The EKS CNI (Container Network Interface) plugin fails to initialize on worker nodes, preventing pods from getting IP addresses and cluster nodes from becoming ready. This typically results from incompatible add-on versions, missing IAM permissions, network connectivity issues, or incorrect network configuration.
AWS EKS uses the Amazon VPC CNI plugin to assign IP addresses from your VPC to Kubernetes pods. This plugin runs as a DaemonSet (aws-node) on every worker node. When the CNI plugin fails to initialize, the kubelet cannot configure networking for containers, leaving nodes in NotReady status and preventing any pods from running. The error manifests when the plugin cannot load its configuration, reach the AWS API to allocate IP addresses, or when the add-on version does not match your Kubernetes cluster version. This is a fundamental networking issue that blocks cluster operations.
First, verify that your VPC CNI add-on version matches your Kubernetes cluster version. Check the installed add-ons in the AWS Management Console or via the CLI:
# Check installed EKS add-ons via CLI
aws eks describe-addon --cluster-name <cluster-name> --addon-name vpc-cni
Ensure the add-on version is compatible with your cluster version. If updating the add-on, use the conflict resolution method "Override" to force the update.
The worker node IAM role must include the AmazonEKS_CNI_Policy. Attach this managed policy if missing:
# Get the instance profile attached to the node, then resolve the role inside it
# (the instance profile name is not always identical to the role name)
NODE_PROFILE=$(aws ec2 describe-instances --instance-ids <instance-id> \
  --query 'Reservations[0].Instances[0].IamInstanceProfile.Arn' --output text | cut -d'/' -f2)
NODE_IAM_ROLE=$(aws iam get-instance-profile --instance-profile-name "$NODE_PROFILE" \
  --query 'InstanceProfile.Roles[0].RoleName' --output text)
# Attach the CNI policy
aws iam attach-role-policy --role-name "$NODE_IAM_ROLE" --policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
If you created the cluster with Terraform or CloudFormation, ensure the node IAM role includes this policy in the configuration.
Worker nodes must reach both the EKS API server endpoint and the EC2 API endpoint. SSH into a node and verify connectivity:
# SSH into the worker node (requires EC2 permissions)
ssh -i <key-pair> ec2-user@<node-ip>
# Test connectivity to the EKS API server (an HTTP 401/403 response still proves the TLS connection works)
curl -I https://<cluster-api-endpoint>:443
# Test connectivity to the EC2 API (the regional endpoint is ec2.<region>.amazonaws.com)
curl -I https://ec2.amazonaws.com/
# Check that security groups allow outbound 443
aws ec2 describe-security-groups --group-ids <sg-id>
Ensure your network ACLs and security groups allow outbound HTTPS (port 443) traffic.
Check if the CNI plugin configuration is properly loaded on the worker node:
# SSH into the worker node
ssh -i <key-pair> ec2-user@<node-ip>
# Check if the CNI config directory exists and has files
ls -la /etc/cni/net.d/
# Check aws-node pod logs for errors (run from a machine with kubectl access to the cluster)
kubectl logs -n kube-system -l k8s-app=aws-node --tail=100
# Check plugin logs for IP assignment errors
sudo tail -n 50 /var/log/aws-routed-eni/ipamd.log
sudo tail -n 50 /var/log/aws-routed-eni/plugin.log
If the logs show "Failed to reach IMDS" or "Failed to reach API", the node has a network access problem.
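To triage these logs quickly, especially across many nodes, here is an added example (not part of the original article) that classifies the error lines of a copy of ipamd.log. The sample log lines are constructed, and the IAM and IP-exhaustion patterns (UnauthorizedOperation, AccessDenied, InsufficientFreeAddressesInSubnet) are my assumptions about how those EC2 API failures surface in the log, not strings the article cites.

```shell
#!/usr/bin/env bash
# Classify aws-node CNI failures from ipamd.log / plugin.log lines.
# Usage: triage_cni_log /var/log/aws-routed-eni/ipamd.log
# Prints "<CATEGORY><TAB><log line>" for each error and returns 1 if any were found.
set -u

classify_line() {
    # "Failed to reach IMDS/API" are the strings the article ties to network access.
    # UnauthorizedOperation/AccessDenied (assumed, not from the article) point at a node
    # role missing AmazonEKS_CNI_Policy; InsufficientFreeAddressesInSubnet (assumed) at
    # an exhausted subnet. Other error-level lines are reported as UNKNOWN.
    case "$1" in
        *"Failed to reach IMDS"*|*"Failed to reach API"*) echo NETWORK ;;
        *UnauthorizedOperation*|*AccessDenied*)           echo IAM ;;
        *InsufficientFreeAddressesInSubnet*)               echo IPSPACE ;;
        *'"level":"error"'*)                               echo UNKNOWN ;;
        *)                                                 echo OK ;;
    esac
}

triage_cni_log() {
    local file="$1" found=0 line kind
    while IFS= read -r line || [ -n "$line" ]; do
        kind=$(classify_line "$line")
        [ "$kind" = OK ] && continue
        found=1
        printf '%s\t%s\n' "$kind" "$line"
    done < "$file"
    return "$found"
}

# Constructed sample log (not a real capture) so the script can be exercised offline.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
{"level":"info","ts":"2024-01-01T00:00:00Z","msg":"Starting L-IPAMD"}
{"level":"error","ts":"2024-01-01T00:00:01Z","msg":"Failed to reach IMDS: dial tcp 169.254.169.254:80: i/o timeout"}
{"level":"error","ts":"2024-01-01T00:00:02Z","msg":"AssignPrivateIpAddresses: UnauthorizedOperation"}
{"level":"error","ts":"2024-01-01T00:00:03Z","msg":"something unexpected"}
EOF

# Pass a real log path as the first argument; without one the constructed sample is used.
triage_cni_log "${1:-$SAMPLE_LOG}" || true
rm -f "$SAMPLE_LOG"
```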
EKS CNI allocates secondary IP addresses from your subnet. Verify you have enough available IPs:
# Check available IPs in subnet
aws ec2 describe-subnets --subnet-ids <subnet-id> --query 'Subnets[0].AvailableIpAddressCount'
# Calculate required IPs: (number of ENIs per node) * (secondary IPs per ENI - 1)
# Each node typically needs 10-100+ available IPs depending on pod density
If IP space is exhausted, do one of the following:
- Add additional subnets to your EKS cluster
- Use prefix delegation to allocate entire /28 blocks instead of individual IPs
- Increase your VPC CIDR block and add new subnets
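As an added example (not from the article), the script below applies the article's sizing rule to the text output of describe-subnets for several subnets and reports how many additional nodes each can host, both with individual secondary IPs and with /28 prefix delegation (16 addresses per prefix). It goes one step beyond the article by also counting each ENI's primary address, which is drawn from the same subnet. The instance limits (ENIs per node, IPs per ENI) and the subnet counts are constructed inputs.

```shell
#!/usr/bin/env bash
# Capacity check for EKS CNI IP space. Inputs are the ENI and IPv4-per-ENI limits of
# the node instance type (look them up for your type; the values below are constructed)
# and the AvailableIpAddressCount of each candidate subnet as printed by:
#   aws ec2 describe-subnets --subnet-ids ... \
#     --query 'Subnets[].[SubnetId,AvailableIpAddressCount]' --output text
set -eu

# Addresses one node draws from its subnet: each ENI consumes its primary address plus
# (ips_per_eni - 1) pod slots; in prefix-delegation mode a pod slot is a /28 (16 addresses).
ips_per_node() {           # enis ips_per_eni prefix_delegation(0|1)
    local enis=$1 per_eni=$2 pd=$3 slot=1
    [ "$pd" -eq 1 ] && slot=16
    echo $(( enis * (1 + (per_eni - 1) * slot) ))
}

# Pod IPs the same node offers, following the article's rule enis * (ips_per_eni - 1).
pod_ips_per_node() {       # enis ips_per_eni prefix_delegation(0|1)
    local enis=$1 per_eni=$2 pd=$3 slot=1
    [ "$pd" -eq 1 ] && slot=16
    echo $(( enis * (per_eni - 1) * slot ))
}

# Reads "subnet-id<TAB>available" lines on stdin; prints how many extra nodes fit in each.
# Caveat: prefix delegation needs free /28 blocks that are contiguous and aligned, so a
# fragmented subnet can report plenty of free addresses yet hold no usable /28.
nodes_that_fit() {         # enis ips_per_eni prefix_delegation(0|1)
    local need subnet avail; need=$(ips_per_node "$1" "$2" "$3")
    while read -r subnet avail; do
        printf '%s\t%d\n' "$subnet" $(( avail / need ))
    done
}

# Constructed describe-subnets output (not a real account).
SAMPLE=$'subnet-0aaa\t251\nsubnet-0bbb\t38\nsubnet-0ccc\t4'

# A constructed 3-ENI, 10-IP-per-ENI instance type, without and with prefix delegation.
printf 'node draws %s IPs, offers %s pod IPs\n' "$(ips_per_node 3 10 0)" "$(pod_ips_per_node 3 10 0)"
printf '%s\n' "$SAMPLE" | nodes_that_fit 3 10 0
printf 'prefix delegation: node draws %s IPs, offers %s pod IPs\n' "$(ips_per_node 3 10 1)" "$(pod_ips_per_node 3 10 1)"
printf '%s\n' "$SAMPLE" | nodes_that_fit 3 10 1
```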
If your worker nodes use a custom EC2 launch template, verify it does not override kubelet networking configuration:
# Check the user data script in your launch template
aws ec2 describe-launch-template-versions --launch-template-id <template-id> --versions All
The user data must not:
- Set --cni-bin-dir or --cni-conf-dir flags
- Start kubelet before the CNI plugin is ready
- Remove or modify /etc/cni/net.d/ files
If the launch template is causing issues, consider removing it and letting AWS use the default configuration, then replace the affected nodes as described in the next step.
Once you've addressed the root cause, drain and terminate the problematic nodes so new ones can join with the corrected configuration:
# Drain the node to evict all pods
kubectl drain <node-name> --ignore-daemonsets --delete-emptydir-data
# Terminate the node (if using an Auto Scaling Group); keep the desired capacity so the ASG replaces it
aws autoscaling terminate-instance-in-auto-scaling-group --instance-id <instance-id> --no-should-decrement-desired-capacity
# The ASG will automatically launch a replacement node
# Wait for it to join and become Ready
kubectl get nodes -w
Then verify that the new node initialized CNI successfully, for example by checking the aws-node logs as above.
Additional notes:
- On Bottlerocket OS, the CNI plugin location differs from standard AMIs; ensure you use Bottlerocket-specific configuration.
- If you upgraded your EKS cluster, the VPC CNI add-on may need manual updating with "Override" conflict resolution.
- For Windows nodes, the Windows VPC CNI has different initialization; only one ENI is supported per node.
- If using Karpenter for auto-scaling, ensure nodes are provisioned with the correct subnet configuration before launch templates interfere.
- For debugging IPAM (IP address management), check /var/log/aws-routed-eni/ipamd.log, which logs every IP allocation attempt.
- Prefix delegation mode (WARM_IP_TARGET and WARM_PREFIX_TARGET) can reduce pod startup latency; configure it via environment variables in the aws-node DaemonSet if your workload starts many pods rapidly.
- SELinux and AppArmor on worker nodes can block plugin execution; if hardening is required, coordinate with the security team on exceptions.
- The aws-node pod requires host network access; never add NetworkPolicies that block the kube-system namespace.