VPC CNI
Definition
The VPC CNI (Virtual Private Cloud Container Network Interface) is a networking plugin for Kubernetes that allows pods to have native AWS VPC networking capabilities. It enables Kubernetes pods to receive IP addresses from the VPC’s CIDR block, allowing them to communicate with other AWS services and resources using the VPC’s networking infrastructure. This integration provides benefits such as improved network performance, security, and scalability by leveraging AWS’s existing networking features.
Secure Settings Example
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-node
  namespace: kube-system
data:
  config.json: |
    {
      "eniConfigLabelDef": "failure-domain.beta.kubernetes.io/zone",
      "warmIpTarget": "5",
      "warmEniTarget": "1",
      "enablePodEni": "true",
      "eniConfigPolicy": "ENIConfigPolicy",
      "disableIntrospection": "true",
      "disablePodENI": "false"
    }
This configuration keeps a warm pool of IP addresses (warmIpTarget) and ENIs (warmEniTarget) ready on each node, so new pods get addresses without waiting for the plugin to attach and configure a fresh ENI, which speeds up scaling and lowers scheduling latency. disableIntrospection is set to true so that the plugin's local introspection endpoint, which reports its internal state, is not served at all.
Insecure Settings Example
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-node
  namespace: kube-system
data:
  config.json: |
    {
      "eniConfigLabelDef": "failure-domain.beta.kubernetes.io/zone",
      "warmIpTarget": "0",
      "warmEniTarget": "0",
      "enablePodEni": "false",
      "disableIntrospection": "false"
    }
In this insecure configuration, both warmIpTarget and warmEniTarget are set to 0, so no addresses or ENIs are held in reserve and every scaling event waits on fresh allocation, delaying pod start-up. In addition, disableIntrospection is set to false, which leaves the introspection endpoint enabled and exposes the plugin's internal view of the node's network configuration (ENI and IP assignments) to anything that can reach it.
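The following is an added audit helper, not part of the original page or of the VPC CNI project: it parses the config.json payload from an aws-node ConfigMap like the two above and reports the settings this page calls insecure. The two sample payloads are copied from the examples above; the helper assumes that a missing disableIntrospection key behaves like "false" (introspection enabled), and it also flags the case where enablePodEni and disablePodENI contradict each other.

```python
import json

# Constructed sample inputs: the config.json payloads from the two ConfigMaps on this page.
SECURE_CONFIG_JSON = """{
  "eniConfigLabelDef": "failure-domain.beta.kubernetes.io/zone",
  "warmIpTarget": "5",
  "warmEniTarget": "1",
  "enablePodEni": "true",
  "eniConfigPolicy": "ENIConfigPolicy",
  "disableIntrospection": "true",
  "disablePodENI": "false"
}"""

INSECURE_CONFIG_JSON = """{
  "eniConfigLabelDef": "failure-domain.beta.kubernetes.io/zone",
  "warmIpTarget": "0",
  "warmEniTarget": "0",
  "enablePodEni": "false",
  "disableIntrospection": "false"
}"""


def as_bool(value):
    """Settings arrive as strings ("true"/"false"); normalise them to bool."""
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in ("true", "1", "yes"):
        return True
    if text in ("false", "0", "no", ""):
        return False
    raise ValueError(f"not a boolean setting: {value!r}")


def as_int(value, default=0):
    """Numeric targets are strings too; a missing or empty key falls back to default."""
    return int(str(value).strip()) if value not in (None, "") else default


def audit_vpc_cni_config(config_json):
    """Return a list of findings for one config.json payload (empty list = passes)."""
    cfg = json.loads(config_json)
    findings = []
    # Assumption: an absent key means introspection stays enabled (the plugin default).
    if not as_bool(cfg.get("disableIntrospection", "false")):
        findings.append("disableIntrospection is false: introspection endpoint is exposed")
    if as_int(cfg.get("warmIpTarget")) == 0 and as_int(cfg.get("warmEniTarget")) == 0:
        findings.append("warmIpTarget and warmEniTarget are both 0: no warm pool, slow pod start-up")
    # Both pod-ENI keys appear in the secure example above; if both are set they must agree.
    if "enablePodEni" in cfg and "disablePodENI" in cfg:
        if as_bool(cfg["enablePodEni"]) == as_bool(cfg["disablePodENI"]):
            findings.append("enablePodEni and disablePodENI contradict each other")
    return findings
```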