ENI tagging - SG for PODs

[nicoaws]

When using SG for PODS, an ENI gets attached to each POD.

AWS Network Firewall supports tag-based filtering with ENIs as resources.

This request is to enable ENI tagging by the VPC CNI by the use of annotations so that AWS Network Firewall can leverage those to filter traffic.

Tags could be things like:

• namespace
• VPC ID
• subnet ID
• Security Group ID
• custom tags specified by user in annotations

[jayanthvn]

This would need a knob. We can get pod name and ns and derive replica set name. Any custom tag should be passed thru the env and this will be cluster level config.

[nicoaws]

Can custom tags not be passed via annotations? The idea is that certain pods should have ENIs tagged in some way and other pods in another way.

[jdn5126]

@nicoaws is the goal to place pods with certain annotations/labels behind ENIs with certain tags?

[nicoaws]

no the goal is to be able to tag pod ENIs by using annotations

[jdn5126]

no the goal is to be able to tag pod ENIs by using annotations

Ok, so you are asking about tagging the branch ENIs that are used for pods with security groups, correct? As normal ENIs can have additional tags added by setting the ADDITIONAL_ENI_TAGS: https://github.com/aws/amazon-vpc-cni-k8s#additional_eni_tags-v160 environment variable

[nicoaws]

exactly!

[jdn5126]

Since branch ENIs are created by the VPC Resource Controller, the tagging would have to happen there. I will transfer this issue to that repo

[haouc]

VPC ID
subnet ID
Security Group ID

The branch ENI assigned for pods is created with subnet and security group, thus VPC ID/Subnet ID/Security Group ID are available for every branch interface. I am not sure if your use cases with AWS Network Firewall have to use interfaces' tag and also how tagging with those info could help in general.

Customized tagging could be a bit challenging since this EKS managed service is currently not taking customized configurations yet. Please create an issue at the roadmap if you think this is a feature could help and should be supported by AWS EKS. Thanks

[nicoaws]

https://docs.aws.amazon.com/network-firewall/latest/developerguide/resource-groups.html

…

On Sat, 18 Nov 2023 at 07:11, Hao Zhou ***@***.***> wrote: VPC ID subnet ID Security Group ID The branch ENI assigned for pods is created with subnet and security group, thus VPC ID/Subnet ID/Security Group ID are available for every branch interface. I am not sure if your use cases with AWS Network Firewall have to use interfaces' tag and also how tagging with those info could help in general. Customized tagging could be a bit challenging since this EKS managed service is currently not taking customized configurations yet. Please create an issue at the roadmap <https://github.com/aws/containers-roadmap> if you think this is a feature could help and should be supported by AWS EKS. Thanks — Reply to this email directly, view it on GitHub <#333 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACLRAKI7OV5SL3WRONGI3CLYFBNTXAVCNFSM6AAAAAA7P7ZXFSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMJXGQYTSOJVGE> . You are receiving this because you authored the thread.Message ID: ***@***.***>