
Elaborate on roadmap regarding security groups and load balancers #7

Closed
copumpkin opened this issue Nov 29, 2017 · 4 comments

@copumpkin

Currently the proposal says that a limitation is

All ENIs on a instance share same subnet and same security groups.

Which is at odds with some of the stated goals. I get that this is a point-in-time view of the CNI but I'm curious what the plan is going forward to support this.

Some specific questions:

  1. How does this all relate (if at all) to the awsvpc networking mode in ECS, which seems to (as far as I've been able to tell) manage ENIs directly and drop their interface directly into the relevant container's network namespace?
  2. What will the user-facing interface look like? For example, if I want to ensure that a particular pod is "in" sg-123456 (because let's say that's the only SG allowed to speak to my RDS database), how would I tell k8s that?
  3. What ENI structure would specifying an explicit SG lead to behind the scenes? Particularly curious when you end up with multiple containers on the same EC2 instance with different security groups.
  4. Is there a story for how this will play with native AWS load balancers? Currently ECS seems to have a decent story in this space but it's much less clear to me what it would look like for k8s.

Not sure if it makes more sense to answer these here or just to add more to the proposal, but those are the questions that jumped to mind when I was reading it.

@mumoshu

mumoshu commented Nov 30, 2017

I'm interested in those questions.

Regarding security groups - perhaps Calico (which was mentioned in the announcement, as far as I know) will be enhanced to support amazon-vpc-cni-k8s as the backend instead of other providers like flannel, so that ingress/egress rules of K8S network policies are reflected in the security groups assigned to the secondary ENIs?

@lxpollitt

@mumoshu Yes, Calico and amazon-vpc-cni-k8s will work together to provide ingress/egress rules of K8s network policies. You can think of SGs as providing the underlying cluster (VM oriented) security and Kubernetes network policy providing the fine-grained micro-service (container oriented) security.
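Editor's added example (not code from the amazon-vpc-cni-k8s project or from any participant in this thread) showing what the "fine-grained micro-service (container oriented)" layer looks like in practice: a Kubernetes NetworkPolicy that an enforcing CNI such as Calico applies per pod. The namespace `payments`, the labels `app=api`, `app=web` and `k8s-app=kube-dns`, and the RDS subnet CIDR `10.0.20.0/24` are all assumed placeholder values.

```yaml
# Added example, not part of the original issue. Assumed values: namespace
# "payments", pod labels app=api / app=web, kube-dns label k8s-app=kube-dns,
# and a placeholder RDS subnet CIDR 10.0.20.0/24.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-db-only
  namespace: payments
spec:
  # The policy governs pods labelled app=api in this namespace.
  podSelector:
    matchLabels:
      app: api
  # Listing both types makes anything not allowed below an explicit deny.
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only pods labelled app=web in the same namespace may reach the API on 8080.
    - from:
        - podSelector:
            matchLabels:
              app: web
      ports:
        - protocol: TCP
          port: 8080
  egress:
    # DNS is needed so the pod can resolve the RDS endpoint name.
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
    # PostgreSQL to the RDS subnet only; no other egress is permitted.
    - to:
        - ipBlock:
            cidr: 10.0.20.0/24
      ports:
        - protocol: TCP
          port: 5432
```

This policy operates entirely at the pod layer. It does not place the pod "in" a security group (the question the issue raises), so the security group attached to the ENI that carries the pod's IP still has to permit the node's pod addresses to reach the database's security group; both layers must agree for the connection to succeed, and a denial at either one is what you will see when debugging a failed connection.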

@mumoshu

mumoshu commented Dec 5, 2017

@lxpollitt Thank you very much for the clarification! Fully understood.

Would there be a dedicated github issue to track the progress and remaining tasks for that?

@mogren
Contributor

mogren commented Mar 14, 2019

Resolving old issues.

mogren closed this as completed Mar 14, 2019
sushrk pushed a commit to sushrk/amazon-vpc-cni-k8s that referenced this issue Aug 19, 2021
Fixed issue aws#7 and update ecr image location
cgchinmay added a commit to cgchinmay/amazon-vpc-cni-k8s that referenced this issue Dec 9, 2021
# This is the 1st commit message:

Add VlanId in the cmdAdd Result struct
This VlanId will appear in the prevResult during cmdDel request

Test prevResult contents

CleanUp Pod Network using vlanId from prevResult in CNI itself
No need to call ipamd

Log formatting changes

Added hostNetworking Setup test for pods using security groups

revoke unnecessary test agent image changes

Revoke unnecessary changes

remove focussed test
set replica count to total number of branch interface

Fix replica count

# This is the commit message aws#2:

Updated cleanUpPodENI method

# This is the commit message aws#3:

Skip processing Delete request if prevResult is nil
Add Logging vlanId to ipamd

# This is the commit message aws#4:

Add support to test with containerd nodegroup in pod-eni test

# This is the commit message aws#5:

Add check for empty Netns() in cni

# This is the commit message aws#6:

Manifests and Readme updates (aws#1732)

* Manifests and Readme updates

* update manifest.jsonnet
# This is the commit message aws#7:

Readme updates (aws#1735)


# This is the commit message aws#8:

Updates to troubleshooting doc (aws#1737)

* Updates to troubleshooting doc

* updates to troubleshooting doc
# This is the commit message aws#9:

imdsv2 changes (aws#1743)


# This is the commit message aws#10:

fix flaky canary test (aws#1742)


# This is the commit message aws#11:

add CODEOWNERS (aws#1747)