Pod Security Group

Add policy to cluster IAM role

Bash:

```bash
ROLE_NAME="<cluster role name>"
REGION="<region code>"

aws iam attach-role-policy \
    --policy-arn arn:aws:iam::aws:policy/AmazonEKSVPCResourceController \
    --role-name "$ROLE_NAME" \
    --region "$REGION"
```

PowerShell:

```powershell
$ROLE_NAME="<cluster role name>"
$REGION="<region code>"

aws iam attach-role-policy `
    --policy-arn arn:aws:iam::aws:policy/AmazonEKSVPCResourceController `
    --role-name $ROLE_NAME `
    --region $REGION
```

See the AWS documentation for this step.

Update aws-node daemonset environment variable

Warning: run these commands before creating node groups or Fargate profiles.

Bash:

```bash
kubectl set env daemonset aws-node -n kube-system ENABLE_POD_ENI=true

kubectl patch daemonset aws-node \
  -n kube-system \
  -p '{"spec": {"template": {"spec": {"initContainers": [{"env":[{"name":"DISABLE_TCP_EARLY_DEMUX","value":"true"}],"name":"aws-vpc-cni-init"}]}}}}'
```

PowerShell:

```powershell
kubectl set env daemonset aws-node -n kube-system ENABLE_POD_ENI=true

kubectl patch daemonset aws-node `
  -n kube-system `
  -p '{"spec": {"template": {"spec": {"initContainers": [{"env":[{"name":"DISABLE_TCP_EARLY_DEMUX","value":"true"}],"name":"aws-vpc-cni-init"}]}}}}'
```

See the AWS documentation for this step.

Create SecurityGroupPolicy

security-group-policy.yaml:

```yaml
apiVersion: vpcresources.k8s.aws/v1beta1
kind: SecurityGroupPolicy
metadata:
  name: <security group policy name>
  namespace: <namespace>
spec:
  podSelector:
    matchLabels:
      app: nginx # labels of the pods that should receive the security groups
  securityGroups:
    groupIds:
      - sg-abc123   # security group id
```

Apply it to the cluster:

```bash
kubectl apply -f security-group-policy.yaml
```
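The following POSIX shell script is an added example, not code from this page or from AWS: it ties the three steps above together (attach the policy, enable pod ENIs on `aws-node`, render and apply a `SecurityGroupPolicy`) and adds a verification step. By default it is a dry run that only prints each command; `DRY_RUN=0` executes them. The role name, region, namespace, `app=nginx` label and `sg-0123456789abcdef0` defaults are constructed placeholders, and the verification relies on the VPC resource controller annotating a pod with `vpc.amazonaws.com/pod-eni` once it has been given a branch ENI.

```shell
#!/bin/sh
# setup-pod-sg.sh: wraps the three steps on this page (attach the policy, set
# ENABLE_POD_ENI and DISABLE_TCP_EARLY_DEMUX on aws-node, apply a
# SecurityGroupPolicy) and adds a verification step. Defaults to a dry run
# that only prints each command; set DRY_RUN=0 to execute them.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# Print a command, and execute it only when DRY_RUN=0.
run() {
  printf '%s\n' "$*"
  if [ "$DRY_RUN" = 0 ]; then "$@"; fi
}

# Accept only well-formed security group ids (sg- followed by 8 or 17 hex
# characters) so a typo is rejected before anything reaches the cluster.
valid_sg_id() {
  printf '%s\n' "$1" | grep -Eq '^sg-([0-9a-f]{8}|[0-9a-f]{17})$'
}

# Step 1: attach the managed policy to the cluster IAM role.
# IAM is a global service; --region is kept only to mirror the page's command.
attach_policy() {
  run aws iam attach-role-policy \
    --policy-arn arn:aws:iam::aws:policy/AmazonEKSVPCResourceController \
    --role-name "$1" --region "$2"
}

# Step 2: enable pod ENIs on the aws-node daemonset (before creating node groups).
enable_pod_eni() {
  run kubectl set env daemonset aws-node -n kube-system ENABLE_POD_ENI=true
  run kubectl patch daemonset aws-node -n kube-system -p \
    '{"spec":{"template":{"spec":{"initContainers":[{"env":[{"name":"DISABLE_TCP_EARLY_DEMUX","value":"true"}],"name":"aws-vpc-cni-init"}]}}}}'
}

# Step 3: render a SecurityGroupPolicy manifest to stdout.
# Usage: render_sgp <name> <namespace> <label key> <label value> <sg id>...
render_sgp() {
  sgp_name="$1"; sgp_ns="$2"; sgp_key="$3"; sgp_value="$4"; shift 4
  for sgp_id in "$@"; do
    valid_sg_id "$sgp_id" || { echo "invalid security group id: $sgp_id" >&2; return 1; }
  done
  cat <<EOF
apiVersion: vpcresources.k8s.aws/v1beta1
kind: SecurityGroupPolicy
metadata:
  name: $sgp_name
  namespace: $sgp_ns
spec:
  podSelector:
    matchLabels:
      $sgp_key: $sgp_value
  securityGroups:
    groupIds:
EOF
  for sgp_id in "$@"; do printf '      - %s\n' "$sgp_id"; done
}

# Write the rendered manifest to a file (so it can be reviewed or committed) and apply it.
apply_sgp() {
  sgp_file="$(mktemp)"
  render_sgp "$@" > "$sgp_file"
  run kubectl apply -f "$sgp_file"
}

# Verification: ENABLE_POD_ENI must be present on aws-node, and each selected pod
# should carry the vpc.amazonaws.com/pod-eni annotation once it has a branch ENI.
verify() {
  run kubectl get daemonset aws-node -n kube-system \
    -o jsonpath='{.spec.template.spec.containers[0].env[?(@.name=="ENABLE_POD_ENI")].value}'
  run kubectl get pods -n "$1" -l "$2=$3" \
    -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.annotations.vpc\.amazonaws\.com/pod-eni}{"\n"}{end}'
}

# Constructed placeholder defaults; override them through the environment.
ROLE_NAME="${ROLE_NAME:-my-cluster-role}"
REGION="${REGION:-us-east-1}"
NAMESPACE="${NAMESPACE:-default}"
SG_IDS="${SG_IDS:-sg-0123456789abcdef0}"   # space-separated list

attach_policy "$ROLE_NAME" "$REGION"
enable_pod_eni
# shellcheck disable=SC2086  # SG_IDS is intentionally word-split into several ids
apply_sgp nginx-sgp "$NAMESPACE" app nginx $SG_IDS
verify "$NAMESPACE" app nginx
```

Run it once without `DRY_RUN` to review the plan, then `DRY_RUN=0 ROLE_NAME=<cluster role name> REGION=<region code> NAMESPACE=<namespace> SG_IDS="sg-... sg-..." sh setup-pod-sg.sh` to apply. The id check matters because the `SecurityGroupPolicy` is applied as-is by the controller: a mistyped id silently leaves the selected pods without the intended security groups.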