containers-roadmap icon indicating copy to clipboard operation
containers-roadmap copied to clipboard
verified publisher icon aws

[EKS/VPC CNI Add-on/Auto Mode] [request]: EKS Add-on to check if Auto Mode is enabled before deleting Policyendpoints CRD

Open david-a-aws opened this issue 4 months ago • 1 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request I would like the EKS managed add-on to verify if Auto Mode is enabled, before deleting the policyendpoints.networking.k8s.aws CRD when deleting the VPC CNI add-on.

When you delete the VPC CNI add-on, it deletes all related resources including the daemonset, clusterrole, etc. AND the CRD.

With EKS Auto mode, customers can use Network Policies, which relies on the policyendpoints CRD.

This causes an issue where someone would expect this (deleting the VPC CNI add-on) to not affect the Network Policy configuration, but it won't work without the policyendpoints CRD

Which service(s) is this request for? EKS / Auto Mode

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard? What outcome are you trying to achieve, ultimately, and why is it hard/impossible to do right now? What is the impact of not having this problem solved? The more details you can provide, the better we'll be able to understand and solve the problem.

Example replication:

  1. Create EKS cluster with auto mode enabled
  2. Create the VPC CNI add-on
  3. Delete the VPC CNI add-on
  4. Try to use EKS auto mode network policy following the documentation
  5. Observe that it won't work, since policyendpoints CRD is removed.

Are you currently working around this issue? A) Create the CRD manually. B) Re-create the VPC CNI add-on -> delete it with preserve on cluster enabled -> delete the additional resources that are not required such as the daemonset, etc.

Additional context Anything else we should know?

Attachments If you think you might have additional information that you'd like to include via an attachment, please do - we'll take a look. (Remember to remove any personally-identifiable information.)

david-a-aws avatar Aug 08 '25 01:08 david-a-aws

Please check out this PR which has been merged and will be available soon. The change will ensure PolicyEndpoint CRD availability in EKS managed clusters including Auto mode. We can provide an update when the change has been released to all clusters. Thanks

haouc avatar Aug 08 '25 02:08 haouc