Implementing network policies in EKS with VPC CNI plugins
To implement network policies in Amazon EKS with VPC CNI plugins, we need to do the following steps:
- Create an EKS Cluster: Start by setting up an EKS cluster, which is a managed Kubernetes service that simplifies the process of running Kubernetes on AWS.
- Configure VPC CNI plugin: The VPC CNI plugin is Amazon’s networking plugin that assigns an elastic network interface (ENI) to each Kubernetes pod for direct VPC networking. Configuring it involves setting properties for the plugin like image, log level, enabling IPv6 support, and others.
- Set Network Policies in EKS: Kubernetes network policies specify how groups of pods are allowed to communicate with each other and with other network endpoints. It's how you enforce rules at the network level within your cluster.
Below is a Pulumi program in TypeScript that demonstrates these steps:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as eks from "@pulumi/eks";
import * as k8s from "@pulumi/kubernetes";

// Create an EKS cluster.
const cluster = new eks.Cluster("my-cluster", {
    // Specify additional options if needed.
});

// At the time of creating the EKS Cluster, we can specify the VPC CNI plugin options.
// Here is where you can specify the properties of the VPC CNI plugin, for example:
const vpcCni = new eks.VpcCni("my-vpc-cni", {
    // Associate the cluster's kubeconfig with the VPC CNI to apply the configuration.
    kubeconfig: cluster.kubeconfig.apply(JSON.stringify),
    // Enable Prefix Delegation for improved IP address utilization.
    enablePrefixDelegation: true,
    // Other VPC CNI configuration ...
}, { provider: cluster.provider });
// The above step is critical in EKS for network policies to work correctly.
// Note: the API server accepts NetworkPolicy objects whether or not anything enforces them;
// they only take effect when a policy engine is running in the cluster (network-policy
// support in the VPC CNI, or a separate engine such as Calico). Without one they are
// silently ignored, so verify enforcement rather than assuming it.

// Assuming the EKS cluster and the VPC CNI plugin are now configured,
// we can create Kubernetes network policies to implement the desired network access controls.
// For example, here's how to define a simple Network Policy that denies all ingress:
const denyAllIngress = new k8s.networking.v1.NetworkPolicy("deny-all-ingress", {
    metadata: { namespace: "default" },
    spec: {
        podSelector: {}, // Selects all pods in the namespace.
        policyTypes: ["Ingress"], // No ingress rules are listed, so no ingress is allowed.
    },
}, { provider: cluster.provider });

// Another, more specific example, allowing traffic to a particular pod from a set of IPs:
const allowFromCertainIps = new k8s.networking.v1.NetworkPolicy("allow-from-certain-ips", {
    metadata: { namespace: "default" },
    spec: {
        podSelector: {
            matchLabels: {
                app: "myapp",
            },
        },
        ingress: [
            {
                from: [
                    { ipBlock: { cidr: "192.168.0.0/24" } },
                    // Add more sources as needed.
                ],
                ports: [
                    { protocol: "TCP", port: 80 },
                    // Specify additional ports/services here.
                ],
            },
        ],
        policyTypes: ["Ingress"],
    },
}, { provider: cluster.provider });

// Export the cluster's kubeconfig.
export const kubeconfig = cluster.kubeconfig;
```
In this program, we are doing the following:
- Importing the necessary Pulumi libraries for AWS, EKS, and Kubernetes.
- Creating an EKS cluster with default options.
- Configuring the VPC CNI plugin with options like enabling prefix delegation to improve IPAM. This is done alongside the cluster creation.
- Defining Kubernetes network policies:
  - `denyAllIngress`: A default-deny policy that denies all ingress traffic to all pods in the default namespace.
  - `allowFromCertainIps`: A policy that allows traffic to pods with the label `app: myapp` in the default namespace from a specified CIDR range of `192.168.0.0/24` on TCP port 80.
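The two policies above only behave as intended because of how Kubernetes combines them: a pod selected by any Ingress-type policy becomes isolated, and it then accepts only traffic that at least one rule of at least one selecting policy allows (rules are additive; there is no deny rule). The following evaluator, an added example that is not part of the original program or of Pulumi, models those semantics over the same spec fields the program passes to `k8s.networking.v1.NetworkPolicy`, so a policy set can be checked offline before it is applied. It simplifies on purpose (assumptions): IPv4 only, `podSelector` peers are limited to the policy's own namespace, and `namespaceSelector` is not modelled. The pods and flows at the bottom are constructed sample data.

```typescript
// Added example (not from the original page or from Pulumi): a small evaluator for the
// Kubernetes NetworkPolicy ingress semantics the Pulumi program above relies on.
// Assumptions: IPv4 only; podSelector peers match only pods in the policy's namespace;
// namespaceSelector is not modelled.

type Labels = Record<string, string>;
interface LabelSelector { matchLabels?: Labels }
interface IpBlock { cidr: string; except?: string[] }
interface Peer { ipBlock?: IpBlock; podSelector?: LabelSelector }
interface PolicyPort { protocol?: "TCP" | "UDP" | "SCTP"; port?: number }
interface IngressRule { from?: Peer[]; ports?: PolicyPort[] }
interface NetworkPolicy {
    name: string;
    namespace: string;
    spec: { podSelector: LabelSelector; ingress?: IngressRule[]; policyTypes?: ("Ingress" | "Egress")[] };
}
interface Pod { namespace: string; labels: Labels }
interface Source { ip: string; pod?: Pod } // pod is set when the sender is a cluster pod

// Dotted-quad IPv4 address to an unsigned 32-bit integer.
function ipToInt(ip: string): number {
    return ip.split(".").reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

// True when ip falls inside cidr ("a.b.c.d/n"); a bare address is treated as /32.
function cidrContains(cidr: string, ip: string): boolean {
    const parts = cidr.split("/");
    const bits = parts.length > 1 ? Number(parts[1]) : 32;
    const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
    return ((ipToInt(parts[0]) & mask) >>> 0) === ((ipToInt(ip) & mask) >>> 0);
}

// An empty selector ({} or no matchLabels) selects every pod.
function selects(sel: LabelSelector, labels: Labels): boolean {
    return Object.entries(sel.matchLabels ?? {}).every(([k, v]) => labels[k] === v);
}

function peerMatches(peer: Peer, src: Source, policyNs: string): boolean {
    if (peer.ipBlock) {
        const inExcept = (peer.ipBlock.except ?? []).some(c => cidrContains(c, src.ip));
        return cidrContains(peer.ipBlock.cidr, src.ip) && !inExcept;
    }
    if (peer.podSelector) {
        return src.pod !== undefined && src.pod.namespace === policyNs && selects(peer.podSelector, src.pod.labels);
    }
    return false;
}

function portMatches(p: PolicyPort, protocol: string, port: number): boolean {
    return (p.protocol ?? "TCP") === protocol && (p.port === undefined || p.port === port);
}

// A pod selected by any Ingress policy in its namespace is isolated and only receives traffic
// matched by some rule of some selecting policy; an unselected pod accepts everything.
function ingressAllowed(policies: NetworkPolicy[], src: Source, dst: Pod,
                        protocol: "TCP" | "UDP" | "SCTP", port: number): boolean {
    const selecting = policies.filter(p => {
        const types: string[] = p.spec.policyTypes ?? ["Ingress"]; // Ingress is implied when omitted
        return p.namespace === dst.namespace && types.includes("Ingress") && selects(p.spec.podSelector, dst.labels);
    });
    if (selecting.length === 0) return true;
    return selecting.some(p => (p.spec.ingress ?? []).some(rule => {
        const fromOk = !rule.from || rule.from.length === 0 || rule.from.some(peer => peerMatches(peer, src, p.namespace));
        const portOk = !rule.ports || rule.ports.length === 0 || rule.ports.some(pp => portMatches(pp, protocol, port));
        return fromOk && portOk;
    }));
}

// The two policies from the Pulumi program above, written as plain objects.
const pagePolicies: NetworkPolicy[] = [
    { name: "deny-all-ingress", namespace: "default", spec: { podSelector: {}, policyTypes: ["Ingress"] } },
    { name: "allow-from-certain-ips", namespace: "default", spec: {
        podSelector: { matchLabels: { app: "myapp" } },
        ingress: [{ from: [{ ipBlock: { cidr: "192.168.0.0/24" } }], ports: [{ protocol: "TCP", port: 80 }] }],
        policyTypes: ["Ingress"] } },
];

// Constructed sample pods: two in the guarded namespace, one in a namespace with no policies.
const myapp: Pod = { namespace: "default", labels: { app: "myapp" } };
const sidekick: Pod = { namespace: "default", labels: { app: "sidekick" } };
const unguarded: Pod = { namespace: "staging", labels: { app: "myapp" } };

// Flows a reviewer would want confirmed before applying the policies.
function checkPagePolicies(): Record<string, boolean> {
    return {
        myappFromAllowedCidrPort80: ingressAllowed(pagePolicies, { ip: "192.168.0.10" }, myapp, "TCP", 80),
        myappFromOtherCidrPort80: ingressAllowed(pagePolicies, { ip: "10.0.0.5" }, myapp, "TCP", 80),
        myappFromAllowedCidrPort443: ingressAllowed(pagePolicies, { ip: "192.168.0.10" }, myapp, "TCP", 443),
        sidekickFromAllowedCidr: ingressAllowed(pagePolicies, { ip: "192.168.0.10" }, sidekick, "TCP", 80),
        stagingPodNoPolicy: ingressAllowed(pagePolicies, { ip: "10.0.0.5" }, unguarded, "TCP", 80),
    };
}

console.log(checkPagePolicies());
```

The last result is the one worth noticing: the `staging` pod accepts every flow because no policy selects it. A default-deny policy is per namespace, so each namespace that should be locked down needs its own.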
The `kubeconfig` of the created cluster is exported at the end so you can use it to interact with your cluster with `kubectl`.
For more information, you can refer to the following documentation:
Please adjust the network policies to match your specific access control requirements for the
Ensure you have your AWS credentials configured and Pulumi installed to run this program. The policies defined are quite restrictive and should be tailored to allow the specific traffic necessary for your application to function properly.