Overview
Overview This article resolves 401 Unauthorized probe failures specifically caused by a mismatch between the Kubernetes Service Account attestation values and the dynamic pod names generated by the Kubernetes deployment.
Relates To
Deployment: Kubernetes (Amazon EKS, GKE, Azure EKS, K8s Self-Hosted)
Component:
aembit-agent-controllerPort: 443 (Management/Health Port)
Cause
The Agent Controller fails attestation (resulting in a 401 probe failure) because the Trust Provider configuration is looking for an exact pod name match, but Kubernetes appends a dynamic hash (e.g., -d884df854-k2ztp) to the pod name upon deployment.
Solution:
Append Wildcard to Pod Name To ensure the Trust Provider correctly identifies the Controller pods regardless of the dynamic suffix, you must append a wildcard (*) to the pod name value.
Navigate to your Trust Provider settings in the Aembit UI.
Locate the field:
kubernetes.io { pod { name } }.Modify the value to include a trailing wildcard.
Incorrect:
aembit-agent-controllerCorrect:
aembit-agent-controller-*
Save the configuration and perform a Restart of the failing pod
kubectl delete pod <AGENT-CONTROLLER-POD-NAME> -n aembitROSA / OpenShift:
oc delete pod <AGENT-CONTROLLER-POD-NAME> -n aembit