CV and personal site of Andy Hunt
Posted: Monday 17 May 2021 @ 14:14:20
Amazon Elastic Kubernetes Service (EKS) is AWS' managed Kubernetes offering, and it goes a long way towards simplifying the running and maintenance of Kubernetes clusters. It's very good and easy to get started with, but it has one easy-to-miss gap: the networking plugin it installs out of the box, the Amazon VPC CNI plugin, handles pod networking only. At the time of writing it does not enforce NetworkPolicy objects at all.
A Container Network Interface (CNI) plugin is an implementation of the Container Network Interface standard, which the CNI project describes as follows:
CNI (Container Network Interface), a Cloud Native Computing Foundation project, consists of a specification and libraries for writing plugins to configure network interfaces in Linux containers, along with a number of supported plugins. CNI concerns itself only with network connectivity of containers and removing allocated resources when the container is deleted.
In Kubernetes, NetworkPolicy is only an API: the control plane validates and stores the objects, but enforcing them is left to whatever network plugin or policy engine is running on the nodes. Network policies express rules about what traffic may flow to and from pods in a namespace, such as restricting ingress to the pods of an internal micro-service to the pods that make up a frontend service. If nothing on the nodes implements them, they are never enforced.
I learned through trial and error that Kubernetes will happily accept valid NetworkPolicy objects via the API when nothing in the cluster enforces them. It will take them in, report them as created, and silently do nothing with them. Whatever policies you've written, no matter how simple, will not be enforced, and nothing in the API will tell you so: a policy that is meant to fail closed fails open instead.
I found the simplest solution was to install Project Calico on the cluster. On EKS it runs alongside the Amazon VPC CNI plugin and supplies the NetworkPolicy enforcement the default setup lacks. It was the simplest solution because Amazon provides reasonably good documentation on how to install it. It more or less boils down to running the following two commands (the first installs the Calico operator, the second tells the operator to deploy Calico):
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/master/config/master/calico-operator.yaml
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/master/config/master/calico-crs.yaml
If your cluster is in one of the AWS China regions it's a bit more involved than that; see the AWS docs.
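A way to prove the silent-failure behaviour described above, and to verify an installation like the one just described, as an added example that is not code from this post, from AWS or from Project Calico: a POSIX shell script that applies the frontend-only ingress policy mentioned earlier, then probes the backend pod from a pod labelled app=frontend and from an unrelated pod. With nothing enforcing NetworkPolicy both probes succeed; with Calico (or any other policy engine) running, only the frontend probe succeeds. The image tags, the namespace name and the mapping of curl exit codes to verdicts are assumptions.

```shell
#!/bin/sh
# netpol_check.sh: prove whether NetworkPolicy is actually enforced on the
# cluster kubectl currently points at. Added example for this post; it is not
# code from the post, from AWS or from Project Calico.
# Assumptions: the cluster can pull nginx and curlimages/curl from Docker Hub,
# the namespace below is free, and curl exit codes 28/7 mean dropped/refused.
set -eu

NS="${NETPOL_CHECK_NS:-netpol-check}"

# Namespace, a backend pod, and the policy from the post: only pods labelled
# app=frontend may reach pods labelled app=backend on TCP/80. Once a policy
# selects the backend pod, all other ingress to it is denied.
manifest() {
  ns="$1"
  cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: ${ns}
---
apiVersion: v1
kind: Pod
metadata:
  name: backend
  namespace: ${ns}
  labels:
    app: backend
spec:
  containers:
  - name: web
    image: nginx:1.25-alpine
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-allow-frontend-only
  namespace: ${ns}
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 80
EOF
}

# Turn the two probe results into a verdict. $1 and $2 are curl exit codes
# from the frontend pod and from an unrelated pod: 0 = connected,
# 28 = timed out (packets dropped), 7 = connection refused.
verdict() {
  if [ "$1" -eq 0 ] && [ "$2" -eq 0 ]; then
    echo NOT_ENFORCED        # API accepted the policy, nothing applies it
  elif [ "$1" -eq 0 ] && { [ "$2" -eq 28 ] || [ "$2" -eq 7 ]; }; then
    echo ENFORCED
  else
    echo INCONCLUSIVE        # backend unreachable even from the frontend
  fi
}

# Start a throwaway curl pod carrying the given label and print curl's exit
# code for a request to the target. kubectl exec propagates that exit code.
probe() {
  kubectl -n "$NS" run "$1" --image=curlimages/curl:8.5.0 --labels="$2" \
    --restart=Never -- sleep 600 >/dev/null
  kubectl -n "$NS" wait --for=condition=Ready "pod/$1" --timeout=120s >/dev/null
  set +e
  kubectl -n "$NS" exec "$1" -- curl -s -m 5 -o /dev/null "http://$3/"
  rc=$?
  set -e
  echo "$rc"
}

run_check() {
  manifest "$NS" | kubectl apply -f -
  kubectl -n "$NS" wait --for=condition=Ready pod/backend --timeout=120s
  target=$(kubectl -n "$NS" get pod backend -o jsonpath='{.status.podIP}')
  frontend_rc=$(probe frontend app=frontend "$target")
  other_rc=$(probe other app=other "$target")
  result=$(verdict "$frontend_rc" "$other_rc")
  echo "frontend->backend curl exit $frontend_rc, other->backend curl exit $other_rc: $result"
  kubectl delete namespace "$NS" --wait=false >/dev/null
  [ "$result" = ENFORCED ]   # non-zero exit when policies are silently ignored
}

# Only touch the cluster when asked: `sh netpol_check.sh run`.
if [ "${1:-}" = run ]; then run_check; fi
```

Run it as `sh netpol_check.sh run` against the cluster before installing Calico to see the silent failure, then again afterwards once the Calico pods are ready; it exits non-zero unless the unrelated pod is blocked, so it can gate a pipeline. Later releases of the Amazon VPC CNI plugin added optional native NetworkPolicy enforcement, but it is off unless explicitly enabled, so the same check is worth running on a cluster that relies on it.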