
Coexistence with Security Groups Per Pod #233

@yuzujoe

Description


EKS has a feature called Security Groups Per Pod that allows you to set a unique security group for each pod.

When using this feature, the branch ENI is written to the pod's annotations, but when injecting APM using agent-operator, agent-operator also writes information to the annotations in the same way.

When these are used at the same time, the following error occurs and the Pod fails to start.

Warning  BranchENIAnnotationFailed  5s (x12 over 15s)  vpc-resource-controller  
failed to annotate pod with branch ENI details: Pod "<Pod Name>" is invalid: spec: 
Forbidden: pod updates may not change fields other than 
`spec.containers[*].image`,`spec.initContainers[*].image`,
`spec.activeDeadlineSeconds`,`spec.tolerations` 
(only additions to existing tolerations),`spec.terminationGracePeriodSeconds` 
(allow it to be set to 1 if it was previously negative)

At present, it seems that the only workaround is to use a normal APM, and I am looking for a workaround for this.

Thank you.
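The Forbidden message quoted above is the API server's pod-update validation: once a Pod exists, only the spec fields it lists may change, while metadata such as annotations can be updated freely. The Python check below is added here as an illustration (it is not code from this issue, from agent-operator or from vpc-resource-controller); it approximates that rule from the error text alone and shows why an update that only adds an annotation passes while one that also alters spec.containers is rejected with exactly this error. The sample Pod, annotation keys and sidecar container are constructed for the example.

```python
import copy
from typing import Dict, List

# Constructed sample Pod (not from the issue): one application container.
BASE_POD: Dict = {
    "metadata": {"name": "app-0", "annotations": {}},
    "spec": {
        "containers": [
            {"name": "app", "image": "registry.example/app:1.0",
             "env": [{"name": "MODE", "value": "prod"}]},
        ],
        "tolerations": [{"key": "dedicated", "operator": "Exists"}],
        "terminationGracePeriodSeconds": 30,
        "restartPolicy": "Always",
    },
}


def _image_only_change(old: List[Dict], new: List[Dict]) -> bool:
    """True when the two container lists differ only in `image`."""
    if len(old) != len(new):
        return False
    for o, n in zip(old, new):
        o2, n2 = dict(o), dict(n)
        o2.pop("image", None)
        n2.pop("image", None)
        if o2 != n2:
            return False
    return True


def forbidden_spec_changes(old_pod: Dict, new_pod: Dict) -> List[str]:
    """Return the spec fields changed in a way the API server rejects.

    Approximates the rule quoted in the error: only container images,
    activeDeadlineSeconds, additions to tolerations and a limited
    terminationGracePeriodSeconds change are allowed on an existing Pod.
    Metadata (including annotations) is never inspected, because the
    Forbidden error only concerns `spec`.
    """
    old = copy.deepcopy(old_pod.get("spec", {}))
    new = copy.deepcopy(new_pod.get("spec", {}))
    violations: List[str] = []

    for key in ("containers", "initContainers"):
        if not _image_only_change(old.pop(key, []), new.pop(key, [])):
            violations.append(f"spec.{key}")

    old.pop("activeDeadlineSeconds", None)  # may change freely
    new.pop("activeDeadlineSeconds", None)

    old_tol, new_tol = old.pop("tolerations", []), new.pop("tolerations", [])
    if new_tol[: len(old_tol)] != old_tol:  # existing entries must remain
        violations.append("spec.tolerations")

    old_tgps = old.pop("terminationGracePeriodSeconds", None)
    new_tgps = new.pop("terminationGracePeriodSeconds", None)
    negative_to_one = old_tgps is not None and old_tgps < 0 and new_tgps == 1
    if old_tgps != new_tgps and not negative_to_one:
        violations.append("spec.terminationGracePeriodSeconds")

    for key in sorted(set(old) | set(new)):  # everything else is immutable
        if old.get(key) != new.get(key):
            violations.append(f"spec.{key}")
    return violations


def with_annotation(pod: Dict, key: str, value: str) -> Dict:
    """The update a controller that only annotates the Pod sends back."""
    p = copy.deepcopy(pod)
    p.setdefault("metadata", {}).setdefault("annotations", {})[key] = value
    return p


def with_sidecar(pod: Dict, sidecar: Dict) -> Dict:
    """The same update, but with an extra container injected into spec."""
    p = with_annotation(pod, "example.com/apm-injected", "true")
    p["spec"]["containers"].append(sidecar)
    return p


def with_spec_field(pod: Dict, key: str, value) -> Dict:
    """Helper for trying out other spec changes against the rule."""
    p = copy.deepcopy(pod)
    p["spec"][key] = value
    return p


if __name__ == "__main__":
    # Annotation-only update: allowed, nothing in spec changed.
    ok = with_annotation(BASE_POD, "example.com/branch-eni", "eni-0abc")
    print("annotation only:", forbidden_spec_changes(BASE_POD, ok) or "allowed")
    # Annotation plus an injected container: rejected on spec.containers.
    bad = with_sidecar(BASE_POD, {"name": "apm", "image": "registry.example/apm:2"})
    print("annotation + sidecar:", forbidden_spec_changes(BASE_POD, bad))
```

To use this on a real cluster, dump the Pod as JSON before and after the failing update (for instance from the audit log or a `kubectl get pod -o json` taken at both points) and feed the two documents to `forbidden_spec_changes`; the returned field names tell you which part of the spec was touched alongside the annotation.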
