Try   HackMD

Secondary IP Mode

The secondary IP mode was the original networking mode for Amazon VPC CNI. VPC CNI (secondary IP mode) was built from the ground up to allow EKS to fulfill all Kubernetes networking needs. As of today, EKS supports Secondary IP as the default mode for VPC CNI.

In secondary IP mode, the CNI plugin uses Elastic Network Interface (ENI) for Pod networking. The CNI allocates ENIs to each worker node and uses the secondary IP range from each ENI for pods. The CNI pre-allocates ENIs and IP addresses for faster pod startup by maintaining a warm pool. When the number of pods running on the node exceeds the number of addresses that can be assigned to a single network interface, the plugin starts allocating a new network interface, as long as the maximum number of network interfaces for the instance aren't already attached.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

In this mode, each pod you deploy is assigned one secondary private IP address from one of the network interfaces attached to the instance. Since each Pod uses an IP address, the number of Pods you can run on a particular EC2 Instance depends on how many ENIs can be attached to it and how many IP addresses it supports. You can use following formula to determine maximum no of pods you can deploy on a node.

(Number of network interfaces for the instance type × (the number of IP addressess per network interface - 1)) + 2

For a list of the maximum number of pods supported by each instance type, see eni-max-pods.txt on GitHub. Please be aware system pods also count towards the maximum pods.

Recommendations

Size your subnets for growth

Sizing your subnets for growth will prevent your subnets from running out of IP addresses as your Pods and nodes scale. You will not be able to create new Pods or nodes if the subnets don’t have available IP addresses.

If you need to constrain the IP addresses the CNI caches, then you can use warm pool CNI environment variables.

  • WARM_IP_TARGET — Number of free IP addresses the CNI should keep available.
  • MINIMUM_IP_TARGET — Number of minimum IP addresses the CNI should allocate at node startup.
  • WAM_ENI_TARGET - Number of minimum ENI the CNI should keep available (default is 1).

!!! info

  • Configure the value of MINIMUM_IP_TARGET to closely match the number of Pods you expect to run on your nodes. Doing so will ensure that as Pods get created, the CNI can assign IP addresses from the warm pool without calling the EC2 API.
  • It is recommended to use default value of 1 for WARM_ENI_TARGET. It's a good balance between having too many unused IPs attached, and the risk of being throttled by the EC2 API. Please note WARM_ENI_TARGET value will be ignored when you set MINIMUM_IP_TARGET.

!!! Warning

  • Avoid setting the value of WARM_IP_TARGET too low as it will cause additional calls to the EC2 API, and that might cause throttling of the requests.
  • Avoid the WARM_IP_TARGET setting for large clusters or if the cluster has high pod churn. Setting it will cause additional calls to the EC2 API, and that might cause throttling of the requests. You should set MINIMUM_IP_TARGET along with WARM_IP_TARGET for large clusters with high Pod churn.
  • Setting the WARM_IP_TARGET value too high on a highly constrained VPC might result in IP exhaustion issues and failure of workloads, hence must be avoided.

Cluster Type

Consider using VPC CNI in secondary IP mode for running ephermal clusters that are used for testing. It is an ideal setting for greenfield use cases and for customers who have recently migrated to EKS. You can also use secondary IP mode when there are no IP or overlapping CIDR constraints. The Secondary IP mode is only available on IPv4 clusters. Consider prefix assignment mode (IPv4) if you are having problems with IP density and IPv6 if you are having problems with IP density and running out of IP space.

Last changed by 
sheetjos
22
1221

Read more

Prefix Mode (v2)

In the default mode of the VPC CNI, without prefix delegation, singular IP addresses are assigned to ENIs. With prefix delegation, a range of IP addresses is assigned to an ENI. Traffic to an address within the assigned range is directed to the ENI. This greatly increases the number of IP addresses, and thus pods, that may be on a single node. More specifically, you can assign a private CIDR range (network prefix) to your network interfaces (ENIs) on EC2 instances. IPv4 and IPv6 ranges may be assigned to an ENI. The prefix assignments may be manually or automatically managed. Amazon VPC CNI assigns network prefixes to Amazon EC2 network interfaces to increase the number of IP addresses available to nodes and increase pod density per node. You can configure version 1.9.0 or later of the Amazon VPC CNI add-on to assign IPv4 and IPv6 CIDR instead of assigning individual IP addresses to network interfaces. [[GDC: JC do you prefer "ENABLE_PREFIX_DELEGATION is set to true" as the first line (techincal accuracy) or "When prefix delgation is enabled" (more general, users should follow the link to learn how to enable)]]

Jul 5, 2022
VPC Considerations (v2)

Operating an EKS cluster requires knowledge of VPC networking, in addition to Kubernetes networking. We recommend you understand the EKS control plane communication mechanisms before you start to plan your VPC or use existing VPCs to create Kubernetes clusters. Refer to Cluster VPC considerations and Amazon EKS security group considerations when architecting a VPC and subnets to be used with EKS. [[GDC: SJ & JC - I'm skeptical that the below section is relevant to the BPG. It's more than a general introduction to the reccomendations. The customer and AWS VPCs are a key part of EKS.]] EKS Control Plane Communication An EKS cluster consists of two VPCs:

Jul 5, 2022
Amazon EKS Best Practices Guide for Networking (v2)

It is critical to understand Kubernetes networking to operate your applications efficiently. This section of the EKS Best Practices advises on different cluster networking modes. How to use this guide? This guide introduces the Amazon VPC Container Network Interface (CNI) in the context of Kubernetes networking. The VPC CNI is highly configuable to support different use cases. This guide further includes dedicated sections on different VPC CNI use cases, operating modes, and sub-components. Generally, the VPC CNI plugin coordinates VPC resources with a Kubernetes Cluster. THE VPC CNI implements Kubernetes networking concepts using native AWS resources. Kubernetes Networking

Jul 1, 2022
Configuring Multus on EKS

A CNI is the container network interface that provides an application programming interface to configure network interfaces in containers. Multus CNI is a container network interface plugin for Kubernetes that enables attaching multiple network interfaces to Pods. In Kubernetes, each Pods has only one network interface by default, other than local loopback. With Multus, you can create multi-homed Pods that have multiple interfaces. Multus acts as ‘meta’ plugin that can call other CNI plugins to configure additional interfaces. Multiple network interfaces for Pods are useful in various use cases; examples include: Traffic splitting: Running network functions (NF) that require separation of control/management, and data/user plane network traffic to meet low latency Quality of Service (QoS) requirements. Performance: Additional interfaces often leverage specialized hardware specifications such as Single Root I/O Virtualization (SR-IOV) and Data Plane Development Kit (DPDK), which bypass the operating system kernel for increased bandwidth and network performance. Security: Supporting multi-tenant networks with strict traffic isolation requirements. Connecting multiple subnets to Pods to meet compliance requirements. What is a Multi-Homed Pods? The Multus CNI plugin allows Pods to have multiple interfaces in Kubernetes. The current version of EKS support for Multus bundles Amazon VPC CNI as the default delegate plugin (which is the only supported and validated default delegate plugin). The default delegate plugin configures the primary network interface (eth0) for Pods to enable Kubernetes control plane traffic, including the IP Address Management (IPAM) for the primary network interface for the Pods.

Jun 29, 2022
Read more from sheetjos
Published on HackMD