SNATing for pod IP space to be done only when leaving a private network #44

k10a · 2018-03-02T02:19:58Z

Pods in a VPC can talk to:

Internet
Pods or Instances in another VPC that is connected with a VPC peering connection.
Instances or pods in other AWS accounts, but the VPCs involved are part of the same network space and are reachable to each other eg: using architecture like transit-vpc
Resources on prem directly reachable using a private IP space using aws components like Direct Connect Gateway.

SNATing should not be done in cases 2-4.
What IP space should involve NATing should be configurable instead of defaulting to VPC CIDR

Line 99 in eb8fc86

    
           natCmd := []string{"!", "-d", vpcCIDR.String(), "-m", "comment", "--comment", "AWS, SNAT",

incognick · 2018-03-30T14:14:36Z

Is this being addressed? Currently in the EKS preview I cannot access Pods through a VPC peering connection that are assigned secondary IPs.

liwenwu-amazon · 2018-06-28T20:58:35Z

this should be addressed by PR #81

incognick · 2018-09-19T18:12:43Z

@liwenwu-amazon ~~This is still an issue. I have updated to the latest CNI~~ Will use the environment var - AWS_VPC_K8S_CNI_EXTERNALSNAT

lbernail mentioned this issue Mar 29, 2018

Routing Issue Outside VPC #53

Closed

liwenwu-amazon added this to the v1.1 milestone Jun 22, 2018

liwenwu-amazon closed this as completed Jun 28, 2018

chiplux mentioned this issue Apr 1, 2022

Change Image Name on yaml manifest based on the version (vpc-cni v1.8.0) #1947

Closed

Provide feedback