What this PR does / why we need it:
As per the AWS docs for AWS VPC CNI security groups per pod, pods using security groups per pod will be assigned `vlan*` interfaces on the nodes, not `eni*` interfaces as with pods not making use of this functionality. This means that currently kube2iam can either be set up to capture IAM traffic from pods making use of security groups per pod, or those not using it, but not both, unless you pass the interface as `+`, thus capturing all EC2 metadata traffic for the entire host.

Based on existing functionality to allow negative matching of interfaces in uswitch/kiam introduced by https://github.com/uswitch/kiam/pull/54
Which issue this PR fixes
Special notes:
Checklist chart
N/A
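To illustrate the interface-matching gap described in the PR body, here is an added example (not kube2iam's or this PR's code) that models how an iptables `-i` interface spec decides which pods' EC2 metadata traffic gets redirected to kube2iam. It assumes a leading `!` as the negation syntax (hypothetical; the PR's actual syntax may differ), the interface names are constructed, and the DNAT rule is modelled on the PREROUTING rule in kube2iam's README.

```python
from typing import Dict, List

IMDS_IP = "169.254.169.254"  # EC2 instance metadata service address
KUBE2IAM_PORT = 8181         # proxy port used in kube2iam's README (assumption)


def iface_matches(spec: str, iface: str) -> bool:
    """iptables -i semantics: a trailing '+' is a wildcard for any suffix;
    a leading '!' inverts the match (assumed negation syntax, not the PR's)."""
    negate = spec.startswith("!")
    pattern = spec[1:] if negate else spec
    if pattern.endswith("+"):
        hit = iface.startswith(pattern[:-1])
    else:
        hit = iface == pattern
    return not hit if negate else hit


def dnat_rule(spec: str, node_ip: str) -> List[str]:
    """Build the PREROUTING DNAT rule (modelled on kube2iam's README) that
    sends metadata traffic arriving on matching interfaces to kube2iam."""
    negate = spec.startswith("!")
    pattern = spec[1:] if negate else spec
    iface_args = (["!"] if negate else []) + ["-i", pattern]
    return (["iptables", "-t", "nat", "-A", "PREROUTING", "-p", "tcp",
             "-d", IMDS_IP, "--dport", "80"] + iface_args +
            ["-j", "DNAT", "--to-destination", f"{node_ip}:{KUBE2IAM_PORT}"])


def captured(spec: str, ifaces: List[str]) -> Dict[str, bool]:
    """Which interfaces have their IMDS traffic redirected under `spec`?
    Any False entry means that traffic reaches the real IMDS unintercepted."""
    return {i: iface_matches(spec, i) for i in ifaces}


# Constructed names: regular CNI pod interfaces (eni*), security-group-per-pod
# interfaces (vlan*), and host interfaces one would normally leave alone.
SAMPLE_IFACES = ["eni3a9f2c1", "eni7b0e4d2", "vlan2a1f", "vlan2a20", "eth0"]

if __name__ == "__main__":
    for spec in ("eni+", "vlan+", "+", "!eth0"):
        print(spec, captured(spec, SAMPLE_IFACES))
        print("  ", " ".join(dnat_rule(spec, "10.0.0.5")))
```

With `eni+` the vlan interfaces are never redirected, `+` redirects everything including `eth0`, and only the negated spec covers both pod interface families while skipping the host's own.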