
Support enabling NetworkPolicy enforcement via eksctl cluster config #7770

Open
consideRatio opened this issue May 17, 2024 · 4 comments
Labels: kind/feature (New feature or request), priority/important-longterm (Important over the long term, but may not be currently staffed and/or may require multiple releases)

Comments

@consideRatio (Contributor)

aws-node v1.14.0+ supports NetworkPolicy enforcement according to the changelog. I'd love to be able to control enabling this or not via the eksctl configuration.

There is a documented way to enable this both for being a managed addon and for self-managed addons.

I understand that eksctl clusters provide aws-node, aka vpc-cni, as a self-managed addon, not listed under addons in the eksctl configuration file, and should therefore follow the documentation about enabling it for a self-managed addon. I've so far tried and failed, and I'm not sure what goes on - but that's a separate topic to being allowed to enable it via .

Overall though, it would be great to be able to enable NetworkPolicy enforcement directly through the eksctl cluster configuration and not require manual kubectl patches, especially since these would get replaced if we were to use eksctl utils update-aws-node at some later point in time.


This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

@github-actions github-actions bot added the stale label Jun 17, 2024
@consideRatio (Contributor Author)

Stale but very relevant feature request of notable value, I think.

@cPu1 cPu1 added priority/important-longterm Important over the long term, but may not be currently staffed and/or may require multiple releases and removed stale labels Jun 17, 2024
@TiberiuGC TiberiuGC added the kind/feature New feature or request label Jul 18, 2024
@consideRatio (Contributor Author) commented Aug 23, 2024

I think the path forward here is to declare that this won't be supported for the eksctl way of installing an EKS self-managed vpc-cni addon, and instead ask that users transition to installing it under addons so it becomes an EKS managed installation.

Like this, it can (I think, not tested) be configured according to official AWS docs written for eksctl config that has installed it under addons, with a quite trivial change looking like this:

 addons:
   - name: vpc-cni
+    configurationValues: |-
+      enableNetworkPolicy: "true"

Caveats

  1. I've not yet transitioned any EKS cluster I maintain to installing the vpc-cni addon as an EKS managed addon via the addons eksctl config. I think it's sufficient to start listing it there though, and a transition will be made - where one can also declare resolveConflicts: overwrite, but I'm not sure.
  2. I've not yet verified that it works as simply as below once that is done, but I recall it was to be explicitly enabled like this from somewhere:
     addons:
       - name: vpc-cni
    +    configurationValues: |-
    +      enableNetworkPolicy: "true"
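A pre-flight lint for the transition described in this comment, added here as an example that is neither part of this issue nor of eksctl: it takes a ClusterConfig already loaded into a dict (the YAML loader and the placeholder cluster name are assumptions) and reports whether vpc-cni is a managed addon with enableNetworkPolicy: "true", or is still self-managed, the case where a kubectl patch is what eksctl utils update-aws-node would later overwrite.

```python
"""Lint an eksctl ClusterConfig dict: is vpc-cni NetworkPolicy enforcement
declared on the managed addon, or left to a patch eksctl may overwrite?"""
import json
import re

# Constructed sample: the dict a YAML loader yields for the issue's fragment.
SAMPLE = {
    "kind": "ClusterConfig",
    "metadata": {"name": "example-cluster"},  # placeholder name
    "addons": [{"name": "vpc-cni",
                "configurationValues": 'enableNetworkPolicy: "true"\n'}],
}
_KV = re.compile(r'^([A-Za-z0-9_.-]+)\s*:\s*(.*?)\s*(?:#.*)?$')

def parse_config_values(block):
    """configurationValues is a string of YAML or JSON. JSON is parsed fully;
    for YAML only top-level `key: scalar` lines are read (enough for this
    flag), keeping quoted "true" (str) distinct from bare true (bool)."""
    text = block.strip()
    if text.startswith("{"):
        return json.loads(text)
    values = {}
    # Indented (nested) lines do not match the pattern and are skipped.
    for m in filter(None, map(_KV.match, text.splitlines())):
        key, val = m.groups()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            values[key] = val[1:-1]
        elif val in ("true", "false"):
            values[key] = val == "true"
        else:
            values[key] = val
    return values

def network_policy_status(cluster_config):
    """self-managed: vpc-cni absent from addons (eksctl installs it itself, so
    this file cannot declare enforcement); managed-unset: flag missing;
    managed-enabled: the documented quoted "true"; managed-bare-bool: bare
    true, worth a review since the docs quote it; managed-disabled: else."""
    for addon in cluster_config.get("addons") or []:
        if addon.get("name") != "vpc-cni":
            continue
        values = parse_config_values(addon.get("configurationValues") or "")
        flag = values.get("enableNetworkPolicy")
        if flag is None:
            return "managed-unset"
        if isinstance(flag, bool):
            return "managed-bare-bool" if flag else "managed-disabled"
        return "managed-enabled" if flag == "true" else "managed-disabled"
    return "self-managed"
```

Run it over each cluster's config before eksctl create cluster or eksctl utils update-aws-node; a self-managed result means the enforcement setting lives only in the live DaemonSet and not in the file.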

3 participants