
[EKS] [request]: DNS based policy support

Open sjastis opened this issue 2 years ago • 5 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request

Native capabilities to allow and restrict traffic based on DNS names.

Which service(s) is this request for?

EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?

DNS-based policies allow us to control traffic using DNS names, which are human-readable and easier to manage than IP addresses. Looking for native support in the default EKS networking plugin to implement these policies.

Are you currently working around this issue?

Installing third-party plugins that result in operational overhead.

Additional context

sjastis avatar Oct 18 '23 15:10 sjastis

Is there any update on this?

robbo10 avatar Jul 03 '24 17:07 robbo10

Would this be solved with AdminNetworkPolicy in #2243, which supports controlling egress by FQDN?

jimmyjones2 avatar Aug 04 '24 07:08 jimmyjones2

I'm willing to bet that a lot of people move to Cilium because of this missing feature. Surprised there aren't more likes on the issue.

sourcehawk avatar Dec 08 '24 01:12 sourcehawk

Would love to see this feature

jammerful avatar Mar 05 '25 20:03 jammerful

We're currently running EKS with Cilium (without kube-proxy replacement).

We wanted to leverage additional features like IPVS and LC, but unfortunately, they're not fully supported in this setup. Despite these limitations, we can't deprecate Cilium solely because EKS doesn't natively support FQDN-based network policies.

If EKS could provide native support for this, we'd be able to simplify our setup and fully adopt the AWS CNI. GKE already supports this, so we’re really hoping to see it on EKS as well.

Looking forward to any updates!

jungrae-prestolabs avatar May 07 '25 07:05 jungrae-prestolabs

Would be great to have this. Is anyone working on it currently?

zerodaywolf avatar Jun 30 '25 18:06 zerodaywolf

It’s surprising that AWS hasn’t started addressing this yet; the delay will likely push more users to abandon VPC CNI and explore alternative CNI solutions.

Wyifei avatar Jul 14 '25 07:07 Wyifei

@zerodaywolf and everyone else looking for a similar egress network policy solution, I've released a lightweight Kubernetes controller for this exact purpose: https://github.com/konsole-is/fqdn-controller

Hope it helps!

sourcehawk avatar Jul 19 '25 03:07 sourcehawk

Is there any update on this?

MorLavender avatar Jul 25 '25 01:07 MorLavender

Any update? This is a quite common feature people use with alternative CNI solutions. It would be great if VPC CNI supports it.

steve-todorov avatar Sep 16 '25 21:09 steve-todorov