CNI metrics helper
The CNI metrics helper is a tool that you can use to scrape network interface and IP address information, aggregate metrics at the cluster level, and publish the metrics to Amazon CloudWatch. To learn more about the metrics helper, see cni-metrics-helper.
When managing an Amazon EKS cluster, you may want to know how many IP addresses have been assigned and how many are available. The CNI metrics helper helps you to:
- Track these metrics over time
- Troubleshoot and diagnose issues related to IP assignment and reclamation
- Provide insights for capacity planning
When a node is provisioned, the CNI plugin automatically allocates a pool of secondary IP addresses from the node's subnet to the primary network interface (eth0). This pool of IP addresses is known as the warm pool, and its size is determined by the node's instance type. For example, a c4.large instance can support three network interfaces and nine IP addresses per interface. The number of IP addresses available for a given pod is one less than the maximum (of ten) because one of the IP addresses is reserved for the elastic network interface itself. For more information, see IP Addresses Per Network Interface Per Instance Type in the Amazon EC2 User Guide for Linux Instances.
As the pool of IP addresses is depleted, the plugin automatically attaches another elastic network interface to the instance and allocates another set of secondary IP addresses to that interface. This process continues until the node can no longer support additional elastic network interfaces.
The following metrics are collected for your cluster and exported to CloudWatch:
- The maximum number of network interfaces that the cluster can support
- The number of network interfaces that have been allocated to pods
- The number of IP addresses currently assigned to pods
- The total and maximum numbers of IP addresses available
- The number of ipamD errors
Prerequisites
- An existing AWS Identity and Access Management (IAM) OpenID Connect (OIDC) provider for your cluster. To determine whether you already have one, or to create one, see Create an IAM OIDC provider for your cluster.
- Version 2.6.3 or later or 1.23.11 or later of the AWS CLI installed and configured on your computer or AWS CloudShell. For more information, see Installing, updating, and uninstalling the AWS CLI and Quick configuration with aws configure in the AWS Command Line Interface User Guide.
- The kubectl command line tool installed on your computer or AWS CloudShell. The version must be the same, or up to two versions later than your cluster version. To install or upgrade kubectl, see Installing kubectl.
- If your cluster is 1.21 or later, make sure that your Amazon VPC CNI, kube-proxy, and CoreDNS add-ons are at the minimum versions listed in Service account tokens.
Deploy the CNI metrics helper
Create an IAM policy and role and deploy the metrics helper.
To deploy the CNI metrics helper
- Create an IAM policy that grants the CNI metrics helper cloudwatch:PutMetricData permissions to send metric data to CloudWatch.
  - Copy the following contents to a file named cni-metrics-helper-policy.json.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "cloudwatch:PutMetricData"
          ],
          "Resource": "*"
        }
      ]
    }
  - Create an IAM policy named AmazonEKSVPCCNIMetricsHelperPolicy.
    aws iam create-policy --policy-name AmazonEKSVPCCNIMetricsHelperPolicy \
      --description "Grants permission to write metrics to CloudWatch" \
      --policy-document file://cni-metrics-helper-policy.json
- Create an IAM role and attach the IAM policy to it. Create a Kubernetes service account. Annotate the Kubernetes service account with the IAM role ARN and the IAM role with the Kubernetes service account name. You can create the role using eksctl or the AWS CLI.
- Use the following command for the AWS Region that your cluster is in to add the recommended version of the CNI metrics helper to your cluster.
  Important: You should only update one minor version at a time. For example, if your current minor version is 1.9 and you want to update to 1.11, you should update to 1.10 first, then update to 1.11 by changing the version number in one of the following commands. The recommended and latest version work with all Amazon EKS supported Kubernetes versions.
  China (Beijing) (cn-north-1) or China (Ningxia) (cn-northwest-1):
    kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.11.0/config/master/cni-metrics-helper-cn.yaml
  AWS GovCloud (US-East) (us-gov-east-1):
    kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.11.0/config/master/cni-metrics-helper-us-gov-east-1.yaml
  AWS GovCloud (US-West) (us-gov-west-1):
    kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.11.0/config/master/cni-metrics-helper-us-gov-west-1.yaml
  All other AWS Regions:
  - Download the manifest file.
    curl -o cni-metrics-helper.yaml https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.11.0/config/master/cni-metrics-helper.yaml
  - If your cluster isn't in us-west-2, then replace region-code in the following command with the AWS Region that your cluster is in and then run the modified command to replace us-west-2 in the file with your AWS Region.
    sed -i.bak -e 's/us-west-2/region-code/' cni-metrics-helper.yaml
  - If your cluster isn't in us-west-2, then replace the second 602401143452 in the following command with the account from Amazon container image registries for the AWS Region that your cluster is in and then run the modified command to replace 602401143452 in the file.
    sed -i.bak -e 's/602401143452/602401143452/' cni-metrics-helper.yaml
  - Apply the manifest file to your cluster.
    kubectl apply -f cni-metrics-helper.yaml
- Annotate the cni-metrics-helper Kubernetes service account created in a previous step with the ARN of the IAM role that you created previously. Replace 111122223333 with your account ID, my-cluster with your cluster name, and AmazonEKSVPCCNIMetricsHelperRole with the name of the IAM role that you created in a previous step.
  kubectl annotate serviceaccount cni-metrics-helper \
    -n kube-system \
    eks.amazonaws.com/role-arn=arn:aws:iam::111122223333:role/AmazonEKSVPCCNIMetricsHelperRole
- (Optional) Configure the AWS Security Token Service endpoint type used by your Kubernetes service account. For more information, see Configure the AWS Security Token Service endpoint for a service account.
- Restart the cni-metrics-helper deployment.
  kubectl rollout restart \
    deployment cni-metrics-helper \
    -n kube-system
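The role step above says to tie the IAM role to the service account name but does not show the trust policy that does so. The following script is an added example (not from the AWS documentation or the amazon-vpc-cni-k8s project) that builds that trust policy, performs the two manifest rewrites from the procedure, and chains the deployment commands; the account ID, OIDC issuer host, Region and registry account are assumed placeholders.

```shell
# Added example; ACCOUNT_ID, OIDC_HOST (issuer URL without "https://"), REGION
# and REGISTRY_ACCOUNT are assumed placeholders, not values from the AWS docs.

# Trust policy for the role: the "sub" condition restricts AssumeRoleWithWebIdentity
# to the kube-system/cni-metrics-helper service account only, so no other pod
# holding a projected token from this cluster can assume the role.
irsa_trust_policy() {
  account_id=$1; oidc_host=$2; namespace=$3; sa_name=$4
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::${account_id}:oidc-provider/${oidc_host}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
      "${oidc_host}:aud": "sts.amazonaws.com",
      "${oidc_host}:sub": "system:serviceaccount:${namespace}:${sa_name}"
    }}
  }]
}
EOF
}

# The two sed rewrites from the procedure, done in one pass into a new file so
# the downloaded manifest stays unchanged for later comparison.
localize_manifest() {
  src=$1; dst=$2; region=$3; registry_account=$4
  sed -e "s/us-west-2/${region}/g" -e "s/602401143452/${registry_account}/g" "$src" > "$dst"
}

# Full deployment; calls the real AWS CLI and kubectl, so it only runs on demand.
deploy_cni_metrics_helper() {
  account_id=$1; oidc_host=$2; region=$3; registry_account=$4
  role=AmazonEKSVPCCNIMetricsHelperRole
  irsa_trust_policy "$account_id" "$oidc_host" kube-system cni-metrics-helper > trust.json
  aws iam create-role --role-name "$role" --assume-role-policy-document file://trust.json
  aws iam attach-role-policy --role-name "$role" \
    --policy-arn "arn:aws:iam::${account_id}:policy/AmazonEKSVPCCNIMetricsHelperPolicy"
  curl -o cni-metrics-helper.yaml \
    https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.11.0/config/master/cni-metrics-helper.yaml
  localize_manifest cni-metrics-helper.yaml cni-metrics-helper.local.yaml "$region" "$registry_account"
  kubectl apply -f cni-metrics-helper.local.yaml
  kubectl annotate serviceaccount cni-metrics-helper -n kube-system \
    "eks.amazonaws.com/role-arn=arn:aws:iam::${account_id}:role/${role}"
  kubectl rollout restart deployment cni-metrics-helper -n kube-system
}

if [ "${1:-}" = deploy ]; then deploy_cni_metrics_helper "$2" "$3" "$4" "$5"; fi
```

Invoke it as `sh deploy.sh deploy ACCOUNT_ID OIDC_HOST REGION REGISTRY_ACCOUNT` after the policy from the first step exists. cloudwatch:PutMetricData has no resource-level permissions, which is why the page's policy uses Resource "*"; the cloudwatch:namespace condition key is the way to narrow it to the Kubernetes namespace the helper writes to.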
Creating a metrics dashboard
After you have deployed the CNI metrics helper, you can view the CNI metrics in the CloudWatch console. This topic helps you to create a dashboard for viewing your cluster's CNI metrics.
To create a CNI metrics dashboard
- Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.
- In the left navigation pane, choose Metrics and then select All metrics.
- Under Custom Namespaces, select Kubernetes.
- Select CLUSTER_ID.
- On the Metrics tab, select the metrics you want to add to the dashboard.
- At the upper right of the console, select Actions, and then Add to dashboard.
- In the Select a dashboard section, select Create new, enter a name for your dashboard, such as EKS-CNI-metrics, and then select Create.
- In the Widget type section, select Number.
- In the Customize widget title section, enter a logical name for your dashboard title, such as EKS CNI metrics.
- Select Add to dashboard to finish. Now your CNI metrics are added to a dashboard that you can monitor, as shown below.