# EKS Issues

<details>

<summary>EKS creation fails with 'Cross-account pass role is not allowed.' in activity log</summary>

### Reason

This error happens if the AWS Cloud Account you have chosen at the time of cluster creation is different from the one where the cluster role and the node pool roles were created.

<img src="https://downloads.intercomcdn.com/i/o/287516988/b49ffc7be7c414dedc095686/gp-eks-cross-account-error.png" alt="" data-size="original">

### Resolution

Delete the cluster and recreate it by choosing the right AWS Account.

</details>

<details>

<summary>Application access endpoint is missing for application launched on EKS with ALB</summary>

### Scenario <a href="#h_9be640d810" id="h_9be640d810"></a>

When an application is launched on AWS EKS with ALB using gopaddle, the access endpoint for the application does not show a valid URL.

<img src="https://downloads.intercomcdn.com/i/o/513876076/7528f84bd23a6f24562e5779/Screenshot+2022-05-16+at+7.05.05+PM.png" alt="" data-size="original">

Under the application view page, the endpoint shows 'AWS Application Load Balancer'.

The application, the service, its replicas and containers are in a running state. However, an IngressWarning is observed on the application Activities page. Expanding the warning shows the error message "Failed build model due to WebIdentityErr: failed to retrieve credentials caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity status code: 403"

<img src="https://downloads.intercomcdn.com/i/o/513861939/577feeeae1016ccb4950b331/Screenshot+2022-05-16+at+6.49.01+PM.png" alt="" data-size="original">

### Reason <a href="#h_6c4022d5cc" id="h_6c4022d5cc"></a>

The ALB ARN used while creating the EKS cluster does not match the cluster details. On the cluster view page, open the Kube Master section and note down the Cluster ID and the region details.

<img src="https://downloads.intercomcdn.com/i/o/513874809/61cb02a4352fe54e82b7c556/Screenshot+2022-05-16+at+7.06.24+PM.png" alt="" data-size="original">

Then, in the ALB Cloud Formation Template section, look at the ARN in the Principal section of the AmazonEKSLoadBalancerControllerRole and verify that the cluster ID and the region details match.

<img src="https://downloads.intercomcdn.com/i/o/513874985/1b47db108c9aec3856bd2298/Screenshot+2022-05-16+at+7.06.39+PM.png" alt="" data-size="original">

A mismatch could be caused by uploading the wrong ALB Cloud Formation Template through the gopaddle UI at the time of installing the ALB controller in the newly created EKS cluster.

### Resolution <a href="#h_591179bd91" id="h_591179bd91"></a>

Currently gopaddle does not support updating the ARN. The cluster needs to be deleted and re-created. Once the new cluster is created, download the ALB template and make sure the right ALB template is uploaded while installing the ALB controller.

</details>

<details>

<summary>Creating an EKS Cluster fails with 'Cannot create a VPC'</summary>

### Scenario <a href="#scenario" id="scenario"></a>

Creating an EKS cluster through gopaddle fails with the error "Cannot create a VPC". The cluster moves to Unknown status and the Activity Logs show the messages below.

<img src="https://downloads.intercomcdn.com/i/o/214617242/39f8d97ccd2810285aee4c9b/gp-vpccreation-failed.png" alt="" data-size="original">

### Solution <a href="#solution" id="solution"></a>

The above issue could happen for various reasons. To identify the exact cause of failure, select the Stack Logs section and choose VPC Stack from the drop down. In this scenario, you can find the corresponding reason for CREATE\_FAILED as "API: ec2:ModifySubnetAttribute You are not authorized to perform this operation."

<img src="https://downloads.intercomcdn.com/i/o/214617342/88d99c7f9a851d6ed5a7255b/gp-subnetpermission-missing.png" alt="" data-size="original">

This indicates that the IAM User used to register the corresponding AWS Cloud Account needs ec2:ModifySubnetAttribute to update the subnets within the VPC. Once the IAM user is updated with the new permission, create a new cluster once again from the gopaddle portal.

</details>

<details>

<summary>Creating an EKS cluster fails with "The security token included in the request is invalid"</summary>

### Scenario <a href="#scenario" id="scenario"></a>

Creating an EKS cluster through gopaddle fails with the error "The security token included in the request is invalid". The cluster moves to Unknown status and the Activity Logs show the messages below.

<img src="https://downloads.intercomcdn.com/i/o/207092484/64286d5538e2dc17bac569a9/gp-eks-securitytoken.png" alt="" data-size="original">

### Solution <a href="#solution" id="solution"></a>

The above issue happens when either the master or the node pool ARN is incorrect. Recreate the Cluster with valid ARNs.

</details>

<details>

<summary>Node Pool is not created while creating an EKS Cluster</summary>

### Scenario

While creating an EKS cluster, the cluster moves to the Running state but the node pool is not created.

<img src="https://downloads.intercomcdn.com/i/o/208292432/2dbb4957b4b1ee5bd82e2dc3/eks-no-nodepool.png" alt="" data-size="original">

Under Activity Logs, the event GETTING\_EKS\_CLUSTER\_KUBEVERSION fails with a timeout message as shown below:

<img src="https://downloads.intercomcdn.com/i/o/208292550/a338d8145c9f78ad8321b20b/eks-gettingversion-failed.png" alt="" data-size="original">

In the Cloud Account section, Accessibility Check shows Failed status.

<img src="https://downloads.intercomcdn.com/i/o/208290846/f4fe8f1fd8f709d25ef45815/eks-unverified.png" alt="" data-size="original">

This happens when the EKS cluster takes too long to respond with its Kubernetes version. This may be due to network delays or because the EKS cluster is not yet in the ready state.

### Solution

Click on the Verify option next to Accessibility Check. Once the accessibility is verified, you can start creating a node pool under the Node Pool section.

<img src="https://downloads.intercomcdn.com/i/o/208293925/81095dc91d2fc17886d546b5/eks-verified.png" alt="" data-size="original">


</details>

<details>

<summary>Deleting a Node pool in EKS fails</summary>

### Scenario <a href="#scenario" id="scenario"></a>

Deleting a node pool in an EKS cluster fails and the node pool is moved to the "Failed" state; however, the nodes within the pool are deleted.

<img src="https://downloads.intercomcdn.com/i/o/182422597/5ad10ef2d70131af124ce940/gp-nodepool-delete-fail.png" alt="" data-size="original">

The Activity log shows the following failure message.

<img src="https://downloads.intercomcdn.com/i/o/182423047/fb064dbc00b74f2296a3d68b/gp-nodepool-activitylog.png" alt="" data-size="original">

This happens when an application is deployed on the EKS cluster and is scheduled on the node pool that is being deleted. The network interfaces for the node pool are not deleted automatically. The security group has a dependency on the network interface, and thus the node pool deletion fails with a Dependency Violation error.

### Solution <a href="#solution" id="solution"></a>

```
Deleting a nodepool when in use can cause unpredictable application behavior.
```

1. Detach and delete the network interfaces from the AWS console directly.
2. Delete the node pool from the gopaddle console or from the AWS console.

</details>

