-
Notifications
You must be signed in to change notification settings - Fork 748
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Subnet discovery enhancements to skip node primary ENI and support secondary ENI security groups #3067
Comments
Its really important to have this frature.
|
Thanks for the feedback
Do you need this because you run multiple clusters per VPC? How important is this feature. Would a single cluster name tag be enough? Meaning would have you specific pod subnets designated for a specific cluster. Vs needing to mix and match within a VPC.
The discovery of the subnets happens, only if we need to create an allocate a ENI, that will be when the ip address is exhaustion, or more IPs are requested for warm pool. If a new subnet is tagged while node is running, that would be discovered next time VPC CNI needs to allocate an ENI. |
I suppose we should be good at this moment even without cluster tag, all non-routable for every cluster in vpc can use same non-routable subnets. we can go with mix-match within vpc.
We need this functionality on update to SG either through auto-instance refresh else new rules added through additional security group will not be picked up by the pods |
@mikestef9 This proposed solution will work for us. This is a crucial issue that needs to be addressed urgently. We need the ability to provision smaller VPCs and expand them over time. Creating large CIDR VPCs can lead to wasted IP addresses. |
Happy to hear your comment on the implementation in #3121 over tagging the subnet for skipping the primary. |
What would you like to be added:
Enhanced subnet discovery (launch blog) provides an improved UX compared to "custom networking", but doesn't yet support all of the capabilities of custom networking, notably, ability to run pods in separate subnets from nodes, and attach separate security group(s) to the pods running on secondary ENIs in alternate subnets.
To run pods only in secondary subnets and not primary node subnet:
Support tag key/value of
kubernetes.io/role/cni=0
which would instruct VPC CNI to skip using that subnet for pods. Users could tag node subnets with this key/value pair. In this case, the value of the tag key (1 vs 0) now matters with enhanced subnet discovery.To apply alternate security groups to pods running in secondary subnets:
Support tag key/value of
kubernetes.io/role/cni=1
on security groups in the VPC. The VPC CNI would discover these security groups at startup, and these would only be applied to ENIs launched in secondary subnets discovered using the subnet discovery feature.Why is this needed:
To support the use case of pods and nodes running in separate subnets that is possible with custom networking, but with the improved UX of subnet discovery.
The text was updated successfully, but these errors were encountered: