Fix EKS Worker Nodes Not Joining the Cluster
Nodes stay missing from `kubectl get nodes`. Walk through aws-auth, IAM, security groups and user-data.
Problem
EC2 instances are running and healthy, but `kubectl get nodes` doesn't show them.
Root cause
- Node IAM role missing from the `aws-auth` ConfigMap.
- Node role lacks AmazonEKSWorkerNodePolicy or AmazonEC2ContainerRegistryReadOnly.
- Security groups don't allow node ↔ control plane traffic on 443.
- User-data bootstrap script never ran (wrong AMI or missing args).
Solution
Patch aws-auth
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::123:role/eks-node-role
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
```
Verify on the node
```bash
sudo journalctl -u kubelet -n 100 --no-pager
```
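
The first two root causes (the `aws-auth` mapping and the node role's managed policies) can be checked mechanically before touching the cluster. The script below is an added example, not part of the original page: the function names and the `NODE_ROLE_ARN` / `NODE_ROLE_NAME` variables are assumptions, the sample input is constructed, and the parser goes slightly beyond the manifest above by accepting the entry's keys in any order.

```bash
# Pipe real data in with:
#   kubectl -n kube-system get configmap aws-auth -o jsonpath='{.data.mapRoles}' \
#     | check_map_roles "$NODE_ROLE_ARN"
#   aws iam list-attached-role-policies --role-name "$NODE_ROLE_NAME" \
#     --query 'AttachedPolicies[].PolicyName' --output text | check_node_policies

# Reads mapRoles YAML on stdin; prints what the entry for the role ARN ($1) lacks.
check_map_roles() {
  [ -n "$1" ] || { echo "usage: check_map_roles ROLE_ARN" >&2; return 2; }
  awk -v arn="$1" '
    function flush() {                      # close the entry collected so far
      if (cur_arn == arn) { found = 1; user = cur_user; groups = cur_groups }
      cur_arn = cur_user = ""; cur_groups = " "
    }
    { gsub(/"/, ""); indent = match($0, /[^ ]/) - 1 }   # tolerate quoted scalars
    /^ *- / && (top == "" || indent == top) { flush(); top = indent }  # new entry
    /^ *- / && indent != top { cur_groups = cur_groups $NF " " }       # group item
    /rolearn:/  { cur_arn = $NF }
    /username:/ { cur_user = $NF }
    END {
      flush()
      if (!found) { print "MISSING rolearn " arn; exit 1 }
      if (user != "system:node:{{EC2PrivateDNSName}}") { print "BAD username " user; bad = 1 }
      if (!index(groups, " system:bootstrappers ")) { print "MISSING group system:bootstrappers"; bad = 1 }
      if (!index(groups, " system:nodes ")) { print "MISSING group system:nodes"; bad = 1 }
      exit bad + 0
    }'
}

# Reads attached policy names on stdin (whitespace separated); prints missing ones.
check_node_policies() {
  attached=" $(tr -s '[:space:]' ' ') "; missing=0
  for p in AmazonEKSWorkerNodePolicy AmazonEC2ContainerRegistryReadOnly; do
    case "$attached" in *" $p "*) ;; *) echo "MISSING policy $p"; missing=1 ;; esac
  done
  return "$missing"
}

# Constructed sample: keys in a different order than the manifest above,
# and the system:nodes group is absent.
SAMPLE='- groups:
  - system:bootstrappers
  rolearn: arn:aws:iam::123:role/eks-node-role
  username: system:node:{{EC2PrivateDNSName}}'
printf '%s\n' "$SAMPLE" | check_map_roles arn:aws:iam::123:role/eks-node-role || true
```

Both functions return non-zero when something is missing, so they can gate a deployment step as well as be run by hand.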