Comments (2)
I had run nslookup from a debug container using the same SecurityGroupPolicy, and DNS resolution works fine:
```
~ $ nslookup sts.us-west-2.amazonaws.com
Server: 172.20.0.10
Address: 172.20.0.10:53
Non-authoritative answer:
Non-authoritative answer:
Name: sts.us-west-2.amazonaws.com
Address: 10.80.98.26
Name: sts.us-west-2.amazonaws.com
Address: 10.80.85.195
Name: sts.us-west-2.amazonaws.com
Address: 10.80.118.106
Name: sts.us-west-2.amazonaws.com
Address: 10.80.138.46
~ $ nslookup dynamodb.us-east-1.amazonaws.com
Server: 172.20.0.10
Address: 172.20.0.10:53
Non-authoritative answer:
Non-authoritative answer:
Name: dynamodb.us-east-1.amazonaws.com
Address: 52.119.233.250
```
from amazon-vpc-cni-k8s.
The question here is why do I need a VPC endpoint when I am on a public network and the security group currently allows all ingress and egress connections?
Does this behavior happen after you enabled security groups for pods (on existing pods)?
Does this happen with new pods or new nodes?
What are your SecurityGroupPolicy and security group rules that demonstrate this behavior?