Closed dkimdon closed 9 months ago
I believe your only option for such outbound control is via an HTTP forward proxy server like Squid etc. Network devices such as firewalls generally only work with IP addresses, although some devices historically have included HTTP proxy features as add-on features.
I found this solution that uses squid in ECS, might be what you need? https://aws.amazon.com/blogs/networking-and-content-delivery/providing-controlled-internet-access-through-centralised-proxy-servers-using-aws-fargate-and-privatelink/
Thanks for the pointer, I hadn't seen that. That squid config does look similar in function to what I'm looking for. However, it is more complex than network policies. I also don't want to be limited to http since we have at least RabbitMQ hosts that we need to provide controlled access to via the same mechanism.
There is a bit more discussion on FQDN Network Policies here: https://groups.google.com/g/kubernetes-sig-network/c/pPxnx6B_ygI
and here: https://docs.google.com/document/d/1wOO6fgY0PRToJ85yC5WFDywAhwkK0m-ynLrHW-EmuGM/edit
Let's track this as part of #2180
Tell us about your request
I would like support for FQDN Network Policies in EKS. Details on the feature are here: https://cloud.google.com/kubernetes-engine/docs/how-to/fqdn-network-policies
Which service(s) is this request for? EKS
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
I want to be able to control what hosts on the Internet pods in Kubernetes are allowed to access. I want the configuration to use FQDNs and/or wildcards, then do a DNS lookup and filter based on the resulting IP.
Our options today for egress control are:
AWS Network Firewall: This controls egress at the subnet level rather than at the pod level and doesn't use DNS to find IPs.
Security groups: Require IPs rather than FQDNs.
There are other options that involve various service meshes or changes to the CNI but I don't want to manage the CNI.
Are you currently working around this issue?
We use AWS Network Firewall.
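As an added example (not code from this thread, nor from any AWS or GKE implementation), the following Python sketch models the semantics the request describes: an allow-list of FQDN patterns with wildcards, DNS answers turned into an IP allow-set, and the TTL expiry that makes "filter on the resolved IP" harder than it sounds. The policy names, the IPs and the FAKE_DNS table are constructed stand-ins for real lookups so the code runs offline.

```python
from dataclasses import dataclass, field

# Constructed stand-in for DNS answers: name -> (ttl seconds, IPs).
# A real enforcement point would snoop or perform the actual lookups.
FAKE_DNS = {
    "api.example.com.": (60, ["192.0.2.10"]),
    "rabbit-1.mq.example.internal.": (30, ["198.51.100.15"]),
    "untrusted.example.org.": (60, ["203.0.113.9"]),
}

def fqdn_matches(fqdn: str, pattern: str) -> bool:
    """Exact name, or '*.suffix' for any label(s) under suffix.
    The bare suffix itself does not match the wildcard form."""
    fqdn, pattern = fqdn.rstrip(".").lower(), pattern.rstrip(".").lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".mq.example.internal"
        return fqdn.endswith(suffix) and fqdn != suffix[1:]
    return fqdn == pattern

@dataclass
class FqdnEgressPolicy:
    allowed: list                                 # hypothetical FQDN patterns
    # dst IP -> expiry timestamp; this is what the dataplane filters on.
    ip_allow: dict = field(default_factory=dict)

    def observe_answer(self, fqdn: str, ttl: int, ips: list, now: float) -> bool:
        """Admit the IPs from a DNS answer only if the name is in policy."""
        if not any(fqdn_matches(fqdn, p) for p in self.allowed):
            return False
        for ip in ips:
            self.ip_allow[ip] = max(self.ip_allow.get(ip, 0), now + ttl)
        return True

    def allows(self, dst_ip: str, now: float) -> bool:
        """Expired entries are dropped: after the TTL the IP may have been
        reassigned, so the pod must resolve again before connecting."""
        expiry = self.ip_allow.get(dst_ip)
        if expiry is None:
            return False
        if expiry <= now:
            del self.ip_allow[dst_ip]
            return False
        return True

def demo() -> FqdnEgressPolicy:
    """Load the constructed DNS answers into a two-pattern policy at t=0."""
    pol = FqdnEgressPolicy(["api.example.com", "*.mq.example.internal"])
    for name, (ttl, ips) in FAKE_DNS.items():
        pol.observe_answer(name, ttl, ips, now=0)
    return pol
```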