The details can be found in Proposal: CNI plugin for Kubernetes networking over AWS VPC. The Troubleshooting Guide provides tips on how to debug and troubleshoot this CNI.

### ENI Allocation

When a worker node first joins the cluster, it has only one ENI, together with all of that ENI's addresses. Without any configuration, ipamd always tries to keep one extra ENI attached.

When the number of pods running on the node exceeds the number of addresses on a single ENI, the CNI backend starts allocating a new ENI and uses the following allocation scheme.

For example, an m4.4xlarge node can have up to 8 ENIs, and each ENI can have up to 30 IP addresses; see the Elastic Network Interfaces documentation for details. Each ENI's primary address is reserved for the ENI itself and is not handed to a pod, which is why each ENI contributes 30 - 1 = 29 pod addresses:

* If the number of currently running pods is between 0 and 29, ipamd allocates one more ENI, and the warm-pool size is 2 ENIs * (30 - 1) = 58.
* If the number of currently running pods is between 30 and 58, ipamd allocates two more ENIs, and the warm-pool size is 3 ENIs * (30 - 1) = 87.

For a detailed explanation, see WARM_ENI_TARGET, WARM_IP_TARGET and MINIMUM_IP_TARGET.

### CNI Configuration Variables

The Amazon VPC CNI plugin for Kubernetes supports a number of configuration options, which are set through environment variables. The following environment variables are available, and all of them are optional.

#### AWS_VPC_CNI_NODE_PORT_SUPPORT

Specifies whether NodePort services are enabled on a worker node's primary network interface. This requires additional iptables rules and that the kernel's reverse path filter on the primary interface is set to loose (rp_filter=2). Loose mode accepts a packet as long as its source address is reachable through any interface, which is a weaker anti-spoofing check than strict mode, so keep this in mind when auditing node hardening settings.

#### AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG

Specifies that your pods may use subnets and security groups that are independent of your worker node's VPC configuration. By default, pods share the same subnet and security groups as the worker node's primary interface. Setting this variable to true causes ipamd to use the security groups and VPC subnet in a worker node's ENIConfig for elastic network interface allocation. You must create an ENIConfig custom resource for each subnet that your pods will reside in, and then annotate or label each worker node to use a specific ENIConfig (multiple worker nodes can be annotated or labelled with the same ENIConfig). Worker nodes can only be annotated with a single ENIConfig at a time, and the subnet in the ENIConfig must belong to the same Availability Zone that the worker node resides in. For more information, see CNI Custom Networking.

#### ENI_CONFIG_ANNOTATION_DEF

Specifies the node annotation key whose value names the ENIConfig to use. This should be used when AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG=true. Note that annotations take precedence over labels.

#### ENI_CONFIG_LABEL_DEF

Specifies the node label key whose value names the ENIConfig to use. This should be used when AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG=true. Note that annotations will take precedence over labels. To select an ENIConfig based upon availability zone, set this to the node's availability-zone label key [only the trailing `/zone` of the key survives on this page] and create an ENIConfig custom resource for each availability zone. This will be ignored if the annotation key (the default key ending in eniConfig, or the key defined in ENI_CONFIG_ANNOTATION_DEF) is not set on the node.

#### AWS_VPC_ENI_MTU

Used to configure the MTU size for attached ENIs.

#### AWS_VPC_K8S_CNI_EXTERNALSNAT

Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and the off-VPC IP rule are not applied, and these rules are removed if they have already been applied. Disable SNAT if you need to allow inbound communication to your pods from external VPNs, direct connections, and external VPCs, and your pods do not need to access the Internet directly via an Internet Gateway. In that case your nodes must be running in a private subnet and connected to the internet through an AWS NAT Gateway or another external NAT device. With SNAT disabled, pod traffic leaves the node with the pod's own VPC address as its source rather than the node's primary address, so the VPC route tables and the external NAT device must be able to route and translate those addresses.

#### AWS_VPC_K8S_CNI_RANDOMIZESNAT

Specifies whether the SNAT iptables rule should randomize the outgoing ports for connections, which makes source ports harder to predict and reduces port collisions when many pods share the node's address. This setting takes effect when AWS_VPC_K8S_CNI_EXTERNALSNAT=false, which is the default setting. The default setting for AWS_VPC_K8S_CNI_RANDOMIZESNAT is [value truncated on this page]. Setting it to prng means that --random-fully will be added to the SNAT iptables rule; on kernels that do not support --random-fully, this option falls back to --random.
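The ENI allocation scheme described above, worked through as a small model. This is an added example and not code from the amazon-vpc-cni-k8s project. It assumes what the text states: one address per ENI is the ENI's primary address and is never handed to a pod (the `30 - 1`), ipamd keeps `WARM_ENI_TARGET` spare ENIs (default 1, the "one extra ENI"), and the instance type caps the number of ENIs. The m4.4xlarge figures (8 ENIs, 30 addresses each) are the ones quoted in the text; other instance types need their own limits. The model generalizes the two bands in the text to the whole node.

```python
"""Model of the ipamd ENI allocation scheme.

Added example, not part of the amazon-vpc-cni-k8s project. Assumptions:
the primary address of each ENI is not a pod address, ipamd keeps
WARM_ENI_TARGET spare ENIs (default 1), and the instance type caps ENIs.
"""
import math


def enis_for_pods(pods: int, ips_per_eni: int, max_enis: int,
                  warm_eni_target: int = 1) -> int:
    """Number of ENIs ipamd would keep attached with `pods` pods running."""
    if pods < 0 or ips_per_eni < 2 or max_enis < 1 or warm_eni_target < 0:
        raise ValueError("invalid parameters")
    usable = ips_per_eni - 1                     # primary address is not a pod address
    occupied = max(1, math.ceil(pods / usable))  # ENIs the running pods already need
    if occupied > max_enis:
        raise ValueError(f"{pods} pods exceed the node's {max_enis * usable} pod addresses")
    # The warm ENI(s) sit on top of what pods occupy, capped by the instance limit.
    return min(max_enis, occupied + warm_eni_target)


def warm_pool(pods: int, ips_per_eni: int, max_enis: int, warm_eni_target: int = 1):
    """Return (attached ENIs, pool size, free pod addresses).

    Pool size follows the text: attached ENIs * (addresses per ENI - 1)."""
    enis = enis_for_pods(pods, ips_per_eni, max_enis, warm_eni_target)
    pool = enis * (ips_per_eni - 1)
    return enis, pool, pool - pods


def allocation_table(ips_per_eni: int, max_enis: int, warm_eni_target: int = 1):
    """Pod-count bands at which ipamd attaches another ENI, for the whole node.

    Each row is (lowest pods, highest pods, attached ENIs, pool size)."""
    usable = ips_per_eni - 1
    rows = []
    for occupied in range(1, max_enis + 1):
        low = 0 if occupied == 1 else (occupied - 1) * usable + 1
        high = occupied * usable
        enis = min(max_enis, occupied + warm_eni_target)
        rows.append((low, high, enis, enis * usable))
    return rows


if __name__ == "__main__":
    # Reproduces the two bands quoted in the text and the rest of the m4.4xlarge table.
    for low, high, enis, pool in allocation_table(ips_per_eni=30, max_enis=8):
        print(f"pods {low:3d}-{high:3d}: {enis} ENIs attached, warm-pool size {pool}")
```

The first two rows are the 58 and 87 from the text; the last row shows that once all 8 ENIs are attached the pool stops growing at 232 pod addresses. Note that the warm ENI holds subnet addresses even on an idle node, so across many nodes the warm pool alone can exhaust a small subnet, which is worth checking before sizing subnets for custom networking.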
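A pre-flight check for the custom networking rules described above (ENIConfig per subnet, node annotation or label selecting the ENIConfig, annotations winning over labels, and the ENIConfig's subnet having to be in the node's Availability Zone). This is an added example and not code from the amazon-vpc-cni-k8s project. It assumes the upstream default key `k8s.amazonaws.com/eniConfig` for both `ENI_CONFIG_ANNOTATION_DEF` and `ENI_CONFIG_LABEL_DEF`, the node zone label `topology.kubernetes.io/zone`, and a subnet-to-zone map that in practice would come from `aws ec2 describe-subnets`; the node, ENIConfig and subnet data is constructed sample data.

```python
"""Pre-flight check for AWS VPC CNI custom networking: which ENIConfig a node
selects, and whether that ENIConfig is usable from the node's Availability Zone.

Added example, not part of the amazon-vpc-cni-k8s project. Key names, zone label
and the subnet->zone map are assumptions; all sample data is constructed.
"""
from dataclasses import dataclass

DEFAULT_ENI_CONFIG_KEY = "k8s.amazonaws.com/eniConfig"  # upstream default key (assumed)
ZONE_LABEL = "topology.kubernetes.io/zone"               # node zone label (assumed)


@dataclass(frozen=True)
class ENIConfig:
    name: str
    subnet: str                   # spec.subnet of the ENIConfig resource
    security_groups: tuple = ()   # spec.securityGroups


def select_eniconfig_name(node, annotation_key=DEFAULT_ENI_CONFIG_KEY,
                          label_key=DEFAULT_ENI_CONFIG_KEY):
    """Name of the ENIConfig the node resolves to, or None if neither key is set.

    The annotation wins over the label, as the text states."""
    meta = node["metadata"]
    name = meta.get("annotations", {}).get(annotation_key)
    return name if name else meta.get("labels", {}).get(label_key)


def check_node(node, configs, subnet_zone, annotation_key=DEFAULT_ENI_CONFIG_KEY,
               label_key=DEFAULT_ENI_CONFIG_KEY):
    """Findings for one node; an empty list means the node is consistent."""
    meta = node["metadata"]
    node_name, node_zone = meta["name"], meta.get("labels", {}).get(ZONE_LABEL)
    name = select_eniconfig_name(node, annotation_key, label_key)
    if name is None:
        return [f"{node_name}: no ENIConfig selected; pods will use the primary ENI's subnet and security groups"]
    cfg = configs.get(name)
    if cfg is None:
        return [f"{node_name}: ENIConfig {name!r} does not exist; ipamd cannot allocate ENIs from it"]
    findings = []
    zone = subnet_zone.get(cfg.subnet)
    if zone is None:
        findings.append(f"{node_name}: subnet {cfg.subnet} of ENIConfig {name!r} is not a known subnet")
    elif zone != node_zone:
        # The text requires the ENIConfig subnet to be in the node's own zone.
        findings.append(f"{node_name}: ENIConfig {name!r} uses {cfg.subnet} in {zone}, but the node is in {node_zone}")
    if not cfg.security_groups:
        findings.append(f"{node_name}: ENIConfig {name!r} lists no security groups; verify which groups its ENIs will get")
    return findings


def check_cluster(nodes, configs, subnet_zone, **keys):
    """Map of node name -> findings, for all nodes."""
    return {n["metadata"]["name"]: check_node(n, configs, subnet_zone, **keys) for n in nodes}


# Constructed sample data: one ENIConfig per zone plus a locked-down one.
CONFIGS = {c.name: c for c in (
    ENIConfig("us-east-1a", "subnet-0a1", ("sg-pods",)),
    ENIConfig("us-east-1b", "subnet-0b1", ("sg-pods",)),
    ENIConfig("restricted", "subnet-0a2", ("sg-restricted",)),
)}
SUBNET_ZONE = {"subnet-0a1": "us-east-1a", "subnet-0a2": "us-east-1a", "subnet-0b1": "us-east-1b"}
NODES = [
    {"metadata": {"name": "node-1", "labels": {ZONE_LABEL: "us-east-1a", DEFAULT_ENI_CONFIG_KEY: "us-east-1a"}}},
    # Label points at us-east-1b, but the annotation wins and selects the restricted config.
    {"metadata": {"name": "node-2", "labels": {ZONE_LABEL: "us-east-1a", DEFAULT_ENI_CONFIG_KEY: "us-east-1b"},
                  "annotations": {DEFAULT_ENI_CONFIG_KEY: "restricted"}}},
    # Mislabelled: node sits in us-east-1b but is pointed at the us-east-1a subnet.
    {"metadata": {"name": "node-3", "labels": {ZONE_LABEL: "us-east-1b", DEFAULT_ENI_CONFIG_KEY: "us-east-1a"}}},
]

if __name__ == "__main__":
    for node, findings in check_cluster(NODES, CONFIGS, SUBNET_ZONE).items():
        print(node, "OK" if not findings else findings)
    # Zone-keyed selection: ENI_CONFIG_LABEL_DEF set to the zone label, ENIConfigs named after zones.
    print(check_cluster(NODES, CONFIGS, SUBNET_ZONE, label_key=ZONE_LABEL))
```

With the default keys, node-3 is flagged because its selected subnet is in another zone; with `label_key` set to the zone label (the per-zone pattern the text describes for `ENI_CONFIG_LABEL_DEF`), every node resolves to the ENIConfig named after its own zone and the check passes. node-2 shows why the precedence rule matters: its label alone would have produced a zone mismatch, but the annotation overrides it.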