ENI tagging - SG for PODs #333
Comments
This would need a knob. We can get pod name and ns and derive replica set name. Any custom tag should be passed through the env and this will be cluster level config.

Can custom tags not be passed via annotations? The idea is that certain pods should have ENIs tagged in some way and other pods in another way.

@nicoaws is the goal to place pods with certain annotations/labels behind ENIs with certain tags?

No, the goal is to be able to tag pod ENIs by using annotations.

Ok, so you are asking about tagging the branch ENIs that are used for pods with security groups, correct? As normal ENIs can have additional tags added by setting the

Exactly!

Since branch ENIs are created by the VPC Resource Controller, the tagging would have to happen there. I will transfer this issue to that repo.

The branch ENI assigned for pods is created with subnet and security group, thus VPC ID/Subnet ID/Security Group ID are available for every branch interface. I am not sure if your use cases with AWS Network Firewall have to use interfaces' tags, and also how tagging with that info could help in general. Customized tagging could be a bit challenging since this EKS managed service is currently not taking customized configurations yet. Please create an issue at the roadmap (https://github.com/aws/containers-roadmap) if you think this is a feature that could help and should be supported by AWS EKS. Thanks
On Sat, 18 Nov 2023 at 07:11, Hao Zhou wrote:
> - VPC ID
> - subnet ID
> - Security Group ID
We also need a way to pass custom tags to ENI. The requirement is to tag all resources with specific tags for compliance purposes.
When using SG for PODS, an ENI gets attached to each POD.
AWS Network Firewall supports tag-based filtering with ENIs as resources.
This request is to enable ENI tagging by the VPC CNI by the use of annotations so that AWS Network Firewall can leverage those to filter traffic.
Tags could be things like:
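The annotation-driven tagging this issue asks for does not exist in the controller, so the following is an added example, not code from the VPC Resource Controller, the VPC CNI, or anyone in this thread, of how a reconciler could turn pod metadata into the `ec2.create_tags` parameters for the pod's branch ENI. It covers the two knobs raised in the comments: tags a pod requests through annotations, and cluster-level tags the operator mandates for compliance. The annotation prefix `eni-tag.example.com/`, the `k8s/...` tag keys, the sample pod and the cluster-level tags are all constructed assumptions; the EC2 tag constraints it enforces (50 tags per resource, 128/256-character limits, the reserved `aws:` prefix) are real. Derived and cluster-level tags are managed by the controller, and a pod annotation that tries to set a managed key to a different value is rejected rather than silently overridden, so the identity and compliance tags that AWS Network Firewall would filter on cannot be forged from inside a pod.

```python
"""Annotation-driven tagging of a pod's branch ENI (added example).

This is not code from the VPC Resource Controller or the VPC CNI. It sketches
the two knobs discussed in the thread: tags a pod requests through
annotations, and cluster-level tags the operator mandates. Assumptions, none
of which come from the issue: the annotation prefix ``eni-tag.example.com/``,
the ``k8s/...`` tag keys, and reading the ReplicaSet name from
``ownerReferences``. No AWS call is made; ``create_tags_request`` returns the
keyword arguments a boto3 ``ec2.create_tags`` call would take.
"""
import re

ANNOTATION_PREFIX = "eni-tag.example.com/"  # hypothetical; not a real annotation
MAX_TAGS_PER_RESOURCE = 50                  # EC2 limit per resource
# Characters EC2 accepts in tag keys and values: letters, digits, space, + - = . _ : / @
_TAG_CHARS = re.compile(r"^[\w +\-=.:/@]*$")


def validate_tag(key, value):
    """Raise ValueError for a tag EC2 would reject or that uses the reserved aws: prefix."""
    if not key or len(key) > 128:
        raise ValueError(f"tag key {key!r} must be 1..128 characters")
    if len(value) > 256:
        raise ValueError(f"tag value for {key!r} exceeds 256 characters")
    if key.lower().startswith("aws:"):
        raise ValueError(f"tag key {key!r} uses the reserved aws: prefix")
    for text in (key, value):
        if not _TAG_CHARS.match(text):
            raise ValueError(f"tag {key!r}={value!r} contains characters EC2 rejects")


def pod_requested_tags(pod):
    """Tags the pod asked for via annotations of the form eni-tag.example.com/<key>: <value>."""
    annotations = pod["metadata"].get("annotations") or {}
    requested = {}
    for name, value in annotations.items():
        if name.startswith(ANNOTATION_PREFIX):
            key = name[len(ANNOTATION_PREFIX):]
            validate_tag(key, value)
            requested[key] = value
    return requested


def derived_workload_tags(pod):
    """Tags the controller derives itself: namespace, pod name, and owning ReplicaSet."""
    meta = pod["metadata"]
    tags = {"k8s/namespace": meta["namespace"], "k8s/pod": meta["name"]}
    for owner in meta.get("ownerReferences", []):
        if owner.get("kind") == "ReplicaSet":
            tags["k8s/replicaset"] = owner["name"]
    return tags


def build_eni_tags(pod, cluster_tags):
    """Merge the three sources into the Tags list shape EC2 expects.

    Derived and cluster-level tags are managed by the controller; a pod may add
    keys, but a pod annotation that tries to change a managed key to a different
    value is rejected so workload identity and compliance tags stay trustworthy.
    """
    managed = derived_workload_tags(pod)
    for key, value in cluster_tags.items():
        validate_tag(key, value)
        managed[key] = value
    requested = pod_requested_tags(pod)
    clashes = sorted(k for k in requested if k in managed and requested[k] != managed[k])
    if clashes:
        raise ValueError(f"pod annotations attempt to override managed tags: {clashes}")
    merged = {**requested, **managed}
    if len(merged) > MAX_TAGS_PER_RESOURCE:
        raise ValueError(f"{len(merged)} tags exceeds the EC2 limit of {MAX_TAGS_PER_RESOURCE}")
    return [{"Key": k, "Value": v} for k, v in sorted(merged.items())]


def create_tags_request(eni_id, pod, cluster_tags):
    """Keyword arguments for boto3 ec2.create_tags(Resources=..., Tags=...)."""
    return {"Resources": [eni_id], "Tags": build_eni_tags(pod, cluster_tags)}


# Constructed sample input, not taken from the issue.
SAMPLE_POD = {
    "metadata": {
        "name": "payments-api-7c9d8b6f5-x2k4q",
        "namespace": "payments",
        "annotations": {
            "eni-tag.example.com/nfw-zone": "pci",      # consumed by the tagging logic
            "eni-tag.example.com/team": "payments",
            "unrelated.example.com/note": "ignored",    # wrong prefix, skipped
        },
        "ownerReferences": [{"kind": "ReplicaSet", "name": "payments-api-7c9d8b6f5"}],
    }
}
CLUSTER_TAGS = {"CostCenter": "1234", "Compliance": "pci-dss"}  # operator-mandated, constructed

if __name__ == "__main__":
    for tag in create_tags_request("eni-0123456789abcdef0", SAMPLE_POD, CLUSTER_TAGS)["Tags"]:
        print(f"{tag['Key']}={tag['Value']}")
```

Running the block prints the seven tags the sample pod's branch ENI would receive. A real reconciler would look up the branch ENI ID for the pod and pass the returned dict to `ec2.create_tags(**request)`; the validation step is what keeps a pod from slipping an `aws:`-prefixed key or a rewritten `Compliance` value into that call.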