[EKS] [request]: branch ENI tagging - SG for PODs #2206
Labels: EKS Networking (EKS Networking related issues), EKS (Amazon Elastic Kubernetes Service), Proposed (Community submitted issue)
Tell us about your request
When using SG for PODS, an ENI gets attached to each POD.
AWS Network Firewall supports tag-based filtering with ENIs as resources.
This request is to enable ENI tagging by the VPC CNI by the use of annotations so that AWS Network Firewall can leverage those to filter traffic.
Tags could be things like:
Which service(s) is this request for?
This could be EKS with VPC CNI
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Customers would like the ability to create outbound L7 filtering policies based on which pod(s) they are originated from.
i.e. I would like pods from a certain deployment to only be able to do HTTPS towards a specific URL.
Today VPC CNI does not allow that (not in the NetworkPolicy K8s spec). The use of different CNIs (i.e. Cilium) has significant challenges and does not support security-groups per pod.
Are you currently working around this issue?
We are not.
Attachments
Original issue: aws/amazon-vpc-resource-controller-k8s#333
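The following is an added example, not code from the issue author, the VPC CNI, or the VPC resource controller. It shows what annotation-driven branch ENI tagging would look like if done out-of-band today: read each pod's metadata, find its branch ENI through the real `vpc.amazonaws.com/pod-eni` annotation that the VPC resource controller writes on pods using security groups for pods, and build the `ec2:CreateTags` request for that ENI. The tag-source annotation `example.com/eni-tags` and the `k8s:namespace` / `k8s:pod` tag keys are assumptions chosen here, since the issue proposes annotations but names none. The sample pod list is constructed, and the AWS call is only built, not sent, so the script runs offline.

```python
"""Derive EC2 CreateTags requests for pod branch ENIs from pod metadata.

Added example; not part of the issue, the VPC CNI or the resource controller.
"""
import json

# Real annotation written by the VPC resource controller on pods that use
# security groups for pods; its value is a JSON list with an "eniId" field.
POD_ENI_ANNOTATION = "vpc.amazonaws.com/pod-eni"
# Hypothetical annotation carrying the tags the user wants on the branch ENI.
TAG_ANNOTATION = "example.com/eni-tags"

# Constructed sample resembling a trimmed `kubectl get pods -A -o json`.
SAMPLE_PODS = {
    "items": [
        {"metadata": {
            "name": "api-0", "namespace": "payments",
            "annotations": {
                POD_ENI_ANNOTATION: json.dumps([{
                    "eniId": "eni-0a1b2c3d4e5f60001",
                    "ifAddress": "02:aa:bb:cc:dd:ee",
                    "privateIp": "10.0.1.12", "vlanId": 1,
                    "subnetCidr": "10.0.1.0/24"}]),
                TAG_ANNOTATION: json.dumps({"egress-policy": "allow-payments-api"}),
            }}},
        {"metadata": {
            "name": "worker-0", "namespace": "batch",
            "annotations": {
                POD_ENI_ANNOTATION: json.dumps([{
                    "eniId": "eni-0a1b2c3d4e5f60002",
                    "ifAddress": "02:aa:bb:cc:dd:ef",
                    "privateIp": "10.0.2.7", "vlanId": 2,
                    "subnetCidr": "10.0.2.0/24"}]),
            }}},
        # Pod without a branch ENI (no SecurityGroupPolicy matched): skipped.
        {"metadata": {"name": "plain-0", "namespace": "default", "annotations": {}}},
    ]
}


def branch_eni_id(pod):
    """Return the pod's branch ENI id, or None if the pod has no branch ENI."""
    raw = pod.get("metadata", {}).get("annotations", {}).get(POD_ENI_ANNOTATION)
    if not raw:
        return None
    entries = json.loads(raw)
    # The controller allocates one branch ENI per pod, so take the first entry.
    return entries[0]["eniId"] if entries else None


def desired_tags(pod):
    """Compute the tag set for a pod's branch ENI (identity tags + annotation tags)."""
    meta = pod["metadata"]
    tags = {"k8s:namespace": meta["namespace"], "k8s:pod": meta["name"]}  # chosen keys
    raw = meta.get("annotations", {}).get(TAG_ANNOTATION)
    if raw:
        for key, value in json.loads(raw).items():
            # EC2 rejects user tags with the reserved "aws:" prefix; fail early
            # rather than let an annotation try to impersonate AWS-managed tags.
            if key.lower().startswith("aws:"):
                raise ValueError(f"tag key {key!r} uses the reserved aws: prefix")
            if len(key) > 128 or len(str(value)) > 256:
                raise ValueError(f"tag {key!r} exceeds EC2 key/value length limits")
            tags[key] = str(value)
    return tags


def build_create_tags_requests(pod_list):
    """Return one ec2.create_tags(**kwargs) payload per pod that has a branch ENI."""
    requests = []
    for pod in pod_list.get("items", []):
        eni = branch_eni_id(pod)
        if eni is None:
            continue
        tags = desired_tags(pod)
        requests.append({
            "Resources": [eni],
            "Tags": [{"Key": k, "Value": v} for k, v in sorted(tags.items())],
        })
    return requests


if __name__ == "__main__":
    for req in build_create_tags_requests(SAMPLE_PODS):
        print(json.dumps(req))
        # To apply for real: boto3.client("ec2").create_tags(**req)
```

Feeding real `kubectl get pods -A -o json` output to `build_create_tags_requests` gives the same payloads. Two caveats a practitioner should keep in mind: a branch ENI is created fresh each time a pod is scheduled, so tags applied this way must be re-applied on every pod start (a controller watching pod events, not a one-shot script), and the principal running it needs `ec2:CreateTags` scoped to branch ENIs only, since tagging is also how other policies (IAM conditions, cost allocation) are keyed.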