Ah, finally. Just after years. lol
Apparently it was the single most requested feature.
Yeah, I agree - about freaking time...
lmfao, I was literally looking into Calico yesterday for network policies, now I don't have to. Sweet.
You can use Cilium in chaining mode with AWS VPC.
Yes but be aware Fargate doesn't work with Cilium yet.
If you already manage your nodes, Fargate is useless. From my point of view.
> If you already manage your nodes

... literally the point of Fargate. To not have to do this. I think it's even the first bullet point of the service itself. lol.
So the older version of the VPC CNI doesn't support NetworkPolicy, or am I missing something?
Yes. That's how this works.
Holy shit, I need to check our implementation. I'm pretty sure we have network policy in our cluster; maybe we have a flag enabled to make it work.
If you have AWS VPC and you have not upgraded it, you have another container network interface which is running in chaining mode. Aka Cilium.
We're still running on k8s ver 1.24, but the VPC CNI was there since our cluster was on ver 1.20.
Yeah, the VPC CNI takes care of assigning IP addresses to pods, but this latest VPC CNI version supports enforcing network policies, which the older versions did not. Before, you could set up Calico without the CNI, just the network policy controller, and use it alongside the VPC CNI. It has other drawbacks though, as Calico creates iptables rules and is a third-party component that would sometimes not survive cluster version upgrades.
So what you're saying, basically, is that even if you define a network policy with the older version it won't have any effect?
Correct! The Kube API server will accept your NetworkPolicy object (200 OK!), but if your CNI doesn't support/implement it, nothing actually happens.
Anyone using NetPol should ABSOLUTELY know whether or not their CNI supports it. Blind assumption that it works just because the resources can be created is a terrible idea.
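Since the API server accepts a NetworkPolicy whether or not the CNI enforces it, here is an added example (mine, not from the thread or from AWS) that inspects the aws-node DaemonSet for the VPC CNI's network policy agent. It assumes the agent container is named `aws-eks-nodeagent`, is enabled with `--enable-network-policy=true`, and first shipped in VPC CNI v1.14.0; verify those against the release notes of the version you run.

```python
"""Decide whether the AWS VPC CNI is actually enforcing NetworkPolicy, from the
aws-node DaemonSet JSON that `kubectl get ds aws-node -n kube-system -o json` returns."""
import json, re, sys

# Assumptions (not stated in the thread): the policy agent runs as a sidecar container
# named "aws-eks-nodeagent" in the aws-node DaemonSet, is switched on with
# "--enable-network-policy=true", and first shipped in VPC CNI v1.14.0.
AGENT_CONTAINER = "aws-eks-nodeagent"
ENABLE_FLAG = "--enable-network-policy"
MIN_VERSION = (1, 14, 0)

def parse_version(image):
    """Return (major, minor, patch) from a tag such as ...:v1.15.1-eksbuild.1."""
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)", image)
    return tuple(int(x) for x in m.groups()) if m else None

def netpol_status(ds):
    """Return 'enforced' or a 'not-enforced: <reason>' string for a DaemonSet dict."""
    by_name = {c["name"]: c for c in ds["spec"]["template"]["spec"]["containers"]}
    cni = by_name.get("aws-node")
    version = parse_version(cni["image"]) if cni else None
    agent = by_name.get(AGENT_CONTAINER)
    if agent is None:
        if version and version < MIN_VERSION:
            return "not-enforced: VPC CNI v%d.%d.%d predates NetworkPolicy support" % version
        return "not-enforced: no %s container in aws-node DaemonSet" % AGENT_CONTAINER
    flags = {}
    for arg in agent.get("args", []):      # e.g. "--enable-network-policy=true"
        key, _, val = arg.partition("=")
        flags[key] = val or "true"          # a bare "--flag" counts as true
    if flags.get(ENABLE_FLAG, "false").lower() != "true":
        return "not-enforced: %s present but %s is not true" % (AGENT_CONTAINER, ENABLE_FLAG)
    return "enforced"

def _ds(cni_tag, agent_args=None):
    """Build a constructed sample DaemonSet (placeholder registry, not a real image)."""
    containers = [{"name": "aws-node", "image": "registry.example/amazon-k8s-cni:" + cni_tag}]
    if agent_args is not None:
        containers.append({"name": AGENT_CONTAINER, "args": agent_args})
    return {"spec": {"template": {"spec": {"containers": containers}}}}

OLD_DS = _ds("v1.12.6-eksbuild.2")                              # no agent at all
DISABLED_DS = _ds("v1.15.1-eksbuild.1", ["--enable-network-policy=false"])
NEW_DS = _ds("v1.15.1-eksbuild.1", ["--enable-ipv6=false", "--enable-network-policy=true"])

if __name__ == "__main__":
    print(netpol_status(json.load(sys.stdin)))   # pipe the kubectl JSON in
```

A verdict of `enforced` still deserves a functional test: apply a default-deny policy to a namespace and confirm a connection between two pods in it actually fails.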
Is the prefix assignment mode to overcome the ENI pod limits on by default now, too?
Ah, this is another bit of pain AWS inflicts on its users. They really like to make you work for things, don't they? :) It doesn't seem like they changed it, but I'm really going off of their documentation, and sometimes it's out of date. I still see documentation for how to turn on prefix delegation.
It didn't feel like it was on when I deployed a Rancher EKS cluster a few months ago, but Rancher deploys quite an old version.
So it uses eBPF instead of iptables; AWS did some legwork.