Description
I've run into a litany of questions around EKS and NetworkPolicy implementation, so I'm opening this issue to get some answers in case I missed something. Afterwards, I will open a PR to update the documentation so that no one else has to wonder about these things.
Questions
Calico and AWS VPC CNI
I've found this blog post Exploring the Networking Foundation for EKS: amazon-vpc-cni-k8s + Calico, which states the following:
Really, all you need to know is: use amazon-vpc-cni-k8s as the CNI plugin, apply a simple manifest to deploy Calico as a daemonset, and Bob’s your uncle.
...
Our recommendation is: if these are not hard blockers for your deployment, you should use the amazon-vpc-cni-k8s plugin as the simplest and best-performing native networking solution for AWS — and, of course, it is what will come by default with EKS. Whichever networking approach you choose, you can rest assured that you have industry-standard container network security courtesy of Calico.
Do the AWS VPC CNI and Calico work together, or are they exclusive?
From what I understand, the VPC CNI handles networking, but Calico is needed for implementing NetworkPolicy objects. Is this correct?
Can only Calico be used?
The second paragraph implies that the VPC CNI can be ditched altogether, and that Calico can be used exclusively. Is this still the case? If so, are there existing EKS-specific instructions on how to only use Calico?
Calico and Fargate
From the Installing Calico on Amazon EKS guide, it says:
Calico is not supported when using Fargate with Amazon EKS.
What does this mean exactly? Does this mean that if you have a Fargate profile installed for your cluster at all that the entire Calico networking stack doesn't work? Or does this mean that NetworkPolicy and GlobalNetworkPolicy objects will not work when used in / applied to the Fargate namespace?
Calico and GlobalNetworkPolicy objects
There's very little documentation on these GlobalNetworkPolicy objects, but the official EKS chart for Calico does install that CRD.
What limitations are there with EKS using crd.projectcalico.org/v1? The spec document for GlobalNetworkPolicy on Calico references projectcalico.org/v3.
Will projectcalico.org/v3 be supported in the future? If not, what functionality will not work with crd.projectcalico.org/v1?
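As an added example (not from the issue author, the EKS chart, or Calico's documentation), here is how the two object kinds discussed above fit together on an EKS cluster running the VPC CNI with Calico for policy: a cluster-wide default deny written against the crd.projectcalico.org/v1 GlobalNetworkPolicy CRD that the chart installs, which kubectl can apply directly, plus a plain Kubernetes NetworkPolicy that re-opens one path in a single namespace. The namespace "shop", the app labels, and port 8080 are assumed values.

```yaml
# Added example, not from the issue or the Calico project.
# Part 1: cluster-wide default deny via the crd.projectcalico.org/v1 CRD.
# Note: this API group is applied with kubectl against the CRD directly, so
# fields such as "types" must be spelled out; nothing is defaulted for you.
---
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: default-deny-app-namespaces
spec:
  # Calico evaluates policies in ascending order; Kubernetes NetworkPolicy
  # objects are evaluated alongside, and an explicit Allow match ends evaluation.
  order: 1000
  # Exclude the cluster infrastructure namespaces so DNS and the Calico
  # components themselves are not cut off by this policy.
  selector: projectcalico.org/namespace not in {"kube-system", "calico-system"}
  types:
    - Ingress
    - Egress
  # No ingress rules: all ingress to selected pods is denied unless another
  # policy (for example the NetworkPolicy below) explicitly allows it.
  egress:
    # Keep DNS reachable so workloads can still resolve names; all other
    # egress from the selected pods is implicitly denied.
    - action: Allow
      protocol: UDP
      destination:
        namespaceSelector: projectcalico.org/name == "kube-system"
        selector: k8s-app == "kube-dns"
        ports: [53]
---
# Part 2: a namespaced Kubernetes NetworkPolicy (assumed namespace "shop")
# that allows only the frontend pods to reach the api pods on TCP/8080.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
```

Applying both with kubectl on a cluster where Calico is enforcing policy leaves every pod outside kube-system and calico-system deny-by-default, with DNS egress and the frontend-to-api path as the only permitted traffic; the same GlobalNetworkPolicy body is what calicoctl would accept under apiVersion projectcalico.org/v3.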