
Support disabling src/dst checks on Worker Nodes.

Open Buffer0x7cd opened this issue 4 years ago • 5 comments

Relevant Issue: https://github.com/cilium/cilium/issues/14243

Why do you want this feature? Hey everyone, while using 3rd party networking plugins, it's required to disable the SRC/DST check on all of the worker nodes. One such use case is using DSR for node port traffic (more info available here https://github.com/cilium/cilium/issues/13600). While the above solution worked, internally in our team we had a discussion on how to disable this consistently across worker node instances, as AWS does not have an API to enable/disable the SRC/DST check on a group of ENIs (for example a parameter in the ASG or Launch Template that lets the user configure this property); the src/dst API is limited to operating on a single ENI. In the Cilium-specific case the team is planning to add this feature in the Cilium operator, but this seems like a general problem that has use cases outside of Cilium.

What feature/behavior/change do you want? It would be really great if we can expose this as a parameter in eksctl, which will then be responsible for making sure that all workers have the SRC/DST check disabled. Although this might require changes from the AWS API (for the ASG or Launch Template resource).

There might be a better solution to handle this, so I would like to hear the feedback from the community regarding the above points.

Buffer0x7cd avatar Dec 02 '20 14:12 Buffer0x7cd
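Since the check can only be toggled per ENI, the practical workaround today is to enumerate a nodegroup's instances and call ModifyNetworkInterfaceAttribute on each interface. The script below is an added example (not eksctl's or Cilium's code); it assumes the nodegroup is backed by a single ASG whose name you know, that boto3 credentials for the account are available, and that the instance list fits in one DescribeInstances page.

```python
"""Disable EC2 source/destination checks on every ENI of an ASG's worker nodes.

Added example, not part of eksctl. There is no ASG- or launch-template-level
setting for this, so the script walks each instance and each ENI.
"""
from typing import Iterable


def enis_needing_change(reservations: Iterable[dict]) -> list:
    """Return ENI ids whose SourceDestCheck is still enabled.

    `reservations` has the shape of EC2 DescribeInstances output. Only
    running instances are considered; terminated ones cannot be modified.
    """
    enis = []
    for res in reservations:
        for inst in res.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue
            for eni in inst.get("NetworkInterfaces", []):
                if eni.get("SourceDestCheck", True):
                    enis.append(eni["NetworkInterfaceId"])
    return enis


def disable_src_dst_checks(asg_name: str, region: str, dry_run: bool = True) -> list:
    """Find an ASG's instances and disable the check on each of their ENIs.

    With dry_run=True nothing is modified; the ENIs that would change are
    returned so the set can be reviewed before applying.
    """
    import boto3  # imported lazily so enis_needing_change() works without AWS access
    asg = boto3.client("autoscaling", region_name=region)
    ec2 = boto3.client("ec2", region_name=region)
    groups = asg.describe_auto_scaling_groups(AutoScalingGroupNames=[asg_name])["AutoScalingGroups"]
    ids = [i["InstanceId"] for g in groups for i in g["Instances"]]
    if not ids:
        return []
    targets = enis_needing_change(ec2.describe_instances(InstanceIds=ids)["Reservations"])
    if not dry_run:
        for eni_id in targets:
            ec2.modify_network_interface_attribute(
                NetworkInterfaceId=eni_id, SourceDestCheck={"Value": False})
    return targets


# Constructed sample in DescribeInstances shape (placeholder ids, not real AWS output).
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0example1", "State": {"Name": "running"},
     "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0aaa", "SourceDestCheck": True},
                           {"NetworkInterfaceId": "eni-0bbb", "SourceDestCheck": False}]},
    {"InstanceId": "i-0example2", "State": {"Name": "terminated"},
     "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0ccc", "SourceDestCheck": True}]},
]}]
```

Instances launched later by the ASG come up with the check enabled again, so this has to be rerun (or hooked into node join), which is exactly the gap the request asks eksctl to close.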

This concerns the primary ENI, which I believe is controlled via CloudFormation, or at least it should be possible to control it (it's been a while since I've seen the code last time).

errordeveloper avatar Dec 02 '20 14:12 errordeveloper

Cilium installation instructions for EKS.

errordeveloper avatar Dec 02 '20 14:12 errordeveloper

After discussing in Slack: it seems this setting, while exposed by the EC2::Instance CloudFormation resource, isn't exposed through the AutoScaling::AutoScalingGroup or the EC2::LaunchTemplate NetworkInterface resources.

michaelbeaumont avatar Dec 03 '20 16:12 michaelbeaumont

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Jan 18 '21 14:01 github-actions[bot]

need to check if the blocking feature is out

Himangini avatar Oct 13 '21 13:10 Himangini