---
# Source: aws-vpc-cni/crds/customresourcedefinition.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: eniconfigs.crd.k8s.amazonaws.com
spec:
scope: Cluster
group: crd.k8s.amazonaws.com
preserveUnknownFields: false
versions:
- name: v1alpha1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
description: ENIConfig is the Schema for the eniconfigs API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: ENIConfigSpec defines the desired state of ENIConfig
properties:
securityGroups:
items:
type: string
type: array
subnet:
type: string
required:
- subnet
type: object
status:
description: ENIConfigStatus defines the observed state of ENIConfig
type: object
names:
plural: eniconfigs
singular: eniconfig
kind: ENIConfig
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.3
creationTimestamp: null
labels:
app.kubernetes.io/name: amazon-network-policy-controller-k8s
name: policyendpoints.networking.k8s.aws
spec:
group: networking.k8s.aws
names:
kind: PolicyEndpoint
listKind: PolicyEndpointList
plural: policyendpoints
singular: policyendpoint
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: PolicyEndpoint is the Schema for the policyendpoints API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: PolicyEndpointSpec defines the desired state of PolicyEndpoint
properties:
egress:
description: Egress is the list of egress rules containing resolved
network addresses
items:
description: EndpointInfo defines the network endpoint information
for the policy ingress/egress
properties:
cidr:
description: CIDR is the network address(s) of the endpoint
type: string
except:
description: Except is the exceptions to the CIDR ranges mentioned
above.
items:
type: string
type: array
ports:
description: Ports is the list of ports
items:
description: Port contains information about the transport
port/protocol
properties:
endPort:
description: Endport specifies the port range port to
endPort port must be defined and an integer, endPort
> port
format: int32
type: integer
port:
description: Port specifies the numerical port for the
protocol. If empty applies to all ports
format: int32
type: integer
protocol:
default: TCP
description: Protocol specifies the transport protocol,
default TCP
type: string
type: object
type: array
required:
- cidr
type: object
type: array
ingress:
description: Ingress is the list of ingress rules containing resolved
network addresses
items:
description: EndpointInfo defines the network endpoint information
for the policy ingress/egress
properties:
cidr:
description: CIDR is the network address(s) of the endpoint
type: string
except:
description: Except is the exceptions to the CIDR ranges mentioned
above.
items:
type: string
type: array
ports:
description: Ports is the list of ports
items:
description: Port contains information about the transport
port/protocol
properties:
endPort:
description: Endport specifies the port range port to
endPort port must be defined and an integer, endPort
> port
format: int32
type: integer
port:
description: Port specifies the numerical port for the
protocol. If empty applies to all ports
format: int32
type: integer
protocol:
default: TCP
description: Protocol specifies the transport protocol,
default TCP
type: string
type: object
type: array
required:
- cidr
type: object
type: array
podIsolation:
description: PodIsolation specifies whether the pod needs to be isolated
for a particular traffic direction Ingress or Egress, or both. If
default isolation is not specified, and there are no ingress/egress
rules, then the pod is not isolated from the point of view of this
policy. This follows the NetworkPolicy spec.PolicyTypes.
items:
description: PolicyType string describes the NetworkPolicy type
This type is beta-level in 1.8
type: string
type: array
podSelector:
description: PodSelector is the podSelector from the policy resource
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the key
and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship to
a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
podSelectorEndpoints:
description: PodSelectorEndpoints contains information about the pods
matching the podSelector
items:
description: PodEndpoint defines the summary information for the
pods
properties:
hostIP:
description: HostIP is the IP address of the host the pod is
currently running on
type: string
name:
description: Name is the pod name
type: string
namespace:
description: Namespace is the pod namespace
type: string
podIP:
description: PodIP is the IP address of the pod
type: string
required:
- hostIP
- name
- namespace
- podIP
type: object
type: array
policyRef:
description: PolicyRef is a reference to the Kubernetes NetworkPolicy
resource.
properties:
name:
description: Name is the name of the Policy
type: string
namespace:
description: Namespace is the namespace of the Policy
type: string
required:
- name
- namespace
type: object
required:
- policyRef
type: object
status:
description: PolicyEndpointStatus defines the observed state of PolicyEndpoint
type: object
type: object
served: true
storage: true
subresources:
status: {}
---
# Source: aws-vpc-cni/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: aws-node
namespace: kube-system
labels:
app.kubernetes.io/name: aws-node
app.kubernetes.io/instance: aws-vpc-cni
k8s-app: aws-node
app.kubernetes.io/version: "v1.19.2"
---
# Source: aws-vpc-cni/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: amazon-vpc-cni
namespace: kube-system
labels:
app.kubernetes.io/name: aws-node
app.kubernetes.io/instance: aws-vpc-cni
k8s-app: aws-node
app.kubernetes.io/version: "v1.19.2"
data:
enable-windows-ipam: "false"
enable-network-policy-controller: "false"
enable-windows-prefix-delegation: "false"
warm-prefix-target: "0"
warm-ip-target: "1"
minimum-ip-target: "3"
branch-eni-cooldown: "60"
---
# Source: aws-vpc-cni/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: aws-node
labels:
app.kubernetes.io/name: aws-node
app.kubernetes.io/instance: aws-vpc-cni
k8s-app: aws-node
app.kubernetes.io/version: "v1.19.2"
rules:
- apiGroups:
- crd.k8s.amazonaws.com
resources:
- eniconfigs
verbs: ["list", "watch", "get"]
- apiGroups: [""]
resources:
- namespaces
verbs: ["list", "watch", "get"]
- apiGroups: [""]
resources:
- pods
verbs: ["list", "watch", "get"]
- apiGroups: [""]
resources:
- nodes
verbs: ["list", "watch", "get"]
- apiGroups: ["", "events.k8s.io"]
resources:
- events
verbs: ["create", "patch", "list"]
- apiGroups: ["networking.k8s.aws"]
resources:
- policyendpoints
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.aws"]
resources:
- policyendpoints/status
verbs: ["get"]
- apiGroups:
- vpcresources.k8s.aws
resources:
- cninodes
verbs: ["get", "list", "watch", "patch"]
---
# Source: aws-vpc-cni/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: aws-node
labels:
app.kubernetes.io/name: aws-node
app.kubernetes.io/instance: aws-vpc-cni
k8s-app: aws-node
app.kubernetes.io/version: "v1.19.2"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: aws-node
subjects:
- kind: ServiceAccount
name: aws-node
namespace: kube-system
---
# Source: aws-vpc-cni/templates/daemonset.yaml
kind: DaemonSet
apiVersion: apps/v1
metadata:
name: aws-node
namespace: kube-system
labels:
app.kubernetes.io/name: aws-node
app.kubernetes.io/instance: aws-vpc-cni
k8s-app: aws-node
app.kubernetes.io/version: "v1.19.2"
spec:
updateStrategy:
rollingUpdate:
maxUnavailable: 10%
type: RollingUpdate
selector:
matchLabels:
k8s-app: aws-node
template:
metadata:
labels:
app.kubernetes.io/name: aws-node
app.kubernetes.io/instance: aws-vpc-cni
k8s-app: aws-node
spec:
priorityClassName: "system-node-critical"
serviceAccountName: aws-node
hostNetwork: true
initContainers:
- name: aws-vpc-cni-init
image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni-init:v1.19.2
imagePullPolicy: Always
env:
- name: DISABLE_TCP_EARLY_DEMUX
value: "false"
- name: ENABLE_IPv6
value: "false"
securityContext:
privileged: true
resources:
requests:
cpu: 25m
volumeMounts:
- mountPath: /host/opt/cni/bin
name: cni-bin-dir
terminationGracePeriodSeconds: 10
tolerations:
- operator: Exists
securityContext:
{}
containers:
- name: aws-node
image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.19.2
ports:
- containerPort: 61678
name: metrics
livenessProbe:
exec:
command:
- /app/grpc-health-probe
- -addr=:50051
- -connect-timeout=5s
- -rpc-timeout=5s
initialDelaySeconds: 60
timeoutSeconds: 10
readinessProbe:
exec:
command:
- /app/grpc-health-probe
- -addr=:50051
- -connect-timeout=5s
- -rpc-timeout=5s
initialDelaySeconds: 1
timeoutSeconds: 10
env:
- name: ADDITIONAL_ENI_TAGS
value: "{}"
- name: AWS_VPC_CNI_NODE_PORT_SUPPORT
value: "true"
- name: AWS_VPC_ENI_MTU
value: "9001"
- name: AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG
value: "false"
- name: AWS_VPC_K8S_CNI_EXTERNALSNAT
value: "false"
- name: AWS_VPC_K8S_CNI_LOGLEVEL
value: "DEBUG"
- name: AWS_VPC_K8S_CNI_LOG_FILE
value: "/host/var/log/aws-routed-eni/ipamd.log"
- name: AWS_VPC_K8S_CNI_RANDOMIZESNAT
value: "prng"
- name: AWS_VPC_K8S_CNI_VETHPREFIX
value: "eni"
- name: AWS_VPC_K8S_PLUGIN_LOG_FILE
value: "/var/log/aws-routed-eni/plugin.log"
- name: AWS_VPC_K8S_PLUGIN_LOG_LEVEL
value: "DEBUG"
- name: DISABLE_INTROSPECTION
value: "false"
- name: DISABLE_METRICS
value: "false"
- name: DISABLE_NETWORK_RESOURCE_PROVISIONING
value: "false"
- name: ENABLE_IPv4
value: "true"
- name: ENABLE_IPv6
value: "false"
- name: ENABLE_POD_ENI
value: "false"
- name: ENABLE_PREFIX_DELEGATION
value: "false"
- name: ENABLE_SUBNET_DISCOVERY
value: "true"
- name: NETWORK_POLICY_ENFORCING_MODE
value: "standard"
- name: VPC_CNI_VERSION
value: "v1.19.2"
- name: WARM_ENI_TARGET
value: "1"
- name: WARM_PREFIX_TARGET
value: "1"
- name: MY_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: MY_POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
resources:
requests:
cpu: 25m
securityContext:
capabilities:
add:
- NET_ADMIN
- NET_RAW
volumeMounts:
- mountPath: /host/opt/cni/bin
name: cni-bin-dir
- mountPath: /host/etc/cni/net.d
name: cni-net-dir
- mountPath: /host/var/log/aws-routed-eni
name: log-dir
- mountPath: /var/run/aws-node
name: run-dir
- mountPath: /run/xtables.lock
name: xtables-lock
- name: aws-eks-nodeagent
image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-network-policy-agent:v1.1.6
imagePullPolicy: Always
env:
- name: MY_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
args:
- --enable-ipv6=false
- --enable-network-policy=false
- --enable-cloudwatch-logs=false
- --enable-policy-event-logs=false
- --log-file=/var/log/aws-routed-eni/network-policy-agent.log
- --metrics-bind-addr=:8162
- --health-probe-bind-addr=:8163
- --conntrack-cache-cleanup-period=300
resources:
requests:
cpu: 25m
securityContext:
capabilities:
add:
- NET_ADMIN
privileged: true
volumeMounts:
- mountPath: /host/opt/cni/bin
name: cni-bin-dir
- mountPath: /sys/fs/bpf
name: bpf-pin-path
- mountPath: /var/log/aws-routed-eni
name: log-dir
- mountPath: /var/run/aws-node
name: run-dir
volumes:
- name: bpf-pin-path
hostPath:
path: /sys/fs/bpf
- name: cni-bin-dir
hostPath:
path: /opt/cni/bin
- name: cni-net-dir
hostPath:
path: /etc/cni/net.d
- name: log-dir
hostPath:
path: /var/log/aws-routed-eni
type: DirectoryOrCreate
- name: run-dir
hostPath:
path: /var/run/aws-node
type: DirectoryOrCreate
- name: xtables-lock
hostPath:
path: /run/xtables.lock
type: FileOrCreate
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/os
operator: In
values:
- linux
- key: kubernetes.io/arch
operator: In
values:
- amd64
- arm64
- key: eks.amazonaws.com/compute-type
operator: NotIn
values:
- fargate
- hybrid
- auto