Custom Networking

Default Amazon VPC CNI behaviour

By default, when the Amazon VPC CNI plugin for Kubernetes creates secondary elastic network interfaces (network interfaces) for your Amazon EC2 node, it creates them in the same subnet as the node’s primary network interface. It also associates the same security groups to the secondary network interface that are associated to the primary network interface. For one or more of the following reasons, you might want the plugin to create secondary network interfaces in a different subnet or want to associate different security groups to the secondary network interfaces, or both:

  • There’s a limited number of IPv4 addresses available in the subnet that the primary network interface is in. This might limit the number of pods that you can create in the subnet. By using a different subnet for secondary network interfaces, you increase the number of IPv4 addresses available to pods.
  • For security reasons, your pods might need to use a different subnet or security groups than the node’s primary network interface.
  • The nodes are configured in public subnets, and you want to place the pods in private subnets. The route table associated to a public subnet includes a route to an internet gateway. The route table associated to a private subnet doesn’t include a route to an internet gateway.

Considerations

  • With custom networking enabled, no IP addresses assigned to the primary network interface are assigned to pods. Only IP addresses from secondary network interfaces are assigned to pods.
  • If your cluster uses the IPv6 family, you can’t use custom networking.
  • If you plan to use custom networking only to help alleviate IPv4 address exhaustion, you can create a cluster using the IPv6 family instead. For more information, see Tutorial: Assigning IPv6 addresses to pods and services.
  • Even though pods deployed to subnets specified for secondary network interfaces can use different subnet and security groups than the node’s primary network interface, the subnets and security groups must be in the same VPC as the node.
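The setup the text describes (pods on ENIs in a different subnet and security groups, selected per availability zone) is driven by two settings on the aws-node DaemonSet and one ENIConfig object per AZ. The script below is an added example, not code from the AWS documentation or the VPC CNI project: it renders the per-AZ ENIConfig manifests, prints the kubectl commands that switch the CNI to custom networking, and includes a small offline check that pod IPs really come from the pod subnet rather than the node subnet. All subnet, security group and pod names and IPs in it are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example: VPC CNI custom networking helpers (not from the AWS docs).
# Subnet/SG IDs, CIDRs, and pod names below are constructed placeholders.
set -eu

# Render one ENIConfig. Naming it after the AZ lets aws-node select it
# automatically when ENI_CONFIG_LABEL_DEF=topology.kubernetes.io/zone.
# $1 = AZ, $2 = pod subnet ID, $3 = comma-separated security group IDs
eniconfig_manifest() {
  local az subnet sgs
  az=$1; subnet=$2; sgs=$3
  cat <<EOF
apiVersion: crd.k8s.amazonaws.com/v1alpha1
kind: ENIConfig
metadata:
  name: ${az}
spec:
  subnet: ${subnet}
  securityGroups:
EOF
  printf '%s\n' "$sgs" | tr ',' '\n' | sed 's/^/    - /'
}

# The two aws-node environment settings that enable custom networking.
custom_networking_commands() {
  cat <<'EOF'
kubectl set env daemonset aws-node -n kube-system AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG=true
kubectl set env daemonset aws-node -n kube-system ENI_CONFIG_LABEL_DEF=topology.kubernetes.io/zone
EOF
}

# Dotted-quad IPv4 -> integer (POSIX sh arithmetic, no bash arrays).
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds if $1 (an IPv4 address) lies inside $2 (a CIDR such as 100.64.0.0/16).
ip_in_cidr() {
  local ip net bits mask
  ip=$(ip2int "$1")
  net=$(ip2int "${2%/*}")
  bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Check that pod IPs come from the pod CIDR, i.e. custom networking is in effect.
# stdin: "<pod> <ip>" per line, for example from
#   kubectl get pods -A --field-selector spec.hostNetwork!=true \
#     -o custom-columns=NAME:.metadata.name,IP:.status.podIP --no-headers
# (hostNetwork pods such as aws-node and kube-proxy legitimately use node IPs).
# Prints every pod outside the CIDR and fails if there is at least one.
pods_outside_cidr() {
  local cidr bad pod ip
  cidr=$1; bad=0
  while read -r pod ip; do
    [ -n "$ip" ] || continue
    if ! ip_in_cidr "$ip" "$cidr"; then
      echo "$pod $ip is not in $cidr"
      bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ]
}

# --- demo on constructed data (placeholder IDs, not a real cluster) ---
eniconfig_manifest us-west-2a subnet-0123456789abcdef0 sg-0123456789abcdef0
custom_networking_commands
# One pod still holds a node-subnet address (10.0.0.0/16 here), so the check reports it.
printf 'web-1 100.64.1.2\nweb-2 10.0.1.9\n' | pods_outside_cidr 100.64.0.0/16 \
  || echo "some pods are not using the custom-networking subnet"
```

Apply the ENIConfig objects and the two env settings, then replace the nodes: the CNI only uses custom networking for nodes that are launched after the setting is on, and because the primary ENI's addresses are no longer handed to pods (see the first consideration above), the usable max-pods value per node drops and should be recalculated. The subnets and security groups in each ENIConfig must belong to the cluster's VPC.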


Lab: https://www.eksworkshop.com/beginner/160_advanced-networking/secondary_cidr/

https://aws.github.io/aws-eks-best-practices/networking/custom-networking/