From 4a4575518137d7abdf44d895196b092e9a90c2cf Mon Sep 17 00:00:00 2001
From: guessi
Date: Fri, 31 Oct 2025 17:02:22 +0800
Subject: [PATCH] Improve SGPP docs
---
 .../networking/security-groups-pods-deployment.adoc | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/latest/ug/networking/security-groups-pods-deployment.adoc b/latest/ug/networking/security-groups-pods-deployment.adoc
index f22b20a1..3f1d2a32 100644
--- a/latest/ug/networking/security-groups-pods-deployment.adoc
+++ b/latest/ug/networking/security-groups-pods-deployment.adoc
@@ -42,7 +42,15 @@ aws iam attach-role-policy --policy-arn {arn-aws}iam::aws:policy/AmazonEKSVPCRes
 +
 [source,bash,subs="verbatim,attributes"]
 ----
-kubectl set env daemonset aws-node -n kube-system ENABLE_POD_ENI=true
+kubectl set env daemonset aws-node -n kube-system -c aws-node ENABLE_POD_ENI=true
+----
++
+The env `ENABLE_POD_ENI` only works for `aws-node` container, if you have set `ENABLE_POD_ENI` to other containers before, you can optionally remove them from the env by the following command.
++
+[source,bash,subs="verbatim,attributes"]
+----
+kubectl set env daemonset aws-node -n kube-system -c aws-vpc-cni-init ENABLE_POD_ENI-
+kubectl set env daemonset aws-node -n kube-system -c aws-eks-nodeagent ENABLE_POD_ENI-
 ----
 +
 NOTE: The trunk network interface is included in the maximum number of network interfaces supported by the instance type. For a list of the maximum number of network interfaces supported by each instance type, see link:AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI[IP addresses per network interface per instance type,type="documentation"] in the _Amazon EC2 User Guide_. If your node already has the maximum number of standard network interfaces attached to it then the VPC resource controller will reserve a space. You will have to scale down your running Pods enough for the controller to detach and delete a standard network interface, create the trunk network interface, and attach it to the instance.
@@ -58,6 +66,8 @@ kubectl get cninode -A
 +
 If you are using VPC CNI versions older than `1.15`, node labels were used instead of the `CNINode` custom resource. You can see which of your nodes have the node label `aws-k8s-trunk-eni` set to `true` with the following command. If `No resources found` is returned, then wait several seconds and try again. The previous step requires restarting the Amazon VPC CNI plugin for Kubernetes Pods, which takes several seconds.
 +
+To identify the node with trunk ENI while VPC CNI version is older than `1.15`, use the following command,
++
 [source,bash,subs="verbatim,attributes"]
 ----
 kubectl get nodes -o wide -l vpc.amazonaws.com/has-trunk-attached=true