Tag: AWS

Amazon Web Services

ID	Title	Description	Category	Technology	Tags
CRE-2025-0026 Low Impact: 6/10 Mitigation: 1/10	AWS EBS CSI Driver fails to detach volume when VolumeAttachment has empty nodeName	In clusters using the AWS EBS CSI driver, the controller may fail to detach a volume if the associated VolumeAttachment resource has an empty `spec.nodeName`. This results in a log error and skipped detachment, which may block PVC reuse or node cleanup.	Storage	eks-nodeagent	ebs csi AWS Storage Public
CRE-2025-0029 Low Impact: 6/10 Mitigation: 5/10	Loki fails to retrieve AWS credentials when specifying S3 endpoint with IRSA	When deploying Grafana Loki with AWS S3 as the storage backend and specifying a custom S3 endpoint (e.g., for FIPS compliance or GovCloud regions), Loki may fail to retrieve AWS credentials via IAM Roles for Service Accounts (IRSA). This results in errors during startup or when attempting to upload index tables, preventing Loki from functioning correctly.	Storage	loki	Loki S3 AWS Irsa Storage Authentication Helm Public
CRE-2025-0057 Low Impact: 3/10 Mitigation: 1/10	Verbose Logging in AWS Network Policy Agent During Policy Verdicts	When using AWS Network Policy Agent with VPC CNI addon v1.17.1, the log message `failed to get caller` may appear frequently. This behavior correlates with policy verdicts being evaluated, and the volume increases in environments with higher traffic or more active policies. The issue does not indicate functional failure, but it increases log volume and may obscure real issues.	Logging Problems	eks-nodeagent	AWS VPC CNI Log Noise
CRE-2025-0061 Medium Impact: 7/10 Mitigation: 4/10	Karpenter Stability Issues on EKS During Leader Election	EKS may be able to handle steady, predictable scale, but struggles during large‑scale auto scaling events when many workloads and nodes are spinning up or down simultaneously. This instability affects components that implement leader election using the Kubernetes API, such as: aws‑load‑balancer‑controller karpenter keda‑operator ebs‑csi‑controller efs‑csi‑controller	Stability Problems	karpenter	Karpenter KEDA AWS EKS
CRE-2025-0112 Critical Impact: 10/10 Mitigation: 4/10	AWS VPC CNI Node IP Pool Depletion Crisis	Critical AWS VPC CNI node IP pool depletion detected causing cascading pod scheduling failures.This pattern indicates severe subnet IP address exhaustion combined with ENI allocation failures,leading to complete cluster networking breakdown. The failure sequence shows ipamd errors,kubelet scheduling failures, and controller-level pod creation blocks that render clustersunable to deploy new workloads, scale existing services, or recover from node failures.This represents one of the most severe Kubernetes infrastructure failures, often requiringimmediate manual intervention including subnet expansion, secondary CIDR provisioning,or emergency workload termination to restore cluster functionality.	VPC CNI Problems	aws-vpc-cni	AWS EKS Kubernetes Networking VPC CNI AWS CNI IP Exhaustion ENI Allocation Subnet Exhaustion Pod Scheduling Failure Cluster Paralysis AWS API Limits Known Problem Critical Infrastructure Service Outage Cascading Failure Capacity Exceeded Scalability Issue Revenue Impact Compliance Violation Threshold Exceeded Infrastructure Public
CRE-2025-0122 Critical Impact: 10/10 Mitigation: 6/10	AWS VPC CNI IP Address Exhaustion Crisis	Critical AWS VPC CNI IP address exhaustion detected. This pattern indicates cascading failureswhere subnet IP exhaustion leads to ENI allocation failures, pod scheduling failures, andcomplete service unavailability. The failure sequence shows IP allocation errors, ENI attachmentfailures, and resulting pod startup failures that affect cluster scalability and workload deployment.	Networking Problems	aws-vpc-cni	AWS VPC CNI Kubernetes Networking IP Exhaustion ENI Allocation Pod Scheduling Cluster Scaling High Availability Service Unavailability