: 1024 PPS per instance - easily exceeded in dense clusters

Optimized ndots configuration:

apiVersion: v1
kind: Pod
metadata:
  name: optimized-dns-app
spec:
  dnsPolicy: ClusterFirst
  dnsConfig:
    options:
    - name: ndots
      value: "1"  # Reduce from default 5 to 1
    - name: edns0  # Enable DNS extensions
  containers:
  - name: app
    image: nginx

Application-specific DNS optimization:

# For apps that primarily call external services
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-api-client
spec:
  template:
    spec:
      dnsConfig:
        options:
        - name: ndots
          value: "1"
      containers:
      - name: app
        env:
        - name: EXTERNAL_API_URL
          value: "https://api.example.com."  # Trailing dot = absolute FQDN

3.3.6 Listen backlog and connection handling

These are not DNS topics, but connection-level tuning is commonly needed alongside DNS optimization when debugging service latency.

Listen Backlog Configuration for High-Traffic Services

Problem: Default listen backlog (128) causes connection drops under bursty load.

Root cause: When services receive more concurrent connection attempts than the listen backlog can queue, connections are dropped at the kernel level.

Solution - Configure via sysctls:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: high-traffic-service
spec:
  template:
    spec:
      securityContext:
        sysctls:
        - name: net.core.somaxconn
          value: "32000"  # Increase from default 128
        - name: net.ipv4.ip_local_port_range
          value: "1024 64000"  # Expand ephemeral port range
      containers:
      - name: app
        # Application configuration

Monitor listen backlog with sidecar pattern:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: monitored-service
spec:
  template:
    spec:
      containers:
      - name: app
        image: my-app:latest
        # Main application container
      - name: node-exporter
        image: prom/node-exporter:latest
        args:
        - --web.listen-address=0.0.0.0:9100
        - --collector.disable-defaults
        - --web.disable-exporter-metrics
        - --collector.conntrack
        - --collector.filefd
        - --collector.netstat
        - --collector.sockstat
        ports:
        - containerPort: 9100
          name: metrics
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["all"]

Prometheus alerts for listen backlog issues:

groups:
- name: listen-backlog
  rules:
  - alert: ListenDrops
    expr: sum by (k8s_cluster_name, pod) (rate(node_netstat_TcpExt_ListenDrops[5m]) > 0) > 5
    for: 2m
    annotations:
      summary: "Listen drops detected on "
      description: "Pod  is dropping connections due to listen backlog overflow"

  - alert: ListenOverflows  
    expr: sum by (k8s_cluster_name, pod) (rate(node_netstat_TcpExt_ListenOverflows[5m]) > 0) > 5
    for: 2m
    annotations:
      summary: "Listen overflows detected on "
      description: "Pod  has listen queue overflows - increase somaxconn"

Protection Against Slow Clients

Problem: Slow clients can exhaust thread/process pools in request-per-thread models.

Attack vector simulation:

# Simulate slow client sending 10KB slowly (1 byte per second)
(echo -e -n 'POST /api HTTP/1.1\r\nHost: example.com\r\nContent-Length: 10000\r\n\r\n'; 
 i=0; while [ $i -lt 10000 ]; do echo -n "a"; sleep 1; i=$((i+1)); done) \
 | socat -t 10 - TCP4:service.example.com:80

Solution - Reverse proxy with buffering:

apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-config
data:
  nginx.conf: |
    events {
        worker_connections 1024;
    }
    http {
        # Buffer entire request before forwarding to backend
        proxy_request_buffering on;
        proxy_buffering on;
        
        # Timeout configurations
        client_header_timeout 10s;    # Max time to receive headers
        client_body_timeout 30s;      # Max time to receive body
        send_timeout 30s;             # Max time to send response
        keepalive_timeout 65s;        # Connection idle timeout
        
        upstream backend {
            server app-service:8080;
        }
        
        server {
            listen 80;
            location / {
                proxy_pass http://backend;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
            }
        }
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-proxy
spec:
  template:
    spec:
      containers:
      - name: nginx
        image: nginx:alpine
        volumeMounts:
        - name: config
          mountPath: /etc/nginx/nginx.conf
          subPath: nginx.conf
      volumes:
      - name: config
        configMap:
          name: nginx-config

Envoy configuration for slow client protection:

apiVersion: v1
kind: ConfigMap
metadata:
  name: envoy-config
data:
  envoy.yaml: |
    static_resources:
      listeners:
      - name: listener_0
        address:
          socket_address:
            address: 0.0.0.0
            port_value: 8080
        filter_chains:
        - filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              request_timeout: 30s
              stream_idle_timeout: 300s
              request_headers_timeout: 10s
              http_filters:
              - name: envoy.filters.http.buffer
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.filters.http.buffer.v3.Buffer
                  max_request_bytes: 1048576  # 1MB buffer
              - name: envoy.filters.http.router
              route_config:
                name: local_route
                virtual_hosts:
                - name: backend
                  domains: ["*"]
                  routes:
                  - match:
                      prefix: "/"
                    route:
                      cluster: backend_cluster
      clusters:
      - name: backend_cluster
        connect_timeout: 5s
        type: STRICT_DNS
        lb_policy: ROUND_ROBIN
        load_assignment:
          cluster_name: backend_cluster
          endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: app-service
                    port_value: 8080

3.4 Service Mesh Networking (When L7 Proxy Becomes Critical Path)

Service meshes add another networking layer that can fail in EKS-specific ways.

3.4.1 Envoy Sidecar Resource Limits

Common failure: Envoy sidecar hits CPU/memory limits under load, causing:

• Request timeouts
• Connection pool exhaustion
• Circuit breaker activation

Diagnosis:

# Check sidecar resource usage
kubectl top pods --containers | grep envoy

# Check Envoy admin interface
kubectl exec <pod> -c istio-proxy -- curl localhost:15000/stats | grep -E "cx_|rq_|upstream"

Tuning:

metadata:
  annotations:
    sidecar.istio.io/proxyCPU: "100m"
    sidecar.istio.io/proxyMemory: "128Mi"
    sidecar.istio.io/proxyCPULimit: "200m"
    sidecar.istio.io/proxyMemoryLimit: "256Mi"

3.4.2 mTLS Certificate Rotation Issues

Symptoms:

• Intermittent 503 errors between services
• TLS handshake failures
• Services work sometimes, fail other times

Diagnosis:

# Check certificate expiration
kubectl exec <pod> -c istio-proxy -- openssl s_client -connect <service>:443 -servername <service> < /dev/null 2>/dev/null | openssl x509 -noout -dates

# Check Envoy TLS stats
kubectl exec <pod> -c istio-proxy -- curl localhost:15000/stats | grep ssl

3.5 Load Balancer Integration (ALB/NLB Operational Patterns)

3.5.1 ALB Target Group Health Issues

Common failure pattern:

1. Pod starts and becomes “Ready”
2. ALB target group shows “unhealthy”
3. Traffic doesn’t reach the pod
4. Application appears to be “not working”

Root causes:

• Health check path misconfigured
• Security group rules blocking ALB health checks
• Pod readiness probe vs ALB health check mismatch

Diagnosis:

# Check ALB target group health
aws elbv2 describe-target-health --target-group-arn <arn>

# Check ingress configuration
kubectl describe ingress <ingress-name>

# Check ALB controller logs
kubectl -n kube-system logs deployment/aws-load-balancer-controller

Fix patterns:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/healthcheck-path: /health
    alb.ingress.kubernetes.io/healthcheck-interval-seconds: '30'
    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '5'
    alb.ingress.kubernetes.io/healthy-threshold-count: '2'
    alb.ingress.kubernetes.io/unhealthy-threshold-count: '3'

3.5.2 NLB Connection Tracking and Keep-Alive

The NLB idle timeout problem and TCP keepalive fix are covered in detail in Section 2.5.1. This section adds the language-specific code examples.

For HTTP clients (Python):

import requests
from requests.adapters import HTTPAdapter

session = requests.Session()
adapter = HTTPAdapter(
    socket_options=[
        (socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1),
        (socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, 300),
        (socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, 5),
        (socket.IPPROTO_TCP, socket.TCP_KEEPCNT, 5),
    ]
)
session.mount("http://", adapter)
session.mount("https://", adapter)

For gRPC (Python):

import grpc

options = [
    ('grpc.keepalive_time_ms', 300000),
    ('grpc.keepalive_timeout_ms', 5000),
    ('grpc.keepalive_permit_without_calls', True),
    ('grpc.http2.max_pings_without_data', 0),
]

channel = grpc.insecure_channel('service:50051', options=options)

3.6 Network Policies (Micro-segmentation That Actually Works)

Network policies in EKS require a CNI that supports them (like Calico). When they’re misconfigured, they create “works sometimes” failures that are hard to debug.

3.6.1 Common Network Policy Mistakes

Mistake 1: Blocking DNS

# BAD: This blocks DNS resolution
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  # No egress rules = no DNS

Fix: Always allow DNS

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to: []
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53

Mistake 2: Forgetting about health checks

# Need to allow kubelet health checks
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-health-checks
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from: []
    ports:
    - protocol: TCP
      port: 8080  # Your health check port

3.6.2 Debugging Network Policy Issues

Test connectivity between pods:

# From source pod to target pod
kubectl exec -it <source-pod> -- nc -zv <target-pod-ip> <port>

# Test DNS resolution
kubectl exec -it <pod> -- nslookup kubernetes.default.svc.cluster.local

# Check if network policies are applied
kubectl get networkpolicy -A
kubectl describe networkpolicy <policy-name>

Calico-specific debugging:

# Check Calico policy status
kubectl exec -n kube-system <calico-node-pod> -- calicoctl get policy -o wide

# Check Calico logs
kubectl -n kube-system logs -l k8s-app=calico-node

3.7 Cross-AZ Networking (Latency and Cost Optimization)

3.7.1 Understanding Cross-AZ Traffic Patterns

Network latency between AZs:

• Intra-AZ: ~0.1-0.5ms
• Inter-AZ: ~1-2ms
• Cross-region: 20-100ms+

Cost implications:

• Intra-AZ traffic: Free
• Inter-AZ traffic: $0.01/GB (as of 2024)
• Cross-region: $0.02/GB+

3.7.2 Topology Spread Constraints for Network Optimization

Spread pods across AZs for availability:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-app
spec:
  replicas: 6
  template:
    spec:
      topologySpreadConstraints:
      - maxSkew: 1
        topologyKey: topology.kubernetes.io/zone
        whenUnsatisfiable: DoNotSchedule
        labelSelector:
          matchLabels:
            app: web-app

Keep related services in same AZ:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: cache-service
spec:
  template:
    spec:
      affinity:
        podAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app
                  operator: In
                  values: ["web-app"]
              topologyKey: topology.kubernetes.io/zone

3.8 Debugging Network Issues (Systematic Approach)

3.8.1 Layer-by-Layer Debugging

Step 1: Pod-to-Pod IP connectivity

# Get pod IPs
kubectl get pods -o wide

# Test basic IP connectivity
kubectl exec -it <source-pod> -- ping <target-pod-ip>

# Test specific port
kubectl exec -it <source-pod> -- nc -zv <target-pod-ip> <port>

Step 2: Service discovery

# Test DNS resolution
kubectl exec -it <pod> -- nslookup <service-name>.<namespace>.svc.cluster.local

# Test service connectivity
kubectl exec -it <pod> -- curl <service-name>.<namespace>.svc.cluster.local:<port>

Step 3: Ingress/Load balancer

# Check ingress status
kubectl get ingress
kubectl describe ingress <ingress-name>

# Test from outside cluster
curl -v http://<load-balancer-dns>/health

3.8.2 Network Debugging Tools

Essential tools to have in debug pods:

apiVersion: v1
kind: Pod
metadata:
  name: network-debug
spec:
  containers:
  - name: debug
    image: nicolaka/netshoot
    command: ["/bin/bash"]
    args: ["-c", "while true; do sleep 30; done;"]
    securityContext:
      capabilities:
        add: ["NET_ADMIN"]

Useful commands in debug pod:

# Network interface info
ip addr show
ip route show

# DNS debugging
dig @8.8.8.8 google.com
nslookup kubernetes.default.svc.cluster.local

# Port scanning
nmap -p 80,443,8080 <target-ip>

# Packet capture
tcpdump -i any -w /tmp/capture.pcap host <target-ip>

# Connection testing
nc -zv <host> <port>
telnet <host> <port>

3.8.3 Performance Testing and Monitoring

Network performance testing:

# Bandwidth testing between pods
kubectl exec -it <pod1> -- iperf3 -s &
kubectl exec -it <pod2> -- iperf3 -c <pod1-ip>

# Latency testing
kubectl exec -it <pod1> -- ping -c 100 <pod2-ip>

Key metrics to monitor:

• DNS query latency and error rate
• Service-to-service latency (P50, P95, P99)
• Network throughput and packet loss
• Connection pool utilization
• Cross-AZ traffic volume and cost

3.9 Network Security (Defense in Depth)

3.9.1 Security Groups vs Network Policies

Security Groups (AWS level):

• Applied at ENI level
• Stateful firewall rules
• Good for node-to-node and external access control

Network Policies (Kubernetes level):

• Applied at pod level
• More granular control
• Good for micro-segmentation within cluster

Best practice: Use both layers

# Network policy for pod-to-pod
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-app-policy
spec:
  podSelector:
    matchLabels:
      app: web-app
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: database
    ports:
    - protocol: TCP
      port: 5432

3.9.2 Pod Security Groups (EKS-specific)

For fine-grained security group control at pod level:

apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
  annotations:
    eks.amazonaws.com/security-groups: sg-12345678,sg-87654321
spec:
  containers:
  - name: app
    image: myapp:latest

When to use pod security groups:

• Need different security rules per workload
• Compliance requirements for network isolation
• Integration with AWS security tools

Trade-offs:

• Additional complexity
• Potential performance impact
• Limited to specific instance types and CNI versions

3.10 Network Troubleshooting Runbook

3.10.1 “Service is unreachable” Runbook

Symptoms: Application can’t reach another service

Step 1: Verify service exists and has endpoints

kubectl get svc <service-name>
kubectl get endpoints <service-name>

Step 2: Test DNS resolution

kubectl exec -it <pod> -- nslookup <service-name>.<namespace>.svc.cluster.local

Step 3: Test direct IP connectivity

kubectl exec -it <pod> -- nc -zv <endpoint-ip> <port>

Step 4: Check network policies

kubectl get networkpolicy -n <namespace>
kubectl describe networkpolicy <policy-name>

Step 5: Check security groups (if using pod security groups)

aws ec2 describe-security-groups --group-ids <sg-id>

3.10.2 “DNS is slow/failing” Runbook

Symptoms: DNS timeouts, slow service discovery

Step 1: Check CoreDNS health

kubectl -n kube-system get pods -l k8s-app=kube-dns
kubectl -n kube-system logs -l k8s-app=kube-dns --tail=100

Step 2: Test DNS from multiple pods

kubectl exec -it <pod1> -- time nslookup kubernetes.default.svc.cluster.local
kubectl exec -it <pod2> -- time nslookup kubernetes.default.svc.cluster.local

Step 3: Check DNS query patterns

kubectl -n kube-system logs -l k8s-app=kube-dns | grep -E "NXDOMAIN|timeout" | tail -20

Step 4: Monitor CoreDNS resource usage

kubectl -n kube-system top pods -l k8s-app=kube-dns

Step 5: Scale CoreDNS if needed

kubectl -n kube-system scale deployment coredns --replicas=<new-count>

3.10.3 “Load balancer not working” Runbook

Symptoms: External traffic can’t reach services

Step 1: Check ingress/service status

kubectl get ingress
kubectl describe ingress <ingress-name>
kubectl get svc <service-name>

Step 2: Check AWS Load Balancer Controller

kubectl -n kube-system logs deployment/aws-load-balancer-controller

Step 3: Verify target group health

aws elbv2 describe-target-health --target-group-arn <arn>

Step 4: Test internal connectivity

kubectl exec -it <debug-pod> -- curl <service-name>:<port>/health

Step 5: Check security group rules

aws ec2 describe-security-groups --group-ids <alb-sg-id>

4. Workload identity and security

EKS security failures often look like “the application is broken” when the real issue is auth, authorization, or secrets. Misconfigured IRSA, missing encryption, bad RBAC — these create confusing incidents that send you chasing application bugs that don’t exist.

4.1 IAM Roles for Service Accounts (IRSA) - The Foundation

IRSA is how pods get AWS permissions without embedding long-lived credentials. When it breaks, applications fail to access AWS services with cryptic permission errors.

4.1.1 How IRSA Works (What Can Break)

[Pod with ServiceAccount] 
  ↓ (projected token volume)
[OIDC JWT Token] 
  ↓ (AWS STS AssumeRoleWithWebIdentity)
[Temporary AWS Credentials] 
  ↓ (AWS API calls)
[AWS Services: S3, RDS, etc.]

Each step can fail:

• ServiceAccount annotation missing/wrong
• OIDC provider not configured
• IAM role trust policy incorrect
• IAM role permissions insufficient
• Token projection/mounting issues

4.1.2 Common IRSA Failure Patterns

A) “Access Denied” but IAM role looks correct

Symptoms:

AccessDenied: User: arn:aws:sts::123456789012:assumed-role/eksctl-my-cluster-nodegroup-NodeInstanceRole-XXXXX/i-1234567890abcdef0 is not authorized to perform: s3:GetObject

Root cause: Pod is using node IAM role instead of IRSA role

Diagnosis:

# Check if ServiceAccount has IRSA annotation
kubectl describe sa <service-account-name>

# Check if pod is using the ServiceAccount
kubectl describe pod <pod-name> | grep "Service Account"

# Check if OIDC provider exists
aws eks describe-cluster --name <cluster-name> --query "cluster.identity.oidc.issuer"
aws iam list-open-id-connect-providers

B) Token projection failures

Symptoms:

• Pod starts but AWS calls fail with authentication errors
• Missing /var/run/secrets/eks.amazonaws.com/serviceaccount/token

Diagnosis:

# Check if token is mounted
kubectl exec <pod-name> -- ls -la /var/run/secrets/eks.amazonaws.com/serviceaccount/

# Check token content (should be JWT)
kubectl exec <pod-name> -- cat /var/run/secrets/eks.amazonaws.com/serviceaccount/token | cut -d. -f2 | base64 -d

4.1.3 IRSA Setup and Troubleshooting

Correct IRSA setup:

1. Create OIDC provider (one-time per cluster):

   eksctl utils associate-iam-oidc-provider --cluster <cluster-name> --approve
   

2. Create IAM role with trust policy:

   {
     "Version": "2012-10-17",
     "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::ACCOUNT-ID:oidc-provider/oidc.eks.REGION.amazonaws.com/id/OIDC-ID"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.REGION.amazonaws.com/id/OIDC-ID:sub": "system:serviceaccount:NAMESPACE:SERVICE-ACCOUNT-NAME",
          "oidc.eks.REGION.amazonaws.com/id/OIDC-ID:aud": "sts.amazonaws.com"
        }
      }
    }
     ]
   }
   

3. Annotate ServiceAccount:

   apiVersion: v1
   kind: ServiceAccount
   metadata:
     name: my-service-account
     namespace: my-namespace
     annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT-ID:role/my-irsa-role
   

4. Use ServiceAccount in pod:

   apiVersion: v1
   kind: Pod
   metadata:
     name: my-pod
   spec:
     serviceAccountName: my-service-account
     containers:
     - name: my-container
    image: my-app:latest
   

Validation script:

#!/bin/bash
# Test IRSA setup
NAMESPACE="my-namespace"
SA_NAME="my-service-account"
POD_NAME="test-pod"

echo "1. Checking ServiceAccount annotation..."
kubectl get sa $SA_NAME -n $NAMESPACE -o jsonpath='{.metadata.annotations.eks\.amazonaws\.com/role-arn}'

echo -e "\n2. Checking pod ServiceAccount..."
kubectl get pod $POD_NAME -n $NAMESPACE -o jsonpath='{.spec.serviceAccountName}'

echo -e "\n3. Checking token mount..."
kubectl exec $POD_NAME -n $NAMESPACE -- ls -la /var/run/secrets/eks.amazonaws.com/serviceaccount/

echo -e "\n4. Testing AWS credentials..."
kubectl exec $POD_NAME -n $NAMESPACE -- aws sts get-caller-identity

4.2 Pod Security Standards (Replacing PSPs)

Pod Security Policies (PSPs) are deprecated. Pod Security Standards are the replacement, but they work differently and can create new failure modes.

4.2.1 Pod Security Standards Levels

Privileged: No restrictions (dangerous for production) Baseline: Minimal restrictions, prevents known privilege escalations Restricted: Heavily restricted, follows pod hardening best practices

4.2.2 Common Pod Security Failures

A) Pods rejected by admission controller

Symptoms:

Error creating: pods "my-pod" is forbidden: violates PodSecurity "restricted:latest": 
allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true

Fix patterns:

apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 2000
  containers:
  - name: app
    image: myapp:latest
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 1000
      capabilities:
        drop:
        - ALL

B) Applications fail due to security restrictions

Common issues:

• App tries to write to read-only filesystem
• App needs specific capabilities
• App runs as root by default

Debugging approach:

# Check pod security context
kubectl describe pod <pod-name> | grep -A 20 "Security Context"

# Check container security context
kubectl get pod <pod-name> -o jsonpath='{.spec.containers[*].securityContext}'

# Test file system permissions
kubectl exec <pod-name> -- touch /tmp/test-write
kubectl exec <pod-name> -- id

4.2.3 Namespace-Level Pod Security Configuration

apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted

Gradual rollout strategy:

1. Start with warn mode to identify violations
2. Add audit mode to log violations
3. Finally enable enforce mode to block violations

4.3 Secrets Management (Beyond Kubernetes Secrets)

Kubernetes Secrets are base64 encoded, not encrypted at rest by default, and visible to anyone with cluster access. For production workloads, you need better secrets management.

4.3.1 AWS Secrets Manager Integration

Using AWS Load Balancer Controller with Secrets Manager:

apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
  annotations:
    aws-load-balancer-controller.k8s.aws/secret-manager: "arn:aws:secretsmanager:region:account:secret:prod/db/credentials"
type: Opaque

Using External Secrets Operator:

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets-manager
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-west-2
      auth:
        secretRef:
          accessKeyID:
            name: awssm-secret
            key: access-key
          secretAccessKey:
            name: awssm-secret
            key: secret-access-key
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-secret
spec:
  refreshInterval: 15s
  secretStoreRef:
    name: aws-secrets-manager
    kind: SecretStore
  target:
    name: app-secret
    creationPolicy: Owner
  data:
  - secretKey: password
    remoteRef:
      key: prod/db/credentials
      property: password

4.3.2 Secrets CSI Driver

Mount secrets as volumes:

apiVersion: v1
kind: Pod
metadata:
  name: app-pod
spec:
  serviceAccountName: app-service-account
  containers:
  - name: app
    image: myapp:latest
    volumeMounts:
    - name: secrets-store
      mountPath: "/mnt/secrets"
      readOnly: true
  volumes:
  - name: secrets-store
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: "app-secrets"
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: app-secrets
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "prod/db/credentials"
        objectType: "secretsmanager"
        jmesPath:
          - path: "password"
            objectAlias: "db-password"

4.3.3 Secrets Rotation and Lifecycle

Automatic rotation with External Secrets:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: rotating-secret
spec:
  refreshInterval: 1h  # Check for updates every hour
  secretStoreRef:
    name: aws-secrets-manager
    kind: SecretStore
  target:
    name: app-secret
    creationPolicy: Owner
    template:
      metadata:
        annotations:
          reloader.stakater.com/match: "true"  # Trigger pod restart on change

Monitoring secrets rotation:

# Check External Secrets status
kubectl get externalsecrets
kubectl describe externalsecret <name>

# Check secret age
kubectl get secrets -o custom-columns=NAME:.metadata.name,AGE:.metadata.creationTimestamp

4.4 Network Security (Security Groups and Network Policies)

4.4.1 Security Groups for Pods

EKS allows assigning security groups directly to pods for fine-grained network control:

apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
  annotations:
    eks.amazonaws.com/security-groups: sg-12345678
spec:
  containers:
  - name: app
    image: myapp:latest

When to use pod security groups:

• Need different network rules per workload
• Compliance requirements for network isolation
• Integration with AWS security services

Limitations:

• Only works with supported instance types
• Requires specific CNI configuration
• Can impact performance

4.4.2 Network Policies for Micro-segmentation

Default deny all traffic:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

Allow specific service communication:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-to-api
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: web
    ports:
    - protocol: TCP
      port: 8080

Always allow DNS and health checks:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-and-health
spec:
  podSelector: {}
  policyTypes:
  - Egress
  - Ingress
  egress:
  # Allow DNS
  - to: []
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  ingress:
  # Allow health checks from kubelet
  - from: []
    ports:
    - protocol: TCP
      port: 8080  # Your health check port

4.5 Image Security and Supply Chain

4.5.1 Image Scanning and Vulnerability Management

ECR image scanning:

# Enable scan on push
aws ecr put-image-scanning-configuration --repository-name myapp --image-scanning-configuration scanOnPush=true

# Manual scan
aws ecr start-image-scan --repository-name myapp --image-id imageTag=latest

# Get scan results
aws ecr describe-image-scan-findings --repository-name myapp --image-id imageTag=latest

Admission controller for image scanning:

apiVersion: v1
kind: ValidatingAdmissionWebhook
metadata:
  name: image-security-webhook
webhooks:
- name: image-scan-check
  clientConfig:
    service:
      name: image-security-service
      namespace: security-system
      path: "/validate"
  rules:
  - operations: ["CREATE", "UPDATE"]
    apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]

4.5.2 Image Signing and Verification

Using Cosign for image signing:

# Sign image
cosign sign --key cosign.key myregistry/myapp:v1.0.0

# Verify signature
cosign verify --key cosign.pub myregistry/myapp:v1.0.0

Policy enforcement with Gatekeeper:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: requiresignedimages
spec:
  crd:
    spec:
      names:
        kind: RequireSignedImages
      validation:
        properties:
          trustedKeys:
            type: array
            items:
              type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package requiresignedimages
        
        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          not is_signed(container.image)
          msg := sprintf("Image %v is not signed", [container.image])
        }
        
        is_signed(image) {
          # Implementation depends on your signing verification logic
        }

4.6 Audit Logging and Compliance

4.6.1 EKS Audit Logging Configuration

Enable audit logging:

aws eks update-cluster-config \
  --name my-cluster \
  --logging '{"enable":["api","audit","authenticator","controllerManager","scheduler"]}'

Audit policy for security events:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
# Log secret access
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets"]
# Log RBAC changes
- level: RequestResponse
  resources:
  - group: "rbac.authorization.k8s.io"
    resources: ["*"]
# Log security context changes
- level: Request
  resources:
  - group: ""
    resources: ["pods"]
  namespaces: ["production"]
  omitStages:
  - RequestReceived

4.6.2 Security Monitoring and Alerting

Key security metrics to monitor:

• Failed authentication attempts
• Privilege escalation attempts
• Unauthorized secret access
• Network policy violations
• Image pull failures from untrusted registries

Example Prometheus alerts:

groups:
- name: kubernetes-security
  rules:
  - alert: UnauthorizedSecretAccess
    expr: increase(apiserver_audit_total{verb="get",objectRef_resource="secrets",user_username!~"system:.*"}[5m]) > 0
    labels:
      severity: warning
    annotations:
      summary: "Unauthorized access to secrets detected"
      
  - alert: PrivilegedPodCreated
    expr: increase(apiserver_audit_total{verb="create",objectRef_resource="pods",requestObject_spec_securityContext_privileged="true"}[5m]) > 0
    labels:
      severity: critical
    annotations:
      summary: "Privileged pod created"

4.7 Security Incident Response Runbook

4.7.1 “Pod can’t access AWS services” Runbook

Symptoms: AWS API calls failing with permission errors

Step 1: Verify IRSA setup

kubectl describe sa <service-account> | grep eks.amazonaws.com/role-arn
kubectl describe pod <pod> | grep "Service Account"

Step 2: Check token projection

kubectl exec <pod> -- ls -la /var/run/secrets/eks.amazonaws.com/serviceaccount/
kubectl exec <pod> -- aws sts get-caller-identity

Step 3: Verify IAM role and policies

aws iam get-role --role-name <irsa-role-name>
aws iam list-attached-role-policies --role-name <irsa-role-name>

Step 4: Test permissions

kubectl exec <pod> -- aws s3 ls  # Or whatever AWS service you're trying to access

4.7.2 “Pods being rejected by security policies” Runbook

Symptoms: Pod creation fails with security policy violations

Step 1: Check namespace security labels

kubectl get namespace <namespace> -o yaml | grep pod-security

Step 2: Identify specific violations

kubectl describe pod <pod> | grep -A 10 "violates PodSecurity"

Step 3: Fix security context

# Check current security context
kubectl get pod <pod> -o jsonpath='{.spec.securityContext}'
kubectl get pod <pod> -o jsonpath='{.spec.containers[*].securityContext}'

Step 4: Apply fixes and redeploy

4.7.3 “Secrets not updating” Runbook

Symptoms: Application using old secret values

Step 1: Check External Secrets status

kubectl get externalsecrets
kubectl describe externalsecret <name>

Step 2: Verify secret store connectivity

kubectl get secretstore
kubectl describe secretstore <name>

Step 3: Check AWS Secrets Manager

aws secretsmanager describe-secret --secret-id <secret-name>
aws secretsmanager get-secret-value --secret-id <secret-name>

Step 4: Force refresh

kubectl annotate externalsecret <name> force-sync=$(date +%s)

4.8 Health probes (critical for reliable services)

Note: health probes aren’t a security topic, but they’re here because probe misconfiguration is one of the most common causes of cascading failures during deployments. Misplaced in this section, but important enough to keep rather than move.

4.8.1 Readiness Probe (Traffic Routing Control)

Purpose: “Is it a good idea to send traffic to this Pod right now?”

Common misconception: Since Kubernetes manages pods, graceful draining isn’t needed.

Reality: Without proper readiness probes:

• Traffic sent to pods before they’re ready
• Traffic continues to terminating pods
• Rolling updates cause 5xx errors

Best practices:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-service
spec:
  template:
    spec:
      containers:
      - name: app
        image: my-app:latest
        readinessProbe:
          httpGet:
            path: /health/ready
            port: 8080
          initialDelaySeconds: 10    # Wait for app to start
          periodSeconds: 5           # Check every 5s
          timeoutSeconds: 3          # 3s timeout per check
          successThreshold: 1        # 1 success = ready
          failureThreshold: 3        # 3 failures = not ready
        lifecycle:
          preStop:
            exec:
              command:
              - /bin/sh
              - -c
              - |
                # Fail readiness probe immediately
                touch /tmp/shutdown
                # Wait for load balancer to update
                sleep 15

Readiness probe endpoint implementation:

// Go example
func readinessHandler(w http.ResponseWriter, r *http.Request) {
    // Check if shutdown initiated
    if _, err := os.Stat("/tmp/shutdown"); err == nil {
        http.Error(w, "Shutting down", http.StatusServiceUnavailable)
        return
    }
    
    // Check application readiness (NOT dependencies)
    if !app.IsReady() {
        http.Error(w, "Not ready", http.StatusServiceUnavailable)
        return
    }
    
    w.WriteHeader(http.StatusOK)
    w.Write([]byte("OK"))
}

Critical rule: Never depend on downstream services in readiness probes. If a database restarts, removing healthy pods from load balancers makes the outage worse.

4.8.2 Liveness Probe (Container Health Check)

Purpose: “Is the container healthy, or should we restart it?”

When to use: Only when your application can deadlock and needs restart to recover.

When NOT to use: If you don’t know why you need it, don’t configure it.

Best practices:

containers:
- name: app
  image: my-app:latest
  livenessProbe:
    httpGet:
      path: /health/live    # Different from readiness!
      port: 8080
    initialDelaySeconds: 60  # Give app time to start
    periodSeconds: 30        # Check every 30s (less frequent than readiness)
    timeoutSeconds: 5
    failureThreshold: 3      # 3 failures before restart

Liveness probe implementation:

func livenessHandler(w http.ResponseWriter, r *http.Request) {
    // Only check internal application health
    // Never check dependencies (databases, external APIs)
    
    if app.IsDeadlocked() {
        http.Error(w, "Deadlocked", http.StatusInternalServerError)
        return
    }
    
    w.WriteHeader(http.StatusOK)
    w.Write([]byte("OK"))
}

Critical rules:

• Never use the same endpoint for liveness and readiness
• Never check external dependencies in liveness probes
• Use conservative timeouts to avoid false positives under load

4.8.3 Startup Probe (Slow-Starting Applications)

Purpose: “Should we start running the liveness probe now?”

Use case: Applications that take longer to start than liveness probe allows.

containers:
- name: slow-app
  image: java-app:latest
  startupProbe:
    httpGet:
      path: /health/startup
      port: 8080
    initialDelaySeconds: 30
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 30      # Allow 5 minutes for startup (30 * 10s)
  livenessProbe:
    httpGet:
      path: /health/live
      port: 8080
    periodSeconds: 30
    timeoutSeconds: 5
    failureThreshold: 3

4.8.4 Probe Failure Troubleshooting

Common probe failures:

1. Readiness probe failing during load: ```bash

   Check probe configuration

   kubectl describe pod

Check application logs

kubectl logs --previous

Test probe endpoint manually

kubectl exec -- curl -f http://localhost:8080/health/ready

2. **Liveness probe causing restart loops:**
```bash
# Check restart count
kubectl get pods -o wide

# Check events
kubectl describe pod <pod-name>

# Increase probe timeouts temporarily
kubectl patch deployment <deployment> -p '{
  "spec": {
    "template": {
      "spec": {
        "containers": [{
          "name": "<container>",
          "livenessProbe": {
            "timeoutSeconds": 10,
            "failureThreshold": 5
          }
        }]
      }
    }
  }
}'

1. Startup probe preventing application start: ```bash

   Check startup probe status

   kubectl get pods -o jsonpath=’{.items[*].status.conditions[?(@.type==”Ready”)].message}’

Extend startup probe timeout

kubectl patch deployment -p '{ "spec": { "template": { "spec": { "containers": [{ "name": "", "startupProbe": { "failureThreshold": 60 } }] } } } }'

## 5. Storage and persistent volumes

Storage failures are different from everything else in this guide: they can mean data loss, not just downtime. What follows is the operational reality of running stateful workloads on EKS — the failure modes that catch teams off-guard.

---

### 5.1 EBS CSI Driver (The Critical Path for Stateful Workloads)

The EBS CSI driver is what makes persistent volumes work in EKS. When it fails, StatefulSets can't start, volumes can't attach, and data becomes inaccessible.

#### 5.1.1 EBS CSI Architecture and Failure Points

[Pod with PVC] ↓ (volume mount request) [Kubelet] ↓ (CSI calls) [EBS CSI Node Plugin] ↓ (AWS API calls) [EBS Volume Attach/Mount]

**Each layer can fail:**
* **Pod level**: Wrong PVC references, security context issues
* **Kubelet level**: Mount failures, device path issues
* **CSI level**: Controller crashes, node plugin issues, IAM permissions
* **AWS level**: EBS limits, AZ constraints, volume states

#### 5.1.2 Common EBS CSI Failure Modes

**A) Pods stuck in ContainerCreating**

**Symptoms:**
```bash
kubectl get pods | grep ContainerCreating
kubectl describe pod <pod-name>
# Shows: FailedMount, timeout waiting for volume to be attached

Root causes:

• Volume already attached to another node
• AZ mismatch between pod and volume
• EBS CSI controller/node plugin unhealthy
• IAM permissions missing

Diagnosis:

# Check CSI components
kubectl -n kube-system get pods | grep ebs-csi
kubectl -n kube-system logs deployment/ebs-csi-controller
kubectl -n kube-system logs daemonset/ebs-csi-node

# Check volume attachment status
kubectl get volumeattachment
kubectl describe volumeattachment <va-name>

# Check AWS side
aws ec2 describe-volumes --volume-ids <volume-id>

B) Volume attachment timeouts

Symptoms:

• Pods fail to start after node replacement
• “Multi-Attach error for volume” messages
• Long delays in pod scheduling

Common scenario:

1. Node fails/terminates unexpectedly
2. EBS volume remains “attached” to dead node
3. New pod can’t attach volume until detached
4. Detachment can take 6+ minutes

Force detachment (emergency):

# Find the volume
kubectl get pv <pv-name> -o jsonpath='{.spec.csi.volumeHandle}'

# Force detach from AWS side
aws ec2 detach-volume --volume-id <volume-id> --force

# Delete stale VolumeAttachment
kubectl delete volumeattachment <va-name>

5.1.3 EBS CSI Configuration and Tuning

Essential CSI controller configuration:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ebs-csi-controller
  namespace: kube-system
spec:
  template:
    spec:
      containers:
      - name: ebs-plugin
        args:
        - controller
        - --endpoint=$(CSI_ENDPOINT)
        - --logtostderr
        - --v=2
        - --timeout=60s  # Increase for slow EBS operations
        env:
        - name: AWS_REGION
          value: us-west-2
        resources:
          requests:
            cpu: 10m
            memory: 40Mi
          limits:
            cpu: 100m
            memory: 256Mi

Node plugin tuning for high-density workloads:

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: ebs-csi-node
  namespace: kube-system
spec:
  template:
    spec:
      containers:
      - name: ebs-plugin
        args:
        - node
        - --endpoint=$(CSI_ENDPOINT)
        - --logtostderr
        - --v=2
        resources:
          requests:
            cpu: 10m
            memory: 40Mi
          limits:
            cpu: 100m
            memory: 256Mi
        securityContext:
          privileged: true
        volumeMounts:
        - name: kubelet-dir
          mountPath: /var/lib/kubelet
          mountPropagation: "Bidirectional"

5.2 Storage Classes and Dynamic Provisioning

5.2.1 Production Storage Class Configuration

GP3 with proper defaults:

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: gp3-retain
  annotations:
    storageclass.kubernetes.io/is-default-class: "true"
provisioner: ebs.csi.aws.com
parameters:
  type: gp3
  iops: "3000"        # Baseline IOPS
  throughput: "125"   # MB/s
  encrypted: "true"
  kmsKeyId: "alias/ebs-encryption-key"
reclaimPolicy: Retain  # Prevent accidental data loss
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer  # Critical for AZ placement

High-performance storage for databases:

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: io2-high-perf
provisioner: ebs.csi.aws.com
parameters:
  type: io2
  iops: "10000"
  encrypted: "true"
reclaimPolicy: Retain
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer

5.2.2 Volume Binding Mode Implications

Immediate vs WaitForFirstConsumer:

Immediate (default):

• Volume created immediately when PVC is created
• Can cause AZ mismatch if pod scheduled to different AZ
• Good for pre-provisioning scenarios

WaitForFirstConsumer (recommended):

• Volume created only when pod is scheduled
• Ensures volume and pod are in same AZ
• Required for multi-AZ clusters

AZ mismatch failure example:

# PVC created with Immediate binding in us-west-2a
kubectl get pv <pv-name> -o jsonpath='{.metadata.labels.topology\.ebs\.csi\.aws\.com/zone}'
# Output: us-west-2a

# Pod scheduled to us-west-2b
kubectl get pod <pod-name> -o wide
# Shows node in us-west-2b

# Result: FailedMount due to AZ mismatch

5.3 StatefulSets and Persistent Volume Lifecycle

5.3.1 StatefulSet Volume Management

Proper StatefulSet with volume claims:

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: database
spec:
  serviceName: database
  replicas: 3
  template:
    spec:
      containers:
      - name: db
        image: postgres:13
        volumeMounts:
        - name: data
          mountPath: /var/lib/postgresql/data
        env:
        - name: POSTGRES_DB
          value: myapp
        - name: PGDATA
          value: /var/lib/postgresql/data/pgdata
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes: ["ReadWriteOnce"]
      storageClassName: gp3-retain
      resources:
        requests:
          storage: 100Gi

5.3.2 StatefulSet Scaling and Volume Orphaning

The orphaned PVC problem: When you scale down a StatefulSet, PVCs are NOT automatically deleted:

# Scale down from 5 to 3 replicas
kubectl scale statefulset database --replicas=3

# PVCs for database-3 and database-4 remain
kubectl get pvc | grep database
# database-data-0   Bound
# database-data-1   Bound  
# database-data-2   Bound
# database-data-3   Bound  # Orphaned!
# database-data-4   Bound  # Orphaned!

Manual cleanup required:

# Delete orphaned PVCs (DANGEROUS - data loss!)
kubectl delete pvc database-data-3 database-data-4

# Or retain for potential scale-up
# PVCs will be reused if you scale back up

5.3.3 StatefulSet Rolling Updates and Volume Safety

Safe rolling update configuration:

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: database
spec:
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1  # Never update more than 1 pod at a time
  podManagementPolicy: OrderedReady  # Wait for each pod to be ready

Volume expansion during updates:

# Expand PVC (requires allowVolumeExpansion: true)
kubectl patch pvc database-data-0 -p '{"spec":{"resources":{"requests":{"storage":"200Gi"}}}}'

# Check expansion status
kubectl describe pvc database-data-0
# Look for: FileSystemResizePending or FileSystemResizeSuccessful

# May require pod restart to complete filesystem resize
kubectl delete pod database-0  # StatefulSet will recreate it

5.4 Backup and Disaster Recovery

5.4.1 EBS Snapshot-Based Backups

Volume Snapshot Class:

apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshotClass
metadata:
  name: ebs-snapshot-class
driver: ebs.csi.aws.com
deletionPolicy: Retain  # Keep snapshots even if VolumeSnapshot is deleted
parameters:
  tagSpecification_1: "Name=CreatedBy,Value=EKS-CSI"
  tagSpecification_2: "Environment=Production"

Creating snapshots:

apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshot
metadata:
  name: database-backup-20240126
spec:
  volumeSnapshotClassName: ebs-snapshot-class
  source:
    persistentVolumeClaimName: database-data-0

Restoring from snapshot:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: database-restored
spec:
  accessModes:
  - ReadWriteOnce
  storageClassName: gp3-retain
  resources:
    requests:
      storage: 100Gi
  dataSource:
    name: database-backup-20240126
    kind: VolumeSnapshot
    apiGroup: snapshot.storage.k8s.io

5.4.2 Application-Consistent Backups

Pre/post hooks for database consistency:

apiVersion: v1
kind: Pod
metadata:
  name: postgres-with-backup-hooks
  annotations:
    pre.hook.backup.velero.io/command: '["/bin/bash", "-c", "PGPASSWORD=$POSTGRES_PASSWORD pg_dump -h localhost -U $POSTGRES_USER $POSTGRES_DB > /backup/dump.sql"]'
    post.hook.backup.velero.io/command: '["/bin/bash", "-c", "rm -f /backup/dump.sql"]'
spec:
  containers:
  - name: postgres
    image: postgres:13
    volumeMounts:
    - name: data
      mountPath: /var/lib/postgresql/data
    - name: backup
      mountPath: /backup

5.4.3 Cross-Region Backup Strategy

Automated cross-region snapshot copying:

#!/bin/bash
# Copy EBS snapshots to DR region
SOURCE_REGION="us-west-2"
DR_REGION="us-east-1"

# Get recent snapshots
SNAPSHOTS=$(aws ec2 describe-snapshots \
  --region $SOURCE_REGION \
  --owner-ids self \
  --filters "Name=tag:Environment,Values=Production" \
  --query 'Snapshots[?StartTime>=`2024-01-25`].SnapshotId' \
  --output text)

for snapshot in $SNAPSHOTS; do
  echo "Copying $snapshot to $DR_REGION"
  aws ec2 copy-snapshot \
    --region $DR_REGION \
    --source-region $SOURCE_REGION \
    --source-snapshot-id $snapshot \
    --description "DR copy of $snapshot"
done

5.5 Performance and Monitoring

5.5.1 EBS Performance Characteristics

IOPS and throughput limits by volume type:

Instance-level limits also apply:

# Check instance storage performance limits
aws ec2 describe-instance-types \
  --instance-types m5.large \
  --query 'InstanceTypes[0].EbsInfo'

5.5.2 Storage Performance Monitoring

Key metrics to monitor:

# Prometheus recording rules for storage
groups:
- name: storage-performance
  rules:
  - record: ebs:iops_utilization
    expr: rate(node_disk_reads_completed_total[5m]) + rate(node_disk_writes_completed_total[5m])
    
  - record: ebs:throughput_utilization  
    expr: rate(node_disk_read_bytes_total[5m]) + rate(node_disk_written_bytes_total[5m])
    
  - record: ebs:latency_p99
    expr: histogram_quantile(0.99, rate(node_disk_io_time_seconds_total[5m]))

Storage alerts:

groups:
- name: storage-alerts
  rules:
  - alert: HighDiskLatency
    expr: ebs:latency_p99 > 0.1  # 100ms
    for: 5m
    labels:
      severity: warning
    annotations:
      summary: "High disk latency detected"
      
  - alert: EBSVolumeStuck
    expr: increase(kubelet_volume_stats_available_bytes[10m]) == 0
    for: 10m
    labels:
      severity: critical
    annotations:
      summary: "EBS volume appears stuck"

5.5.3 Storage Capacity Management

Automatic PVC expansion:

apiVersion: v1
kind: ConfigMap
metadata:
  name: pvc-autoresizer-config
data:
  config.yaml: |
    intervals:
      - name: "5min"
        interval: 5m
    rules:
      - name: "expand-when-80-percent-full"
        selector:
          matchLabels:
            app: database
        thresholds:
          - threshold: 80
            increase: "20%"
          - threshold: 90
            increase: "50%"

5.6 Multi-AZ and Cross-AZ Storage Patterns

5.6.1 EBS Volume AZ Constraints

The fundamental constraint: EBS volumes are AZ-specific and cannot be attached to instances in different AZs.

Impact on StatefulSets:

# This will fail if pods get scheduled across AZs
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: database
spec:
  replicas: 3
  template:
    spec:
      # No AZ constraints = pods can land anywhere
      # But PVCs are bound to specific AZs
      containers:
      - name: db
        image: postgres:13

Solution - AZ-aware scheduling:

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: database
spec:
  replicas: 3
  template:
    spec:
      topologySpreadConstraints:
      - maxSkew: 1
        topologyKey: topology.kubernetes.io/zone
        whenUnsatisfiable: DoNotSchedule
        labelSelector:
          matchLabels:
            app: database
      containers:
      - name: db
        image: postgres:13

5.6.2 Cross-AZ Data Replication Patterns

For databases requiring cross-AZ replication:

# Primary in us-west-2a
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: postgres-primary
spec:
  replicas: 1
  template:
    spec:
      nodeSelector:
        topology.kubernetes.io/zone: us-west-2a
      containers:
      - name: postgres
        image: postgres:13
        env:
        - name: POSTGRES_REPLICATION_MODE
          value: master

---
# Replica in us-west-2b  
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: postgres-replica
spec:
  replicas: 1
  template:
    spec:
      nodeSelector:
        topology.kubernetes.io/zone: us-west-2b
      containers:
      - name: postgres
        image: postgres:13
        env:
        - name: POSTGRES_REPLICATION_MODE
          value: slave
        - name: POSTGRES_MASTER_SERVICE
          value: postgres-primary

5.7 Storage Troubleshooting Runbooks

5.7.1 “Pod stuck in ContainerCreating” Runbook

Symptoms: Pod won’t start, stuck in ContainerCreating state

Step 1: Check pod events

kubectl describe pod <pod-name>
# Look for: FailedMount, timeout, volume attachment errors

Step 2: Check PVC status

kubectl get pvc <pvc-name>
kubectl describe pvc <pvc-name>
# Status should be "Bound"

Step 3: Check VolumeAttachment

kubectl get volumeattachment
kubectl describe volumeattachment <va-name>
# Look for attachment errors

Step 4: Check CSI components

kubectl -n kube-system get pods | grep ebs-csi
kubectl -n kube-system logs deployment/ebs-csi-controller
kubectl -n kube-system logs daemonset/ebs-csi-node -c ebs-plugin

Step 5: Check AWS EBS volume

# Get volume ID from PV
kubectl get pv <pv-name> -o jsonpath='{.spec.csi.volumeHandle}'

# Check volume status
aws ec2 describe-volumes --volume-ids <volume-id>
# State should be "available" or "in-use"

5.7.2 “Volume attachment timeout” Runbook

Symptoms: Long delays in pod startup, attachment timeout errors

Step 1: Identify stuck attachment

kubectl get volumeattachment -o wide
# Look for old attachments with "Attaching" status

Step 2: Check if volume is stuck on dead node

aws ec2 describe-volumes --volume-ids <volume-id> \
  --query 'Volumes[0].Attachments'
# Check if attached to non-existent instance

Step 3: Force detachment (if safe)

# Verify the instance is really dead
aws ec2 describe-instances --instance-ids <instance-id>

# Force detach
aws ec2 detach-volume --volume-id <volume-id> --force

# Clean up VolumeAttachment
kubectl delete volumeattachment <va-name>

Step 4: Verify pod can start

kubectl get pod <pod-name>
# Should transition to Running

5.7.3 “PVC expansion stuck” Runbook

Symptoms: PVC shows larger size but pod still sees old size

Step 1: Check PVC conditions

kubectl describe pvc <pvc-name>
# Look for: FileSystemResizePending, VolumeResizeSuccessful

Step 2: Check if pod restart is needed

# Some filesystems require pod restart to complete resize
kubectl get pod <pod-name> -o jsonpath='{.metadata.creationTimestamp}'
kubectl get pvc <pvc-name> -o jsonpath='{.status.conditions[?(@.type=="FileSystemResizePending")].lastTransitionTime}'

Step 3: Restart pod if needed

kubectl delete pod <pod-name>
# StatefulSet/Deployment will recreate it

Step 4: Verify expansion completed

kubectl exec <pod-name> -- df -h /data
# Should show new size

6. Observability and monitoring

When monitoring is broken you can’t tell the difference between “the app is slow” and “the cluster is degraded”. This is about building observability that actually helps during incidents, not dashboards that look good in screenshots.

6.1 The EKS Observability Stack (What You Actually Need)

6.1.1 Metrics Collection Architecture

[Application Metrics] → [Prometheus] → [Long-term Storage] → [Alerting/Dashboards]
[System Metrics] → [Node Exporter] ↗
[Kubernetes Metrics] → [kube-state-metrics] ↗
[AWS Metrics] → [CloudWatch] → [Prometheus via adapter] ↗

You need metrics at multiple layers because EKS failures can happen at any level:

• Application layer (your code)
• Kubernetes layer (pods, services, ingress)
• Node layer (CPU, memory, disk, network)
• AWS layer (EBS, ENI, load balancers)

6.1.2 Essential Metrics Components

Core Prometheus stack:

# Prometheus server configuration
apiVersion: v1
kind: ConfigMap
metadata:
  name: prometheus-config
data:
  prometheus.yml: |
    global:
      scrape_interval: 15s
      evaluation_interval: 15s
    
    rule_files:
    - "/etc/prometheus/rules/*.yml"
    
    scrape_configs:
    # Kubernetes API server
    - job_name: 'kubernetes-apiservers'
      kubernetes_sd_configs:
      - role: endpoints
      scheme: https
      tls_config:
        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
      bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
      relabel_configs:
      - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
        action: keep
        regex: default;kubernetes;https
    
    # Node metrics
    - job_name: 'kubernetes-nodes'
      kubernetes_sd_configs:
      - role: node
      relabel_configs:
      - action: labelmap
        regex: __meta_kubernetes_node_label_(.+)
    
    # Pod metrics
    - job_name: 'kubernetes-pods'
      kubernetes_sd_configs:
      - role: pod
      relabel_configs:
      - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
        action: keep
        regex: true
      - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
        action: replace
        target_label: __metrics_path__
        regex: (.+)

Node exporter for system metrics:

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: node-exporter
spec:
  selector:
    matchLabels:
      app: node-exporter
  template:
    metadata:
      labels:
        app: node-exporter
    spec:
      hostNetwork: true
      hostPID: true
      containers:
      - name: node-exporter
        image: prom/node-exporter:v1.6.1
        args:
        - --path.procfs=/host/proc
        - --path.sysfs=/host/sys
        - --path.rootfs=/host/root
        - --collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($$|/)
        - --collector.netdev.device-exclude=^(veth.*|docker.*|br-.*|lo)$$
        - --collector.conntrack  # Critical for connection tracking issues
        - --collector.ethtool     # AWS ENA metrics
        - --collector.ethtool.metrics-include=^(ena_.*|.*_exceeded)$$
        ports:
        - containerPort: 9100
          hostPort: 9100
        volumeMounts:
        - name: proc
          mountPath: /host/proc
          readOnly: true
        - name: sys
          mountPath: /host/sys
          readOnly: true
        - name: root
          mountPath: /host/root
          readOnly: true
      volumes:
      - name: proc
        hostPath:
          path: /proc
      - name: sys
        hostPath:
          path: /sys
      - name: root
        hostPath:
          path: /

6.2 EKS-Specific Monitoring (The Metrics That Matter)

6.2.1 Control Plane Monitoring

API Server health:

# Critical API server alerts
groups:
- name: kubernetes-apiserver
  rules:
  - alert: KubernetesApiServerDown
    expr: up{job="kubernetes-apiservers"} == 0
    for: 5m
    labels:
      severity: critical
    annotations:
      summary: "Kubernetes API server is down"
      
  - alert: KubernetesApiServerLatency
    expr: histogram_quantile(0.99, sum(rate(apiserver_request_duration_seconds_bucket[5m])) by (le, verb)) > 1
    for: 10m
    labels:
      severity: warning
    annotations:
      summary: "Kubernetes API server high latency"
      
  - alert: KubernetesApiServerErrors
    expr: sum(rate(apiserver_request_total{code=~"5.."}[5m])) / sum(rate(apiserver_request_total[5m])) > 0.05
    for: 5m
    labels:
      severity: critical
    annotations:
      summary: "Kubernetes API server error rate > 5%"

6.2.2 Node-Level Monitoring

AWS-specific node metrics:

# AWS ENA network limits
groups:
- name: aws-node-limits
  rules:
  - alert: AWSNetworkLimitExceeded
    expr: rate(node_ethtool_conntrack_allowance_exceeded[5m]) > 0
    for: 1m
    labels:
      severity: critical
    annotations:
      summary: "AWS connection tracking limit exceeded on "
      
  - alert: AWSLinkLocalLimitExceeded
    expr: rate(node_ethtool_linklocal_allowance_exceeded[5m]) > 5
    for: 1m
    labels:
      severity: warning
    annotations:
      summary: "AWS link-local rate limit exceeded on "
      
  - alert: AWSBandwidthLimitExceeded
    expr: rate(node_ethtool_bw_in_allowance_exceeded[5m]) > 0 or rate(node_ethtool_bw_out_allowance_exceeded[5m]) > 0
    for: 1m
    labels:
      severity: warning
    annotations:
      summary: "AWS bandwidth limit exceeded on "

Connection tracking monitoring:

# Conntrack exhaustion alerts
- alert: ConntrackTableFull
  expr: (node_nf_conntrack_entries / node_nf_conntrack_entries_limit) > 0.8
  for: 5m
  labels:
    severity: warning
  annotations:
    summary: "Conntrack table 80% full on "
    
- alert: ConntrackTableNearlyFull
  expr: (node_nf_conntrack_entries / node_nf_conntrack_entries_limit) > 0.95
  for: 1m
  labels:
    severity: critical
  annotations:
    summary: "Conntrack table 95% full on "

6.2.3 Pod and Container Monitoring

Container resource monitoring:

# Container resource alerts
groups:
- name: container-resources
  rules:
  - alert: ContainerHighCPUUsage
    expr: (sum(rate(container_cpu_usage_seconds_total{container!=""}[5m])) by (namespace, pod, container) / sum(container_spec_cpu_quota{container!=""}/container_spec_cpu_period{container!=""}) by (namespace, pod, container)) > 0.9
    for: 5m
    labels:
      severity: warning
    annotations:
      summary: "Container // high CPU usage"
      
  - alert: ContainerHighMemoryUsage
    expr: (container_memory_working_set_bytes{container!=""} / container_spec_memory_limit_bytes{container!=""}) > 0.9
    for: 5m
    labels:
      severity: warning
    annotations:
      summary: "Container // high memory usage"
      
  - alert: ContainerOOMKilled
    expr: increase(kube_pod_container_status_restarts_total[5m]) > 0 and on(namespace, pod, container) kube_pod_container_status_last_terminated_reason{reason="OOMKilled"} == 1
    for: 0m
    labels:
      severity: warning
    annotations:
      summary: "Container // was OOM killed"

6.3 DNS and Service Discovery Monitoring

6.3.1 CoreDNS Performance Monitoring

CoreDNS metrics collection:

# CoreDNS monitoring
- job_name: 'coredns'
  kubernetes_sd_configs:
  - role: endpoints
  relabel_configs:
  - source_labels: [__meta_kubernetes_service_name]
    action: keep
    regex: kube-dns
  - source_labels: [__meta_kubernetes_endpoint_port_name]
    action: keep
    regex: metrics

CoreDNS alerts:

groups:
- name: coredns
  rules:
  - alert: CoreDNSDown
    expr: up{job="coredns"} == 0
    for: 1m
    labels:
      severity: critical
    annotations:
      summary: "CoreDNS is down"
      
  - alert: CoreDNSHighLatency
    expr: histogram_quantile(0.99, sum(rate(coredns_dns_request_duration_seconds_bucket[5m])) by (le)) > 0.1
    for: 5m
    labels:
      severity: warning
    annotations:
      summary: "CoreDNS high latency (99th percentile > 100ms)"
      
  - alert: CoreDNSHighErrorRate
    expr: sum(rate(coredns_dns_responses_total{rcode!="NOERROR"}[5m])) / sum(rate(coredns_dns_responses_total[5m])) > 0.05
    for: 5m
    labels:
      severity: warning
    annotations:
      summary: "CoreDNS error rate > 5%"

6.3.2 Service Discovery Health Checks

Synthetic DNS monitoring:

apiVersion: v1
kind: Pod
metadata:
  name: dns-monitor
  labels:
    app: dns-monitor
spec:
  containers:
  - name: monitor
    image: busybox
    command:
    - /bin/sh
    - -c
    - |
      while true; do
        # Test internal DNS
        if nslookup kubernetes.default.svc.cluster.local; then
          echo "internal_dns_success 1" | nc -u -w1 prometheus-pushgateway 9091
        else
          echo "internal_dns_success 0" | nc -u -w1 prometheus-pushgateway 9091
        fi
        
        # Test external DNS
        if nslookup google.com; then
          echo "external_dns_success 1" | nc -u -w1 prometheus-pushgateway 9091
        else
          echo "external_dns_success 0" | nc -u -w1 prometheus-pushgateway 9091
        fi
        
        sleep 30
      done

6.4 AWS Integration Monitoring

6.4.1 Load Balancer Monitoring

ALB/NLB CloudWatch metrics:

# CloudWatch exporter configuration for ALB metrics
apiVersion: v1
kind: ConfigMap
metadata:
  name: cloudwatch-exporter-config
data:
  config.yml: |
    region: us-west-2
    metrics:
    # ALB metrics
    - aws_namespace: AWS/ApplicationELB
      aws_metric_name: TargetResponseTime
      aws_dimensions: [LoadBalancer]
      aws_statistics: [Average]
      
    - aws_namespace: AWS/ApplicationELB
      aws_metric_name: HTTPCode_Target_5XX_Count
      aws_dimensions: [LoadBalancer]
      aws_statistics: [Sum]
      
    # NLB metrics  
    - aws_namespace: AWS/NetworkELB
      aws_metric_name: TCP_ELB_Reset_Count
      aws_dimensions: [LoadBalancer]
      aws_statistics: [Sum]
      
    # NAT Gateway metrics
    - aws_namespace: AWS/NatGateway
      aws_metric_name: IdleTimeoutCount
      aws_dimensions: [NatGatewayId]
      aws_statistics: [Sum]

Load balancer alerts:

groups:
- name: aws-loadbalancer
  rules:
  - alert: ALBHighLatency
    expr: aws_applicationelb_target_response_time_average > 1
    for: 5m
    labels:
      severity: warning
    annotations:
      summary: "ALB  high response time"
      
  - alert: ALBHighErrorRate
    expr: rate(aws_applicationelb_httpcode_target_5_xx_count_sum[5m]) > 10
    for: 5m
    labels:
      severity: critical
    annotations:
      summary: "ALB  high 5xx error rate"
      
  - alert: NLBConnectionResets
    expr: rate(aws_networkelb_tcp_elb_reset_count_sum[5m]) > 5
    for: 5m
    labels:
      severity: warning
    annotations:
      summary: "NLB  connection resets detected"

6.4.2 EBS and Storage Monitoring

EBS performance metrics:

# EBS CloudWatch metrics
- aws_namespace: AWS/EBS
  aws_metric_name: VolumeReadOps
  aws_dimensions: [VolumeId]
  aws_statistics: [Sum]
  
- aws_namespace: AWS/EBS
  aws_metric_name: VolumeWriteOps
  aws_dimensions: [VolumeId]
  aws_statistics: [Sum]
  
- aws_namespace: AWS/EBS
  aws_metric_name: VolumeTotalReadTime
  aws_dimensions: [VolumeId]
  aws_statistics: [Sum]
  
- aws_namespace: AWS/EBS
  aws_metric_name: BurstBalance
  aws_dimensions: [VolumeId]
  aws_statistics: [Average]

Storage alerts:

groups:
- name: ebs-storage
  rules:
  - alert: EBSBurstBalanceLow
    expr: aws_ebs_burst_balance_average < 20
    for: 10m
    labels:
      severity: warning
    annotations:
      summary: "EBS volume  burst balance low"
      
  - alert: EBSHighLatency
    expr: (aws_ebs_volume_total_read_time_sum + aws_ebs_volume_total_write_time_sum) / (aws_ebs_volume_read_ops_sum + aws_ebs_volume_write_ops_sum) > 0.1
    for: 5m
    labels:
      severity: warning
    annotations:
      summary: "EBS volume  high latency"

6.5 Application Performance Monitoring

6.5.1 Golden Signals for Kubernetes Workloads

The four golden signals adapted for Kubernetes:

1. Latency - Request duration
2. Traffic - Request rate
3. Errors - Error rate
4. Saturation - Resource utilization

Application metrics instrumentation:

# Example application with Prometheus metrics
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-app
spec:
  template:
    metadata:
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics"
    spec:
      containers:
      - name: app
        image: myapp:latest
        ports:
        - containerPort: 8080
        env:
        - name: METRICS_ENABLED
          value: "true"

Golden signals alerts:

groups:
- name: golden-signals
  rules:
  # Latency
  - alert: HighRequestLatency
    expr: histogram_quantile(0.95, sum(rate(http_request_duration_seconds_bucket[5m])) by (le, service)) > 0.5
    for: 5m
    labels:
      severity: warning
    annotations:
      summary: "High request latency for "
      
  # Traffic
  - alert: LowTrafficVolume
    expr: sum(rate(http_requests_total[5m])) by (service) < 1
    for: 10m
    labels:
      severity: warning
    annotations:
      summary: "Low traffic volume for "
      
  # Errors
  - alert: HighErrorRate
    expr: sum(rate(http_requests_total{status=~"5.."}[5m])) by (service) / sum(rate(http_requests_total[5m])) by (service) > 0.05
    for: 5m
    labels:
      severity: critical
    annotations:
      summary: "High error rate for "
      
  # Saturation
  - alert: HighCPUSaturation
    expr: avg(rate(container_cpu_usage_seconds_total[5m])) by (namespace, pod) > 0.8
    for: 5m
    labels:
      severity: warning
    annotations:
      summary: "High CPU saturation for /"

6.5.2 Distributed Tracing Integration

Jaeger deployment for EKS:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: jaeger
spec:
  template:
    spec:
      containers:
      - name: jaeger
        image: jaegertracing/all-in-one:latest
        env:
        - name: COLLECTOR_ZIPKIN_HTTP_PORT
          value: "9411"
        - name: SPAN_STORAGE_TYPE
          value: "elasticsearch"
        - name: ES_SERVER_URLS
          value: "http://elasticsearch:9200"
        ports:
        - containerPort: 16686  # UI
        - containerPort: 14268  # HTTP collector
        - containerPort: 6831   # UDP agent

6.6 Log Aggregation and Analysis

6.6.1 Centralized Logging Architecture

Fluent Bit for log collection:

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: fluent-bit
spec:
  template:
    spec:
      containers:
      - name: fluent-bit
        image: fluent/fluent-bit:2.1.10
        volumeMounts:
        - name: varlog
          mountPath: /var/log
        - name: varlibdockercontainers
          mountPath: /var/lib/docker/containers
          readOnly: true
        - name: fluent-bit-config
          mountPath: /fluent-bit/etc/
        env:
        - name: FLUENT_ELASTICSEARCH_HOST
          value: "elasticsearch"
        - name: FLUENT_ELASTICSEARCH_PORT
          value: "9200"
      volumes:
      - name: varlog
        hostPath:
          path: /var/log
      - name: varlibdockercontainers
        hostPath:
          path: /var/lib/docker/containers
      - name: fluent-bit-config
        configMap:
          name: fluent-bit-config

Fluent Bit configuration:

apiVersion: v1
kind: ConfigMap
metadata:
  name: fluent-bit-config
data:
  fluent-bit.conf: |
    [SERVICE]
        Flush         1
        Log_Level     info
        Daemon        off
        Parsers_File  parsers.conf
        HTTP_Server   On
        HTTP_Listen   0.0.0.0
        HTTP_Port     2020

    [INPUT]
        Name              tail
        Path              /var/log/containers/*.log
        Parser            cri
        Tag               kube.*
        Refresh_Interval  5
        Mem_Buf_Limit     50MB
        Skip_Long_Lines   On

    [FILTER]
        Name                kubernetes
        Match               kube.*
        Kube_URL            https://kubernetes.default.svc:443
        Kube_CA_File        /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        Kube_Token_File     /var/run/secrets/kubernetes.io/serviceaccount/token
        Merge_Log           On
        K8S-Logging.Parser  On
        K8S-Logging.Exclude Off

    [OUTPUT]
        Name  es
        Match *
        Host  ${FLUENT_ELASTICSEARCH_HOST}
        Port  ${FLUENT_ELASTICSEARCH_PORT}
        Index fluent-bit
        Type  _doc