CRE-2025-0057
Verbose Logging in AWS Network Policy Agent During Policy Verdicts
Severity: Low
Impact: 3/10
Mitigation: 1/10
Description
- When running the AWS Network Policy Agent with VPC CNI addon v1.17.1, the log message `failed to get caller` may appear frequently.
- The messages correlate with policy verdicts being evaluated, so their volume grows in environments with higher traffic or more active network policies.
- The issue does not indicate a functional failure, but it inflates log volume and can obscure real errors in the same log stream.
Cause
- A logging bug in version v1.1.1 of the AWS Network Policy Agent caused excessive error messages during policy verdict processing.
- The error message appears when the agent fails to resolve caller metadata but continues functioning normally.
Mitigation
- Upgrade to AWS Network Policy Agent v1.1.2 or later, where the issue is resolved.
- Upgrade the VPC CNI addon to v1.18.2 or later, which includes the fixed version of the agent.
- If an immediate upgrade is not possible, use log filtering or rate-limiting in your logging pipeline to reduce the noise.
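To show both the detection side (spotting bursts of this message) and the interim mitigation (rate-limiting it in the pipeline), here is an added example that is not part of the CRE record or the AWS agent code. The log line format and the sample lines are constructed, and the per-minute threshold and cap are assumed values.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines, assumed format: "<RFC3339 timestamp> <LEVEL> <message>".
SAMPLE_LOG = """\
2025-06-01T10:00:00Z ERROR failed to get caller
2025-06-01T10:00:00Z INFO  policy verdict allow src=10.0.1.5 dst=10.0.2.7
2025-06-01T10:00:01Z ERROR failed to get caller
2025-06-01T10:00:01Z ERROR failed to get caller
2025-06-01T10:00:02Z ERROR failed to get caller
2025-06-01T10:00:02Z INFO  policy verdict deny src=10.0.1.9 dst=10.0.2.7
2025-06-01T10:00:03Z ERROR failed to get caller
2025-06-01T10:01:10Z ERROR failed to get caller
"""

NOISE = re.compile(r"failed to get caller")          # the message named in the CRE
LINE_RE = re.compile(r"^(\S+) (\w+)\s+(.*)$")

def parse(line):
    """Return (timestamp, level, message) or None if the line does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return ts, m.group(2), m.group(3)

def noise_rate(lines):
    """Count 'failed to get caller' messages per minute bucket (detection signal)."""
    buckets = Counter()
    for line in lines:
        p = parse(line)
        if p and NOISE.search(p[2]):
            buckets[p[0].replace(second=0, microsecond=0)] += 1
    return buckets

def noisy_minutes(lines, threshold=3):
    """Minutes (ISO strings) in which the noise count reached the assumed threshold."""
    return [m.isoformat() for m, n in sorted(noise_rate(lines).items()) if n >= threshold]

def rate_limit(lines, max_per_minute=2):
    """Pass non-noise lines untouched; keep at most max_per_minute noise lines per minute
    and append one summary line per minute so the suppression itself stays visible."""
    kept, seen, dropped = [], Counter(), Counter()
    for line in lines:
        p = parse(line)
        if not p or not NOISE.search(p[2]):
            kept.append(line)
            continue
        minute = p[0].replace(second=0, microsecond=0)
        seen[minute] += 1
        (kept.append(line) if seen[minute] <= max_per_minute else dropped.update([minute]))
    for minute, n in sorted(dropped.items()):
        kept.append(f"{minute.isoformat()} INFO  suppressed {n} repeated 'failed to get caller' messages")
    return kept
```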