containers-roadmap
[EKS] [request]: VPC CNI Network Policy support
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Tell us about your request: Add native Kubernetes Network Policy support to VPC CNI plugin
Which service(s) is this request for? EKS
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard? I'm looking for the default EKS networking plugin to implement Kubernetes Network Policy, so I can run secure, zero-trust multi-tenant clusters
Are you currently working around this issue? Installing 3rd party plugins on top of VPC CNI plugin. However, certain incompatibilities exist with this approach, such as lack of integration between Calico Network Policy and VPC CNI pod level security groups (ref). This also requires additional management burden, such as keeping up with changing installation methods and lifecycle management for 3rd party plugins.
Additional context: Keep an eye on Network Policy v2 upstream discussions
Hi, is there maybe a rough timeline for this?
Nothing definitive to share here - but this is being actively developed. One detail worth sharing, tentatively, we are moving to an eBPF based dataplane to enforce Network Policy - so this is a larger development effort than if we decided to use iptables based approach for enforcement.
> One detail worth sharing, tentatively, we are moving to an eBPF based dataplane to enforce Network Policy

@mikestef9 I assume that this is a kube-proxy replacement?
Are there any plans to add custom network policies to support cluster scoped use cases (maybe aligned to the proposed AdminNetworkPolicy)?
Yes - eventually this will be a kube-proxy replacement.
And for cluster wide network policy - also yes - we won't be building any custom CRDs - but will leverage the AdminNetworkPolicy you linked. That may not be available in first launch - depending on progress of the KEP
@mikestef9 that sounds very interesting.
Thank you for the feedback @mikestef9 . Looking forward to this :)
Is there an ETA for that to be available?
Is there any timeline for this to be available?
Is there any timeline for this? Also, is there any minimum EKS version for this?
By when can we have it?
Hi @mikestef9, can you give more information about the "coming soon" and the minimum configuration this will need?
I think this is now supported:
- https://github.com/aws/amazon-vpc-cni-k8s/releases/tag/v1.14.0
- https://docs.aws.amazon.com/eks/latest/userguide/cni-network-policy.html
Yes! Thank you all for your patience. Starting with Amazon VPC CNI version 1.14, you can now use Amazon VPC CNI to implement both pod networking and network policies to secure the traffic in your Kubernetes clusters. Network Policies are implemented using eBPF technology. Check out the launch blog and user guide for getting started details.
- Blog - https://aws.amazon.com/blogs/containers/amazon-vpc-cni-now-supports-kubernetes-network-policies/
- User Guide - https://docs.aws.amazon.com/eks/latest/userguide/cni-network-policy.html
Note that, today network policies will be supported on new Amazon EKS clusters. Support for existing clusters is coming soon. Existing clusters, using EKS v1.25+, will be supported once automatic upgrades of platform versions supporting the feature is complete. We will update the user guide with details of the platform version.
From the linked blog:

> Network policy controller configures policies for pods in parallel to pod provisioning, until then new pods will come up with default allow policy. All ingress and egress traffic is allowed to and from the new pods until they are reconciled against the existing policies.
Are there any plans to address this? Or at least some documentation to say what the maximum time is for reconciliation? Or should there be an option for security sensitive users to pause pod lifecycle until the network policies are applied? https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-has-network
@jimmyjones2 - Thanks for the feedback. We realized this during our development process and are evaluating ways to provide a configuration option (say 'strict mode'). Through this option, we can gate pod launch until the network policy agent configures the pod with the current set of active rules applicable to the pod based on the network policy resources on the cluster. Another approach is to configure a deny-all policy for all pods during the pod launch flow.
Amazon VPC CNI Network Policy is now supported on existing EKS clusters using v1.25+. For more details on platform versions, please refer to the user guide - https://docs.aws.amazon.com/eks/latest/userguide/cni-network-policy.html.
Just an update: we released a new enforcing mode in VPC CNI providing an option to gate access until the network policies are applied.
https://github.com/aws/amazon-vpc-cni-k8s?tab=readme-ov-file#network_policy_enforcing_mode-v1171