
It looks like vpc cni doesn't respect except in network policy #41

Closed
sergei-ak opened this issue Oct 8, 2023 · 3 comments
Comments

@sergei-ak

Hello! I was trying to implement a network policy with the VPC CNI addon and it looks like cidr with except doesn't work. I'm trying to allow access from my pod to 0.0.0.0/0 and deny access to internal subnets (including pods, services and instance metadata). And I can reach all IPs, including internal services and pods, so it looks like the network policy agent just ignores except.

Could you clarify if it is supported?

EKS version:

Server Version: version.Info{Major:"1", Minor:"25+", GitVersion:"v1.25.12-eks-2d98532", GitCommit:"0aa16cf4fac4da27b9e9e9ba570b990867f6a3d8", GitTreeState:"clean", BuildDate:"2023-07-28T16:52:04Z", GoVersion:"go1.20.6", Compiler:"gc", Platform:"linux/amd64"}

VPC CNI info:

➜ aws eks describe-addon --cluster-name xxx --addon-name vpc-cni --query addon.addonVersion --output text
v1.15.0-eksbuild.2

➜ kubectl -n kube-system get ds aws-node -o yaml | grep network-policy
        - --enable-network-policy=true
        image: 602401143452.dkr.ecr.us-east-1.amazonaws.com/amazon/aws-network-policy-agent:v1.0.2-eksbuild.1

➜ kubectl -n kube-system get cm amazon-vpc-cni -o yaml | grep -i network-policy
  enable-network-policy-controller: "true"

And here is the network policy:

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-everything-but-rfc1918
spec:
  podSelector:
    matchLabels:
      app: network-policy-test
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
              - 169.254.169.254/32

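The ipBlock/except semantics the policy above relies on, as an added example that is not part of this issue or of the VPC CNI / aws-network-policy-agent code: a small evaluator using only the standard-library ipaddress module that applies the posted policy to candidate destination addresses the way the Kubernetes NetworkPolicy API defines it, where an ipBlock peer matches only when the address lies inside cidr and outside every except entry. The honor_except flag is an assumption of this example, added to reproduce the symptom reported here (except ignored, so RFC 1918 and 169.254.169.254 become reachable); the destination addresses are constructed test inputs. podSelector/namespaceSelector peers and ports are not modelled.

```python
"""Reference evaluation of NetworkPolicy ipBlock/except egress semantics.

Added example; not code from the issue or from the VPC CNI / network policy agent.
The policy is the one posted in the issue, embedded as a dict so no YAML parser is needed.
"""
import ipaddress

# The issue's policy: allow all egress except RFC 1918 ranges and the IMDS address.
ALLOW_EVERYTHING_BUT_RFC1918 = {
    "spec": {
        "podSelector": {"matchLabels": {"app": "network-policy-test"}},
        "policyTypes": ["Egress"],
        "egress": [
            {"to": [{"ipBlock": {
                "cidr": "0.0.0.0/0",
                "except": [
                    "10.0.0.0/8",
                    "172.16.0.0/12",
                    "192.168.0.0/16",
                    "169.254.169.254/32",
                ],
            }}]}
        ],
    }
}


def ip_block_matches(ip_block, ip, honor_except=True):
    """True when an ipBlock peer matches ip.

    Per the NetworkPolicy API the address must be inside cidr and outside every
    except entry. A cidr of another address family never matches (0.0.0.0/0 does
    not cover IPv6). honor_except=False is an assumption of this example that
    models an implementation which ignores the except list.
    """
    cidr = ipaddress.ip_network(ip_block["cidr"], strict=False)
    if ip.version != cidr.version or ip not in cidr:
        return False
    if not honor_except:
        return True
    return not any(
        ip in ipaddress.ip_network(x, strict=False)
        for x in ip_block.get("except", [])
    )


def egress_allowed(policy, dst, honor_except=True):
    """Decide whether a pod selected by policy may send to destination address dst.

    Only ipBlock peers are evaluated; podSelector/namespaceSelector peers need
    cluster state and are skipped, and ports are ignored.
    """
    spec = policy["spec"]
    if "Egress" not in spec.get("policyTypes", []):
        return True  # policy does not restrict egress at all
    ip = ipaddress.ip_address(dst)
    for rule in spec.get("egress", []):
        peers = rule.get("to")
        if not peers:
            return True  # a rule with no 'to' entries matches every destination
        for peer in peers:
            if "ipBlock" in peer and ip_block_matches(peer["ipBlock"], ip, honor_except):
                return True
    return False  # Egress type present and no rule matched: default deny


def evaluate(policy, dsts, honor_except=True):
    """Map each destination to its allow/deny decision under the policy."""
    return {d: egress_allowed(policy, d, honor_except) for d in dsts}


if __name__ == "__main__":
    # Constructed destinations: one public address, one per except range, one
    # link-local address the policy does not list, and one IPv6 address.
    probes = ["8.8.8.8", "10.1.2.3", "172.31.0.5", "192.168.1.1",
              "169.254.169.254", "169.254.170.2", "fd00:ec2::254"]
    print("spec semantics :", evaluate(ALLOW_EVERYTHING_BUT_RFC1918, probes))
    print("except ignored :", evaluate(ALLOW_EVERYTHING_BUT_RFC1918, probes, honor_except=False))
```

Running the script with the except list honoured denies every RFC 1918 address and 169.254.169.254 while still allowing 8.8.8.8; with honor_except=False every IPv4 destination is allowed, which is the behaviour the issue describes. Two things worth noticing in the output: the posted except list only removes 169.254.169.254/32, so other link-local addresses such as 169.254.170.2 stay reachable, and an IPv6 destination is denied simply because 0.0.0.0/0 does not cover IPv6, not because of any except entry. The decisions this evaluator produces are the expected results to compare against when probing destinations from inside a pod after an agent upgrade.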
@jayanthvn
Contributor

jayanthvn commented Oct 8, 2023

Hi, this is fixed on the nodeagent master branch and we will be releasing a new cni/nodeagent version with the fix this week. Ref - aws/aws-network-policy-agent#58

@sergei-ak
Author

Thank you @jayanthvn looking forward to it!

@sergei-ak
Author

Yep, it works, thank you!
