aws/amazon-network-policy-controller-k8s

Controller enabled when "enable network policy controller" turned off in configmap

hobaen opened this issue · 1 comments

hobaen commented

Expected:
When deploying the aws network policy controller into a cluster with no existing policy endpoints and the enable-network-policy-controller in aws-vpc-cni configmap set to false, the controller would be disabled and not start creating new policy endpoints.

Observed:
When deploying the aws network policy controller into a cluster with no existing policy endpoints and the enable-network-policy-controller in aws-vpc-cni configmap set to false, the controller is enabled and immediately starts creating policy endpoints based on network policies deployed on the cluster.

Details:
Kubernetes provider: EKS
Kubernetes version: 1.28
network policy controller image tag: v1.0.2
amazon-k8s-cni: v1.15.4-eksbuild.1
Calico currently running as network security policy engine

aws-vpc-cni configmap:

apiVersion: v1
data:
  enable-network-policy-controller: "false"
  enable-windows-ipam: "false"
kind: ConfigMap
metadata:
  name: amazon-vpc-cni
  namespace: kube-system

Controller Logs:

{"level":"info","ts":"2023-12-13T16:33:33Z","msg":"version","GitVersion":"v1.0.2","GitCommit":"7914fba9b03c9e01ce39c6b11bdc5d30129c6f32","BuildDate":"2023-11-03T19:23:15+0000"}
{"level":"info","ts":"2023-12-13T16:33:33Z","logger":"setup","msg":"Network Policy controller is enabled, starting watches"}
{"level":"info","ts":"2023-12-13T16:33:34Z","logger":"setup","msg":"starting controller manager"}
{"level":"info","ts":"2023-12-13T16:33:34Z","logger":"controller-runtime.metrics","msg":"Starting metrics server"}
{"level":"info","ts":"2023-12-13T16:33:34Z","msg":"starting server","kind":"health probe","addr":"[::]:8081"}
{"level":"info","ts":"2023-12-13T16:33:34Z","logger":"controller-runtime.metrics","msg":"Serving metrics server","bindAddress":":8080","secure":false}
I1213 16:33:35.020368       1 leaderelection.go:250] attempting to acquire leader lease kube-system/amazon-network-policy-controller-k8s...
I1213 16:33:53.097726       1 leaderelection.go:260] successfully acquired lease kube-system/amazon-network-policy-controller-k8s
{"level":"info","ts":"2023-12-13T16:33:53Z","msg":"Starting EventSource","controller":"policy","source":"kind source: *v1.NetworkPolicy"}
{"level":"info","ts":"2023-12-13T16:33:53Z","msg":"Starting EventSource","controller":"policy","source":"kind source: *v1.Pod"}
{"level":"info","ts":"2023-12-13T16:33:53Z","msg":"Starting EventSource","controller":"policy","source":"kind source: *v1.Namespace"}
{"level":"info","ts":"2023-12-13T16:33:53Z","msg":"Starting EventSource","controller":"policy","source":"kind source: *v1.Service"}
{"level":"info","ts":"2023-12-13T16:33:53Z","msg":"Starting EventSource","controller":"policy","source":"channel source: 0xc00013f5c0"}
{"level":"info","ts":"2023-12-13T16:33:53Z","msg":"Starting Controller","controller":"policy"}
{"level":"info","ts":"2023-12-13T16:33:53Z","msg":"Starting workers","controller":"policy","worker count":3}
hobaen commented

Update: Upon further investigation, this was because we were using the runtime args in the example provided at https://github.com/aws/amazon-network-policy-controller-k8s/blob/main/config/controller/controller.yaml#L22, which were --enable-configmap-check=false; setting this to true resolved the issue.
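The mismatch described in this thread, as an added audit helper that is not part of the project or the reporter's setup: given the amazon-vpc-cni ConfigMap data and the controller container's args, it reports whether the controller will honour the ConfigMap's enable-network-policy-controller key. The precedence rule (the ConfigMap is consulted only when --enable-configmap-check is true) follows the thread; treating an absent key as "false" and a default of true for an omitted flag are assumptions.

```python
"""Audit helper (added example, not project code) for the enable/disable decision
discussed in this issue.

Assumptions: the controller consults the ConfigMap key only when
--enable-configmap-check is true; an absent key counts as "false"; the flag
defaults to true when omitted from the container args.
"""
from dataclasses import dataclass

CONFIGMAP_KEY = "enable-network-policy-controller"
FLAG = "enable-configmap-check"


@dataclass
class Verdict:
    controller_runs: bool      # will the controller start its watches?
    honours_configmap: bool    # did the ConfigMap key decide the outcome?
    reason: str


def parse_flag(args, name, default=True):
    """Return the boolean value of --<name> from a container args list.
    Accepts '--name=value' and '--name value'; a bare '--name' means true."""
    for i, arg in enumerate(args):
        if arg == f"--{name}":
            nxt = args[i + 1].lower() if i + 1 < len(args) else ""
            return nxt != "false"
        if arg.startswith(f"--{name}="):
            return arg.split("=", 1)[1].strip().lower() == "true"
    return default  # assumption: flag defaults to true when omitted


def effective_state(configmap_data, container_args):
    """Decide what the controller will do for this ConfigMap + args pair."""
    cm_value = str(configmap_data.get(CONFIGMAP_KEY, "false")).strip().lower() == "true"
    if not parse_flag(container_args, FLAG):
        return Verdict(True, False,
                       f"--{FLAG}=false: ConfigMap {CONFIGMAP_KEY}={cm_value} ignored, controller runs")
    return Verdict(cm_value, True, f"ConfigMap {CONFIGMAP_KEY} consulted, value={cm_value}")


def misconfigured(configmap_data, container_args):
    """True when the ConfigMap asks for the controller to be off but it will run anyway."""
    wants_off = str(configmap_data.get(CONFIGMAP_KEY, "false")).strip().lower() != "true"
    return wants_off and effective_state(configmap_data, container_args).controller_runs


# Constructed inputs mirroring the issue: ConfigMap says false, example args skip the check.
ISSUE_CONFIGMAP = {"enable-network-policy-controller": "false", "enable-windows-ipam": "false"}
ISSUE_ARGS = ["--enable-configmap-check=false"]
FIXED_ARGS = ["--enable-configmap-check=true"]

if __name__ == "__main__":
    for args in (ISSUE_ARGS, FIXED_ARGS):
        print(args, "->", effective_state(ISSUE_CONFIGMAP, args).reason)
```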