@champtar champtar commented Nov 3, 2025

Issue #, if available:

#10

Description of changes:

eks-pod-identity-agent only binds on 169.254.170.23 and fd00:ec2::23 for port 80. By configuring the portmap cni plugin to exclude those 2 addresses

```
{
  "type": "portmap",
  "capabilities": {"portMappings": true},
  "snat": true,
  "conditionsV4": ["!", "-d", "169.254.170.23"],
  "conditionsV6": ["!", "-d", "fd00:ec2::23"]
}
```

we can have a pod using `hostPort: 80` (let's say ingress-nginx) and eks-pod-identity-agent running on the same node, we just need `advertisePort80: false`.

see also aws/amazon-vpc-cni-k8s#3497

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
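
A check for the configuration described above, as an added example that is not part of the pull request or the project's code: it parses a CNI conflist and reports any portmap plugin whose `conditionsV4`/`conditionsV6` do not exclude the two agent addresses. The function names and the sample conflists are constructed for illustration, and addresses are compared as literal strings.

```python
import json

# Addresses the PR description says eks-pod-identity-agent binds on port 80.
AGENT_V4 = "169.254.170.23"
AGENT_V6 = "fd00:ec2::23"

def excludes(conditions, addr):
    """True if the iptables args contain the sequence '!', '-d', addr[/prefix]."""
    conds = conditions or []
    return any(
        conds[i] == "!" and conds[i + 1] == "-d"
        and conds[i + 2].split("/")[0] == addr
        for i in range(len(conds) - 2)
    )

def audit_conflist(text):
    """Return findings for each portmap plugin lacking the agent-address exclusions."""
    try:
        conf = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    # A .conflist carries a "plugins" array; a single .conf is the plugin itself.
    plugins = conf.get("plugins", [conf])
    findings = []
    for p in plugins:
        if p.get("type") != "portmap":
            continue
        if not excludes(p.get("conditionsV4"), AGENT_V4):
            findings.append(f"conditionsV4 does not exclude {AGENT_V4}")
        if not excludes(p.get("conditionsV6"), AGENT_V6):
            findings.append(f"conditionsV6 does not exclude {AGENT_V6}")
    return findings

# Constructed sample conflists (not taken from a real node).
WITH_EXCLUSION = """{"cniVersion": "0.4.0", "name": "example", "plugins": [
  {"type": "bridge"},
  {"type": "portmap", "capabilities": {"portMappings": true}, "snat": true,
   "conditionsV4": ["!", "-d", "169.254.170.23"],
   "conditionsV6": ["!", "-d", "fd00:ec2::23"]}]}"""
WITHOUT_EXCLUSION = """{"cniVersion": "0.4.0", "name": "example", "plugins": [
  {"type": "bridge"},
  {"type": "portmap", "capabilities": {"portMappings": true}, "snat": true}]}"""

if __name__ == "__main__":
    for name, text in [("with", WITH_EXCLUSION), ("without", WITHOUT_EXCLUSION)]:
        print(name, audit_conflist(text) or "ok")
```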

@champtar champtar requested a review from a team as a code owner November 3, 2025 21:24
eks-pod-identity-agent only binds on 169.254.170.23 and fd00:ec2::23 for port 80.
By configuring the portmap cni plugin to exclude those 2 addresses
```
{
  "type": "portmap",
  "capabilities": {"portMappings": true},
  "snat": true,
  "conditionsV4": ["!", "-d", "169.254.170.23"],
  "conditionsV6": ["!", "-d", "fd00:ec2::23"]
}
```
we can have a pod using `hostPort: 80` (let's say ingress-nginx) and
eks-pod-identity-agent running on the same node, we just need `advertiseProxyPort: false`.
@champtar champtar force-pushed the helm-advertisePort80 branch from b7dcce4 to 598b058 Compare November 4, 2025 21:08
@kmala kmala merged commit 2f8687e into aws:main Nov 5, 2025
1 check passed
@champtar champtar deleted the helm-advertisePort80 branch November 5, 2025 10:55
champtar commented Nov 5, 2025

Thanks @kmala
Is there already a release planned?
