aws / containers-roadmap

This is the public roadmap for AWS container services (ECS, ECR, Fargate, and EKS).
https://aws.amazon.com/about-aws/whats-new/containers/

[EKS] [request]: Kubernetes AdminNetworkPolicy Support #2243

Open danehans opened 9 months ago

danehans commented 9 months ago


Tell us about your request Add native Kubernetes AdminNetworkPolicy API support to the VPC CNI plugin.

Which service(s) is this request for? EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard? I'm looking for the default EKS networking plugin to implement the Kubernetes AdminNetworkPolicy API, so I can run secure, zero-trust multi-tenant clusters. The Kubernetes Network Policy v1 API does not meet my requirements, specifically user stories 1 and 2 from the upstream user stories.

Are you currently working around this issue? Replacing the VPC CNI plugin with OVN Kubernetes.

Additional context Several other CNI implementations plan to support the AdminNetworkPolicy API.

jimmyjones2 commented 1 month ago

This should also support egress restrictions based on FQDN / domain names in addition to CIDR ranges in AdminNetworkPolicy as per NPEP-133. Specifying static IPs of services is very brittle if they're hosted in a cloud environment as they can often change.

Example:

apiVersion: policy.networking.k8s.io/v1alpha1
kind: AdminNetworkPolicy
metadata:
  name: allow-my-service-egress
spec:
  priority: 55
  subject:
    namespaces:
      matchLabels:
        kubernetes.io/metadata.name: "monitoring"
  egress:
  - name: "allow-to-my-service"
    action: "Allow"
    to:
    - domainNames:
      - "my-service.com"
      - "*.cloud-provider.io"
    ports:
    - portNumber:
        protocol: TCP
        port: 443
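Added example, not code from this thread or from AWS: a small Python linter for AdminNetworkPolicy manifests that applies the constraints discussed above (priority range, one peer type per rule, domainNames only on egress peers, wildcard only as a leading "*." label per NPEP-133). The constraint set is my reading of the v1alpha1 API and the proposal, so treat it as an assumption; the sample manifest is constructed to mirror the one in the comment.

```python
import re

# Constraints as I read the AdminNetworkPolicy v1alpha1 API and the NPEP-133
# domainNames proposal (assumption; re-check against the published spec).
ACTIONS = {"Allow", "Deny", "Pass"}
INGRESS_PEERS = {"namespaces", "pods"}
EGRESS_PEERS = INGRESS_PEERS | {"nodes", "networks", "domainNames"}
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_domain(name):
    """Return an error string for an invalid domainNames entry, else None."""
    host = name[2:] if name.startswith("*.") else name  # leading "*." = subdomain wildcard
    if not all(LABEL_RE.match(label) for label in host.split(".")):
        return f"invalid domain {name!r}: wildcard only allowed as a leading '*.' label"
    return None


def validate_anp(manifest):
    """Lint one AdminNetworkPolicy object; returns a list of human-readable findings."""
    findings = []
    spec = manifest.get("spec", {})
    prio = spec.get("priority")
    if not isinstance(prio, int) or not 0 <= prio <= 1000:
        findings.append(f"spec.priority {prio!r} must be an integer in 0..1000")
    for direction, peer_key, allowed in (("ingress", "from", INGRESS_PEERS),
                                         ("egress", "to", EGRESS_PEERS)):
        for i, rule in enumerate(spec.get(direction, [])):
            where = f"spec.{direction}[{i}]"
            if rule.get("action") not in ACTIONS:
                findings.append(f"{where}.action {rule.get('action')!r} not in {sorted(ACTIONS)}")
            for j, peer in enumerate(rule.get(peer_key, [])):
                if len(set(peer) & allowed) != 1:  # also rejects domainNames on ingress peers
                    findings.append(f"{where}.{peer_key}[{j}] must set exactly one of {sorted(allowed)}")
                for err in filter(None, map(check_domain, peer.get("domainNames", []))):
                    findings.append(f"{where}.{peer_key}[{j}]: {err}")
    return findings


# Constructed sample mirroring the manifest in the comment above.
SAMPLE = {
    "apiVersion": "policy.networking.k8s.io/v1alpha1", "kind": "AdminNetworkPolicy",
    "metadata": {"name": "allow-my-service-egress"},
    "spec": {"priority": 55,
             "subject": {"namespaces": {"matchLabels": {"kubernetes.io/metadata.name": "monitoring"}}},
             "egress": [{"name": "allow-to-my-service", "action": "Allow",
                         "to": [{"domainNames": ["my-service.com", "*.cloud-provider.io"]}],
                         "ports": [{"portNumber": {"protocol": "TCP", "port": 443}}]}]},
}

if __name__ == "__main__":
    print(validate_anp(SAMPLE) or "OK")
```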