Name: amazon-vpc-cni-k8s
Author: aws

Primary Use Case

This tool is used to provide native AWS VPC networking capabilities to Kubernetes pods, allowing each pod to have its own IP address from the VPC. It is primarily used by Kubernetes cluster administrators running workloads on AWS to optimize network performance, IP address management, and security within their clusters.

Key Features

Integrates Kubernetes pod networking with AWS Elastic Network Interfaces (ENIs)

Includes a CNI plugin to configure pod network stack

Node-local IP Address Management daemon (ipamd) for IP allocation and warm-pool maintenance

Supports configuration via Kubernetes manifests and Helm charts

Provides IAM policy requirements for secure AWS API interactions

Automated testing with nightly CI workflows

Supports customization of kubelet network plugin settings and max pods per node

Detailed troubleshooting and best practice documentation

Insights & Recommendations

It is recommended to set the kubelet --max-pods parameter based on the instance type's ENI and IP address limits to avoid pod scheduling failures. Proper IAM policies must be configured to allow the plugin to interact with AWS APIs securely. Users should refer to the troubleshooting guide and AWS EKS best practices for networking to optimize deployment and resolve issues.

Installation

Download the latest aws-k8s-cni.yaml from the config directory
Apply the manifest to the Kubernetes cluster using: kubectl apply -f aws-k8s-cni.yaml
Launch kubelet with network plugins set to cni (--network-plugin=cni)
Configure kubelet with CNI directories (--cni-config-dir and --cni-bin-dir)
Set kubelet node IP to the primary IPv4 address of the primary ENI (--node-ip=$(curl http://169.254.169.254/latest/meta-data/local-ipv4))
Optionally set kubelet --max-pods according to ENI and IP limits for the instance type
Alternatively, install using the Helm chart eks/aws-vpc-cni

Usage

kubectl apply -f aws-k8s-cni.yaml

Deploys the AWS VPC CNI plugin to the Kubernetes cluster.

make

Builds the Linux binaries for the CNI plugin.

make docker

Builds a Docker container image containing the compiled binaries.

make docker-unit-tests

Runs unit tests inside a Docker container.

Launch kubelet with --network-plugin=cni --cni-config-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin --node-ip=$(curl http://169.254.169.254/latest/meta-data/local-ipv4)

Configures kubelet to use the AWS VPC CNI plugin with appropriate network and IP settings.

Smart Usage Notes

Leverage the plugin to segment Kubernetes pod networks by assigning unique ENI IPs, reducing lateral movement risk.Integrate with AWS IAM policies to automate least privilege access for network operations, enhancing security automation.Use the IP address warm-pool management feature to optimize network resource allocation and prevent IP exhaustion attacks.Combine with Kubernetes Network Policies for layered firewall management and improved network monitoring visibility.Incorporate into CI/CD pipelines to automate security configuration validation and ensure consistent network security posture.

OpenSec Atlas

amazon-vpc-cni-k8s

About This Tool

Primary Use Case

Key Features

Insights & Recommendations

Installation

Usage

Smart Usage Notes

Security Capability Profile

Tags

You Might Also Like