SecurityGroupPolicy not applied to DaemonSet

In my EKS cluster, I have a deployment and a daemonset.

The following SGP binds my deployment's pods to a couple of SecurityGroups I need:

apiVersion: vpcresources.k8s.aws/v1beta1
kind: SecurityGroupPolicy
metadata:
  name: efs-csi-controller
  namespace: kube-system
spec:
  podSelector:
    matchLabels:
      app: efs-csi-controller
  securityGroups:
    groupIds:
      - sg-11111111111111111
      - sg-22222222222222222

That works. But I need another set of pods to have the same security groups attached, as well.
This time it's a DaemonSet, though.

My 2nd SGP has a different name and selector:

  podSelector:
    matchLabels:
      app: efs-csi-node

The problem is: the SGP doesn't seem to have an effect on my DaemonSet!
The vpc.amazonaws.com/pod-eni isn't applied, and I don't see any relevant message in the pods' k8s events.
That behaviour doesn't seem to be documented anywhere.
Is there any limitation on SGP applied to DaemonSet, or am I missing something else?
