Cloud Native Lou presentation October
- k8s SIG Network update
- Ingress-nginx CVE discussion
- k8s and networking book review
- AWS Container and Networking
7. Ingress-nginx CVE-2021-25742
● Disable config snippets
● Multitenant environments where non-admin users have permissions to create Ingress objects are most affected by this issue.
● Secrets can be accessed by malicious config snippet
Set allow-snippet-annotations to false in your ingress-nginx
https://github.com/kubernetes/ingress-nginx/issues/7837
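An added audit helper (not from the talk or the ingress-nginx project) that checks the two things the slide calls out: whether the controller ConfigMap still allows snippets, and which Ingress objects in the cluster carry a snippet annotation. It reads the JSON shapes that `kubectl get configmap ... -o json` and `kubectl get ingress -A -o json` produce; the embedded ConfigMap and Ingress documents are constructed sample data.

```python
"""Audit ingress-nginx snippet exposure (CVE-2021-25742) from kubectl JSON output."""
import json

PREFIX = "nginx.ingress.kubernetes.io/"


def snippets_allowed(configmap: dict) -> bool:
    """True unless the ConfigMap explicitly sets allow-snippet-annotations to "false".

    An absent key is treated as allowed, which is the default in the affected releases.
    """
    value = configmap.get("data", {}).get("allow-snippet-annotations", "true")
    return value.strip().lower() != "false"


def find_snippet_ingresses(ingress_list: dict) -> list:
    """Return (namespace, name, annotation) for every *-snippet annotation in use.

    Covers server-snippet, configuration-snippet, auth-snippet, stream-snippet, etc.
    """
    hits = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        for key in meta.get("annotations", {}):
            if key.startswith(PREFIX) and key[len(PREFIX):].endswith("-snippet"):
                hits.append((meta.get("namespace", "default"), meta["name"], key))
    return hits


def audit(configmap_json: str, ingress_json: str) -> dict:
    """Combine both checks into one report dict."""
    return {
        "snippets_allowed": snippets_allowed(json.loads(configmap_json)),
        "snippet_ingresses": find_snippet_ingresses(json.loads(ingress_json)),
    }


# Constructed sample data: a ConfigMap without the key, and two Ingress objects,
# one of which uses a (harmless) server-snippet annotation.
SAMPLE_CONFIGMAP = json.dumps({"kind": "ConfigMap", "data": {"use-forwarded-headers": "true"}})
SAMPLE_INGRESSES = json.dumps({"items": [
    {"metadata": {"namespace": "team-a", "name": "web", "annotations": {
        PREFIX + "server-snippet": "add_header X-Demo 1;"}}},
    {"metadata": {"namespace": "team-b", "name": "api", "annotations": {
        PREFIX + "rewrite-target": "/"}}},
]})

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_CONFIGMAP, SAMPLE_INGRESSES), indent=2))
```

A report with `snippets_allowed` true and a non-empty `snippet_ingresses` list means the cluster is still exposed and the listed tenants' Ingress objects need review before the setting is flipped.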
12. EKS Anywhere
● Run on-prem, laptop, vSphere
● EKS Connector
● Demo - https://aws.amazon.com/blogs/containers/introducing-general-availability-of-amazon-eks-anywhere/
● More Info - https://aws.amazon.com/eks/eks-anywhere/
13. Network Review – Customer-Managed VPC
[Diagram: VPC 192.168.0.0/16 spanning three Availability Zones, each with a public subnet and a private subnet; NAT gateway, Internet gateway, security group, and the EKS Control Plane.]
14. Network Review – Customer-Managed VPC
AWS NETWORK REVIEW
[Diagram: the same VPC 192.168.0.0/16 layout with node groups placed in the subnets and connected to the EKS Control Plane.]
18. CNI IPAMD
Amazon VPC CNI Components
● Amazon VPC CNI: configures the ENI; responsible for the pod’s networking stack
● IPAM daemon responsible for: pool of IP addresses; assigning out IP addresses
20. AWS VPC CNI Configuration Variables
AMAZON VPC CNI
1. AWS_VPC_CNI_NODE_PORT_SUPPORT – Node port support on worker nodes
2. AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG – Security group creation per pod
3. AWS_VPC_ENI_MTU – MTU setting
4. AWS_VPC_K8S_CNI_EXTERNAL_SNAT – Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses
5. WARM_ENI_TARGET – Number of ENI IP addresses to keep ready
6. AWS_VPC_K8S_CNI_EXCLUDE_SNAT_CIDRS – Exclude CIDRs from SNAT
22. EKS Communication
AWS EKS CLUSTER
[Diagram: the EKS Control Plane lives in the EKS-managed VPC; the node group and its ENI live in the customer VPC; an application user reaches the application, and an admin reaches the EKS control plane with kubectl.]
23. EKS Networking Mode - Public Endpoint Only
AWS EKS CLUSTER
[Diagram: kubectl reaches the EKS Control Plane (EKS-managed VPC, Availability Zone 1) over the public endpoint; kubelet and kube-proxy on the nodes in the customer VPC (AZ 1) reach the control plane through the EKS-owned ENI.]
24. EKS Networking Mode – Public and Private Endpoint Only
AWS EKS CLUSTER
[Diagram: as above, with a Private Hosted Zone for the cluster endpoint (example: 56d02fd4cb4ef6f7.eks.amazonaws.com) so that kubelet and kube-proxy in the customer VPC resolve to the EKS-owned ENI, while kubectl may still use the public endpoint.]
25. EKS Networking Mode – Private Endpoint Only
AWS EKS CLUSTER
[Diagram: the cluster endpoint (example: 56d02fd4cb4ef6f7.eks.amazonaws.com) resolves only within the customer VPC; kubectl, kubelet and kube-proxy all reach the EKS Control Plane through the EKS-owned ENI.]
26. VPC Subnet Considerations
AWS EKS CLUSTER
1. Public Only – Using only public subnets. Nodes and ingress resources, load balancers, are deployed in the same public subnets.
2. Private Only – Using only private subnets. Nodes are instantiated in private subnets.
3. Public and Private – Using public and private subnets. Nodes are deployed in the private subnets and ingress resources (like load balancers) are instantiated in the public subnets.
27. AWS ALB Ingress Controller
AWS ALB AND ALB INGRESS CONTROLLER LAB
[Diagram: AWS resources (ALB) beside a K8s cluster of three nodes running the Ping, Admin and Data pods behind NodePort (NP) services; the ALB Controller watches the API Server and programs the ALB; numbered steps 1–5; example NodePort 30040 on node 192.168.1.7.]