aws/amazon-vpc-cni-k8s

POD_SECURITY_GROUP_ENFORCING_MODE not available in the configuration values of the VPC CNI

haofeif opened this issue · 5 comments

What would you like to be added:
Add POD_SECURITY_GROUP_ENFORCING_MODE to the configuration value as quoted in the code

Why is this needed:

If customers would like to use Network Policy together with Security Groups for Pods, the VPC CNI parameters need to be changed according to the AWS documentation:

  • If you're using version 1.10 or earlier of the Amazon VPC CNI plugin, or version 1.11 with POD_SECURITY_GROUP_ENFORCING_MODE=strict, which is the default setting, then Kubernetes services of type NodePort and LoadBalancer using instance targets with an externalTrafficPolicy set to Local aren't supported with Pods that you assign security groups to. For more information about using a load balancer with instance targets, see Network load balancing on Amazon EKS. If you're using version 1.11 or later of the plugin with POD_SECURITY_GROUP_ENFORCING_MODE=standard, then instance targets with an externalTrafficPolicy set to Local are supported.

@haofeif sorry, I do not understand the request here. POD_SECURITY_GROUP_ENFORCING_MODE is already configurable as an environment variable. You can set it in the helm chart or add it to the manifest you are using.

Hi @jdn5126. The use case is that we are leveraging the AWS managed VPC CNI, and we would like to use Terraform to put the "configuration values" in the Terraform document.

In short, we would like to get the POD_SECURITY_GROUP_ENFORCING_MODE into the configuration_value, instead of changing the helm chart if this makes sense.

Below is just an example of using aws_eks_addon, but we are leveraging the configuration_values.

```hcl
resource "aws_eks_addon" "example" {
  cluster_name                = "mycluster"
  addon_name                  = "coredns"
  addon_version               = "v1.10.1-eksbuild.1"
  resolve_conflicts_on_create = "OVERWRITE"

  configuration_values = jsonencode({
    replicaCount = 4
    resources = {
      limits = {
        cpu    = "100m"
        memory = "150Mi"
      }
      requests = {
        cpu    = "100m"
        memory = "150Mi"
      }
    }
  })
}
```

POD_SECURITY_GROUP_ENFORCING_MODE is only configurable via the managed addon in VPC CNI v1.12.1+. You can see the configurable schema with:

```sh
aws eks describe-addon-configuration --addon-name vpc-cni --addon-version v1.12.1-eksbuild.1 | jq -r .configurationSchema | jq .
```

Closing this as it is not an issue.
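For readers landing here with the same question, an added example that is not from the issue author or the project: the aws_eks_addon pattern above applied to the vpc-cni managed add-on, with POD_SECURITY_GROUP_ENFORCING_MODE passed through configuration_values. It assumes the add-on's configurationSchema exposes an `env` object (verify with the describe-addon-configuration command above); the cluster name, add-on version string and the ENABLE_POD_ENI key are assumptions for illustration.

```hcl
# Added example, not from the issue or the project: vpc-cni managed add-on
# configured through configuration_values instead of the helm chart.
# Assumes the add-on schema has an "env" object accepting CNI env vars.

variable "pod_sg_enforcing_mode" {
  description = "POD_SECURITY_GROUP_ENFORCING_MODE for the vpc-cni add-on."
  type        = string
  default     = "strict" # the CNI default; keeps pod traffic bound to pod SGs

  validation {
    condition     = contains(["strict", "standard"], var.pod_sg_enforcing_mode)
    error_message = "pod_sg_enforcing_mode must be \"strict\" or \"standard\"."
  }
}

variable "vpc_cni_version" {
  description = "Managed add-on version; v1.12.1+ is needed for this key to exist in the schema."
  type        = string
  default     = "v1.12.1-eksbuild.1" # assumed version string
}

resource "aws_eks_addon" "vpc_cni" {
  cluster_name                = "mycluster" # placeholder cluster name
  addon_name                  = "vpc-cni"
  addon_version               = var.vpc_cni_version
  resolve_conflicts_on_create = "OVERWRITE"

  configuration_values = jsonencode({
    env = {
      # Security Groups for Pods must be enabled for the enforcing mode to apply
      # (assumed env key from the CNI, not quoted in this issue).
      ENABLE_POD_ENI = "true"
      # "strict" (default) is the stricter setting; switch to "standard" only when
      # you need NodePort/LoadBalancer instance targets with
      # externalTrafficPolicy=Local, the case quoted in the issue description.
      POD_SECURITY_GROUP_ENFORCING_MODE = var.pod_sg_enforcing_mode
    }
  })
}
```

Set `pod_sg_enforcing_mode = "standard"` only for clusters that actually need the Local-policy instance-target behaviour, and confirm the rendered `env` keys against the schema output before applying.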

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.