[Doc Improvement] VPC CNI Network Policies Troubleshooting steps #988

saiteja313 opened this issue Apr 17, 2025 · 0 comments
Hello Team,

We do not have steps to analyze network policies in case of failures by network policy manager.

Example: When I create Network Policies in EKS through VPC CNI, CNI Network manager creates Policy Endpoints and uses the Kubernetes ClusterRole eks:network-policy-controller. When a cluster is configured with Kyverno ClusterPolicies to restrict access, Policy Endpoint creation will fail. Kubernetes API Server logs should be checked to analyze the issue.

We need more troubleshooting scenarios and steps to analyze.

Also, what permissions does the network policy manager need?

kubectl get clusterroles eks:network-policy-controller -o yaml

What CRDs does the CNI install on the cluster?

$ kubectl get customresourcedefinitions | grep aws
cninodes.eks.amazonaws.com                   2025-04-16T20:20:40Z
cninodes.vpcresources.k8s.aws                2025-04-16T20:18:14Z
ingressclassparams.eks.amazonaws.com         2025-04-16T20:20:35Z
nodeclasses.eks.amazonaws.com                2025-04-16T20:20:48Z
nodediagnostics.eks.amazonaws.com            2025-04-16T20:20:48Z
policyendpoints.networking.k8s.aws           2025-04-16T20:18:14Z
securitygrouppolicies.vpcresources.k8s.aws   2025-04-16T20:18:14Z
targetgroupbindings.eks.amazonaws.com        2025-04-16T20:20:36Z

What apiservices are related to network policies?

$ kubectl get apiservices
NAME                              SERVICE                                 AVAILABLE   AGE
v1.                               Local                                   True        20h
v1.admissionregistration.k8s.io   Local                                   True        20h
v1.apiextensions.k8s.io           Local                                   True        20h
v1.apps                           Local                                   True        20h
v1.authentication.k8s.io          Local                                   True        20h
v1.authorization.k8s.io           Local                                   True        20h
v1.autoscaling                    Local                                   True        20h
v1.batch                          Local                                   True        20h
v1.certificates.k8s.io            Local                                   True        20h
v1.coordination.k8s.io            Local                                   True        20h
v1.discovery.k8s.io               Local                                   True        20h
v1.eks.amazonaws.com              Local                                   True        20h
v1.events.k8s.io                  Local                                   True        20h
v1.flowcontrol.apiserver.k8s.io   Local                                   True        20h
v1.karpenter.sh                   Local                                   True        20h
v1.metrics.eks.amazonaws.com      kube-system/eks-extension-metrics-api   True        20h
v1.networking.k8s.io              Local                                   True        20h
v1.node.k8s.io                    Local                                   True        20h
v1.policy                         Local                                   True        20h
v1.rbac.authorization.k8s.io      Local                                   True        20h
v1.scheduling.k8s.io              Local                                   True        20h
v1.storage.k8s.io                 Local                                   True        20h
v1alpha1.eks.amazonaws.com        Local                                   True        20h
v1alpha1.networking.k8s.aws       Local                                   True        20h
v1alpha1.vpcresources.k8s.aws     Local                                   True        20h
v1alpha2.scheduling.run.ai        Local                                   True        20h
v1beta1.metrics.k8s.io            kube-system/metrics-server              True        20h
v1beta1.storage.k8s.io            Local                                   True        20h
v1beta1.vpcresources.k8s.aws      Local                                   True        20h
v2.autoscaling                    Local                                   True        20h
v2.scheduling.run.ai              Local                                   True        20h
v2alpha2.scheduling.run.ai        Local                                   True        20h
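The failure described in the issue (PolicyEndpoint creation rejected by an admission policy such as a Kyverno ClusterPolicy) shows up in the API server audit log as a rejected write on policyendpoints.networking.k8s.aws. The following is an added example, not code from the issue or from the VPC CNI project: it parses JSON-lines audit events and reduces the rejected PolicyEndpoint writes to the fields a triager needs. The controller username, the webhook name in the message and the sample events are constructed assumptions.

```python
import json
from typing import Iterable

# Constructed JSON-lines audit events in the Kubernetes audit.k8s.io/v1 Event
# shape (not real cluster output; the controller username and the webhook
# message text are assumptions used for illustration).
SAMPLE_AUDIT_LINES = [
    json.dumps({"kind": "Event", "verb": "create", "user": {"username": "eks:network-policy-controller"},
                "objectRef": {"resource": "policyendpoints", "apiGroup": "networking.k8s.aws",
                              "namespace": "default", "name": "allow-web-abc12"},
                "responseStatus": {"code": 403, "message":
                    'admission webhook "validate.kyverno.svc-fail" denied the request: '
                    'policy require-owner-label failed'}}),
    json.dumps({"kind": "Event", "verb": "create", "user": {"username": "eks:network-policy-controller"},
                "objectRef": {"resource": "policyendpoints", "apiGroup": "networking.k8s.aws",
                              "namespace": "payments", "name": "deny-all-xyz34"},
                "responseStatus": {"code": 201}}),
    json.dumps({"kind": "Event", "verb": "create", "user": {"username": "system:serviceaccount:dev:ci"},
                "objectRef": {"resource": "pods", "apiGroup": "", "namespace": "dev", "name": "x"},
                "responseStatus": {"code": 403, "message": "forbidden"}}),
    "not json at all",  # audit files may contain non-event lines; the parser skips them
]

def parse_audit_lines(lines: Iterable[str]) -> list[dict]:
    """Parse JSON-lines audit output, skipping anything that is not an audit Event."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and ev.get("kind") == "Event" and "objectRef" in ev:
            events.append(ev)
    return events

def policyendpoint_failures(events: list[dict]) -> list[dict]:
    """Rejected writes (HTTP status >= 400) on policyendpoints.networking.k8s.aws; the
    message names the admission webhook when an admission policy caused the rejection."""
    failures = []
    for ev in events:
        ref, status = ev.get("objectRef", {}), ev.get("responseStatus", {})
        if (ref.get("resource"), ref.get("apiGroup")) != ("policyendpoints", "networking.k8s.aws"):
            continue
        if ev.get("verb") not in ("create", "update", "patch", "delete") or status.get("code", 0) < 400:
            continue
        msg = status.get("message", "")
        failures.append({"user": ev.get("user", {}).get("username"), "verb": ev["verb"],
                         "object": f"{ref.get('namespace')}/{ref.get('name')}", "code": status["code"],
                         "admission_webhook": "admission webhook" in msg, "message": msg})
    return failures
```

Feed it real audit output (for example, the audit log stream from the control plane) line by line; a hit whose message names an admission webhook points at the admission policy rather than at RBAC on the eks:network-policy-controller ClusterRole.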