Telegraf daemonset pods cannot access node using inputs.kube_inventory

This worked previously, but now all of our pods in the daemonset generate these errors:
2019-12-20T19:45:00Z E! [inputs.kube_inventory] Error in plugin: performing request: Get http://aks-agentpool-15429821-vmss000001/api/v1/pods: dial tcp 10.0.128.35:80: connect: connection refused
2019-12-20T19:45:00Z E! [inputs.kube_inventory] Error in plugin: performing request: Get http://aks-agentpool-15429821-vmss000001/apis/extensions/v1beta1/ingresses: dial tcp 10.0.128.35:80: connect: connection refused
2019-12-20T19:45:00Z E! [inputs.kube_inventory] Error in plugin: performing request: Get http://aks-agentpool-15429821-vmss000001/apis/apps/v1/daemonsets: dial tcp 10.0.128.35:80: connect: connection refused
2019-12-20T19:45:00Z E! [inputs.kube_inventory] Error in plugin: performing request: Get http://aks-agentpool-15429821-vmss000001/api/v1/services: dial tcp 10.0.128.35:80: connect: connection refused
2019-12-20T19:45:00Z E! [inputs.kube_inventory] Error in plugin: performing request: Get http://aks-agentpool-15429821-vmss000001/api/v1/endpoints: dial tcp 10.0.128.35:80: connect: connection refused
2019-12-20T19:45:10Z E! [inputs.kube_inventory] Error in plugin: performing request: Get http://aks-agentpool-15429821-vmss000001/api/v1/persistentvolumeclaims: dial tcp 10.0.128.35:80: connect: connection refused
2019-12-20T19:45:10Z E! [inputs.kube_inventory] Error in plugin: performing request: Get http://aks-agentpool-15429812-vmss000001/apis/apps/v1/statefulsets: dial tcp 10.0.128.35:80: connect: connection refused

Nothing in our configuration has changed, but I verified that the volume mounts for certs and tokens are correct and insecure-skip-verify is set.

I do see these messages in the node’s syslog:
Dec 20 19:47:50 aks-agentpool-15429821-vmss000001 kernel: [ 325.649352] audit: type=1400 audit(1576871270.021:42): apparmor=“DENIED” operation=“ptrace” profile=“docker-default” pid=5307 comm=“telegraf” requested_mask=“trace” denied_mask=“trace” peer=“unconfined”

This makes it look like apparmor is denying the connection, which is weird because the default docker apparmor profile has trace allowed:
‘# suppress ptrace denials when using ‘docker ps’ or using ‘ps’ inside a container
ptrace (rw,readby,tracedby,trace,read) peer=docker-default,’

For reference, the inputs.kubernetes is working fine and refers to the same token:
[[inputs.kubernetes]]
url = “http://:10255$HOSTNAME
bearer_token = “/var/run/secrets/kubernetes.io/serviceaccount/token”
insecure_skip_verify = true
[[inputs.mem]]
[[inputs.processes]]
[[inputs.swap]]
[[inputs.system]]
[[inputs.net]]
[[inputs.kube_inventory]]
url = “https://$HOSTNAME
bearer_token = “/var/run/secrets/kubernetes.io/serviceaccount/token”
insecure_skip_verify = true
namespace = “”

Anyone have any ideas?

Hoping someone can reply now that the holidays are over?