List Separation, Adjustment of name of Addon #1027

Merged (9 commits) on Jun 10, 2025
33 changes: 13 additions & 20 deletions latest/ug/networking/cni-network-policy-configure.adoc
Expand Up @@ -99,7 +99,7 @@ Use the following procedure to enable the network policy parameter for the add-o
. In the left navigation pane, select *Clusters*, and then select the name of the cluster that you want to configure the Amazon VPC CNI add-on for.
. Choose the *Add-ons* tab.
. Select the box in the top right of the add-on box and then choose *Edit*.
. On the *Configure [.replaceable]`name of add-on`* page:
. On the *Configure `Amazon VPC CNI`* page:
+
.. Select a `v1.14.0-eksbuild.3` or later version in the *Version* list.
.. Expand the *Optional configuration settings*.
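Review bot: The rewritten `. On the *Configure ...* page:` line rightly stops marking the add-on name as a `[.replaceable]` placeholder, since `Amazon VPC CNI` is the label the console actually shows rather than a value the reader substitutes, but wrapping it in backticks puts it in monospace while every other UI label in these steps (*Add-ons*, *Edit*, *Version*) is bold only. Suggest `. On the *Configure Amazon VPC CNI* page:`. Note that the equivalent lines in `network-policies-troubleshooting.adoc` in this same PR keep `[.replaceable]`, so whichever form is chosen should be applied to both files.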
Expand Down Expand Up @@ -173,23 +173,29 @@ sudo mount -t bpf bpffs /sys/fs/bpf
[#cni-network-policy-setup]
== Step 4: Configure your cluster to use Kubernetes network policies

Configure the cluster to use Kubernetes network policies. You can set this for an Amazon EKS add-on or self-managed add-on.
You can set this for an Amazon EKS add-on or self-managed add-on.


[#cni-network-policy-setup-procedure-add-on]
.Amazon EKS add-on
[%collapsible]
====

[#cni-network-policy-setup-console]
[discrete]
=== {aws-management-console}
Using the {aws} CLI, you can configure the cluster to use Kubernetes network policies by running the following command. Replace `my-cluster` with the name of your cluster and the IAM role ARN with the role that you are using.
[source,shell,subs="verbatim,attributes"]
----
aws eks update-addon --cluster-name my-cluster --addon-name vpc-cni --addon-version v1.14.0-eksbuild.3 \
--service-account-role-arn {arn-aws}iam::123456789012:role/AmazonEKSVPCCNIRole \
--resolve-conflicts PRESERVE --configuration-values '{"enableNetworkPolicy": "true"}'
----

To configure this using the {aws} Management Console, follow the below steps:

. Open the link:eks/home#/clusters[Amazon EKS console,type="console"].
. In the left navigation pane, select *Clusters*, and then select the name of the cluster that you want to configure the Amazon VPC CNI add-on for.
. Choose the *Add-ons* tab.
. Select the box in the top right of the add-on box and then choose *Edit*.
. On the *Configure [.replaceable]`name of addon`* page:
. On the *Configure `Amazon VPC CNI`* page:
+
.. Select a `v1.14.0-eksbuild.3` or later version in the *Version* list.
.. Expand the *Optional configuration settings*.
Expand All @@ -204,19 +210,6 @@ The following screenshot shows an example of this scenario.
+
image::images/console-cni-config-network-policy.png[{aws-management-console} showing the VPC CNI add-on with network policy in the optional configuration.,scaledwidth=80%]

[#cni-network-policy-setup-cli]
[discrete]
=== {aws} CLI

. Run the following {aws} CLI command. Replace `my-cluster` with the name of your cluster and the IAM role ARN with the role that you are using.
+
[source,shell,subs="verbatim,attributes"]
----
aws eks update-addon --cluster-name my-cluster --addon-name vpc-cni --addon-version v1.14.0-eksbuild.3 \
--service-account-role-arn {arn-aws}iam::123456789012:role/AmazonEKSVPCCNIRole \
--resolve-conflicts PRESERVE --configuration-values '{"enableNetworkPolicy": "true"}'
----

====

[#cni-network-policy-setup-procedure-self-managed-add-on]
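Review bot: The CLI paragraph and its `[source]` block now sit directly under the `=== {aws-management-console}` heading while the `[#cni-network-policy-setup-cli]` anchor and `=== {aws} CLI` heading are deleted, so the heading no longer describes the first content beneath it and any `xref` to `cni-network-policy-setup-cli` elsewhere in the docs will stop resolving. Either keep the CLI anchor and heading above the command, or search the repository for references to the removed id before merging. Two smaller points in the same hunk: the new opening line `You can set this for an Amazon EKS add-on or self-managed add-on.` loses the sentence that gave "this" its referent (the deleted `Configure the cluster to use Kubernetes network policies.`), so keep that lead sentence; and there is no blank line between `... the role that you are using.` and `[source,shell,subs="verbatim,attributes"]`, which the rest of the file always has before a listing block. `follow the below steps` would read better as `follow these steps`.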
Expand Down Expand Up @@ -306,4 +299,4 @@ You can now deploy Kubernetes network policies to your cluster.

To implement Kubernetes network policies you create Kubernetes `NetworkPolicy` objects and deploy them to your cluster. `NetworkPolicy` objects are scoped to a namespace. You implement policies to allow or deny traffic between Pods based on label selectors, namespaces, and IP address ranges. For more information about creating `NetworkPolicy` objects, see https://kubernetes.io/docs/concepts/services-networking/network-policies/#networkpolicy-resource[Network Policies] in the Kubernetes documentation.

Enforcement of Kubernetes `NetworkPolicy` objects is implemented using the Extended Berkeley Packet Filter (eBPF). Relative to `iptables` based implementations, it offers lower latency and performance characteristics, including reduced CPU utilization and avoiding sequential lookups. Additionally, eBPF probes provide access to context rich data that helps debug complex kernel level issues and improve observability. Amazon EKS supports an eBPF-based exporter that leverages the probes to log policy results on each node and export the data to external log collectors to aid in debugging. For more information, see the https://ebpf.io/what-is-ebpf/#what-is-ebpf[eBPF documentation].
Enforcement of Kubernetes `NetworkPolicy` objects is implemented using the Extended Berkeley Packet Filter (eBPF). Relative to `iptables` based implementations, it offers lower latency and performance characteristics, including reduced CPU utilization and avoiding sequential lookups. Additionally, eBPF probes provide access to context rich data that helps debug complex kernel level issues and improve observability. Amazon EKS supports an eBPF-based exporter that leverages the probes to log policy results on each node and export the data to external log collectors to aid in debugging. For more information, see the https://ebpf.io/what-is-ebpf/#what-is-ebpf[eBPF documentation].
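Review bot: The removed and added `Enforcement of Kubernetes ...` lines are character-for-character identical in the rendered view, so this hunk is most likely a trailing-whitespace or end-of-file newline change. If it adds the missing final newline that is fine; otherwise it is diff noise worth reverting so the history stays limited to the list separation and add-on name changes named in the PR title.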
4 changes: 2 additions & 2 deletions latest/ug/networking/network-policies-troubleshooting.adoc
Expand Up @@ -42,7 +42,7 @@ Network policy logs require an additional 1 vCPU for the `aws-network-policy-age
.. In the left navigation pane, select *Clusters*, and then select the name of the cluster that you want to configure the Amazon VPC CNI add-on for.
.. Choose the *Add-ons* tab.
.. Select the box in the top right of the add-on box and then choose *Edit*.
.. On the *Configure [.replaceable]`name of addon`* page:
.. On the *Configure [.replaceable]`Amazon VPC CNI`* page:
+
... Select a `v1.14.0-eksbuild.3` or later version in the *Version* dropdown list.
... Expand the *Optional configuration settings*.
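Review bot: `[.replaceable]` is kept around `Amazon VPC CNI` in the `.. On the *Configure ...* page:` line, which marks a fixed add-on name as a user-substituted placeholder and renders it in placeholder style; the corresponding line in `cni-network-policy-configure.adoc` in this PR drops the role. Suggest `.. On the *Configure Amazon VPC CNI* page:` so the two files agree.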
Expand Down Expand Up @@ -162,7 +162,7 @@ Only the network policy logs are sent by the node agent. Other logs made by the
.. In the left navigation pane, select *Clusters*, and then select the name of the cluster that you want to configure the Amazon VPC CNI add-on for.
.. Choose the *Add-ons* tab.
.. Select the box in the top right of the add-on box and then choose *Edit*.
.. On the *Configure [.replaceable]`name of addon`* page:
.. On the *Configure [.replaceable]`Amazon VPC CNI`* page:
+
... Select a `v1.14.0-eksbuild.3` or later version in the *Version* dropdown list.
... Expand the *Optional configuration settings*.
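Review bot: Same point as the first hunk in this file: `[.replaceable]` should not wrap the literal add-on name `Amazon VPC CNI`; use `.. On the *Configure Amazon VPC CNI* page:` to match the treatment in `cni-network-policy-configure.adoc`.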