amazon-vpc-cni-k8s: ENI is not getting associated with POD

What happened: I followed the steps mentioned “https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html” in order to enable security groups for pods. I want to have some security policy between pod-to-pod communication. It is not showing me any ENI created for the security group. I verified it both from the AWS console as well as by describing the pods. Currently my security group has no inbound security rules, which means everything should be blocked, but somehow I am able to connect the pod from other pods in the same namespace.

Describe pods Annotations I have a test pod in bookinfo namespace with the following annotations Annotations: kubectl.kubernetes.io/default-container: productpage kubectl.kubernetes.io/default-logs-container: productpage kubernetes.io/psp: eks.privileged prometheus.io/path: /stats/prometheus prometheus.io/port: 15020 prometheus.io/scrape: true sidecar.istio.io/status: {“initContainers”:[“istio-init”],“containers”:[“istio-proxy”],“volumes”:["istio-envoy ",“istio-data”,“istio-podinfo”,“istio-token”,"istiod-…

As per the “https://www.eksworkshop.com/beginner/115_sg-per-pod/50_deploy/”, it should have “eni id” as one of the annotations. Similarly, when I am seeing it in the AWS console network interface, I don’t see any interface associated with the security group.

I already have ENABLE_POD_ENI=true

kubectl get nodes -o wide -l vpc.amazonaws.com/has-trunk-attached=true

NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME ip-10-105-49-177.us-east-2.compute.internal Ready <none> 17d v1.20.4-eks-6b7464 10.105.49.177 <none> Amazon Linux 2 5.4.117-58.216.amzn2.x86_64 docker://19.3.13

Attach logs eks_i-01d0b4d672b45e4f2_2021-06-11_1418-UTC_0.6.2.tar.gz

What you expected to happen: pods network control (L3) using independent security groups.

How to reproduce it (as minimally and precisely as possible):

• Attach “AmazonEKSVPCResourceController” policy to the EKS Cluster role
• Upgraded the CNI to 1.8 using the below mentioned command
• curl -o aws-k8s-cni.yaml https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/release-1.8/config/v1.8/aws-k8s-cni.yaml
• Applied : kubectl set env daemonset aws-node -n kube-system ENABLE_POD_ENI=true
• kubectl patch daemonset aws-node
  -n kube-system
  -p ‘{“spec”: {“template”: {“spec”: {“initContainers”: [{“env”:[{“name”:“DISABLE_TCP_EARLY_DEMUX”,“value”:“true”}],“name”:“aws-vpc-cni-init”}]}}}}’

Security Group Policy

apiVersion: vpcresources.k8s.aws/v1beta1 kind: SecurityGroupPolicy metadata: name: bookinfo-policy namepsace: bookinfo spec: serviceAccountSelector: matchLabels: app: productpage securityGroups: groupIds: - sg-xxxxxxx (Replaced the value)

Environment: EKS 1.20

• Kubernetes version (use kubectl version): Client Version: version.Info{Major:“1”, Minor:“18+”, GitVersion:“v1.18.9-eks-d1db3c”, GitCommit:“d1db3c46e55f95d6a7d3e5578689371318f95ff9”, GitTreeState:“clean”, BuildDate:“2020-10-20T22:21:03Z”, GoVersion:“go1.13.15”, Compiler:“gc”, Platform:“linux/amd64”} Server Version: version.Info{Major:“1”, Minor:“20+”, GitVersion:“v1.20.4-eks-6b7464”, GitCommit:“6b746440c04cb81db4426842b4ae65c3f7035e53”, GitTreeState:“clean”, BuildDate:“2021-03-19T19:33:03Z”, GoVersion:“go1.15.8”, Compiler:“gc”, Platform:“linux/amd64”}
• CNI Version : amazon-k8s-cni:v1.8.0
• OS (e.g: cat /etc/os-release): Ubuntu 20.04.2 LTS
• Kernel (e.g. uname -a): Linux ip-10-105-48-49 5.4.0-1045-aws