Merge pull request #87 from worldcoin/feat/add-vpc-cni-network-policy-support

INFRA-6052: Add VPC CNI Network Policy support

Author: marcin-janas

cluster-addons.tf

@@ -73,17 +73,27 @@ resource "aws_eks_addon" "vpc_cni" {
   addon_version               = var.vpc_cni_version_override == "" ? local.vpc_cni_version[var.cluster_version] : var.vpc_cni_version_override
   resolve_conflicts_on_create = "OVERWRITE"
   resolve_conflicts_on_update = "OVERWRITE"
-  configuration_values = jsonencode({
-    env : merge({
-      ENABLE_PREFIX_DELEGATION : lower(tostring(var.vpc_cni_enable_prefix_delegation)),                   # Enable prefix delegation for IPv6, allocate IPs in /28 blocks (instead of all at once)
-      WARM_IP_TARGET : var.vpc_cni_warm_ip_target,                                                        # Keep +4 IPs warm for each node to speed up pod scheduling
-      WARM_ENI_TARGET : var.vpc_cni_warm_eni_target,                                                      # Keep +1 ENI warm for each node to speed up pod scheduling
-      POD_SECURITY_GROUP_ENFORCING_MODE : lower(tostring(var.vpc_cni_pod_security_group_enforcing_mode)), # Enable pod security group enforcing mode
-      AWS_VPC_K8S_CNI_EXTERNALSNAT : lower(tostring(var.vpc_cni_external_snat)),                          # Enable external SNAT to enable pod to pod communication across different vpc's
-      }, var.vpc_cni_enable_pod_eni ? {
-      ENABLE_POD_ENI : lower(tostring(var.vpc_cni_enable_pod_eni)), # Enable pod ENI support
-    } : {})
-  })
+  configuration_values = jsonencode(merge(
+    {
+      env : merge({
+        ENABLE_PREFIX_DELEGATION : lower(tostring(var.vpc_cni_enable_prefix_delegation)),                   # Enable prefix delegation for IPv6, allocate IPs in /28 blocks (instead of all at once)
+        WARM_IP_TARGET : var.vpc_cni_warm_ip_target,                                                        # Keep +4 IPs warm for each node to speed up pod scheduling
+        WARM_ENI_TARGET : var.vpc_cni_warm_eni_target,                                                      # Keep +1 ENI warm for each node to speed up pod scheduling
+        POD_SECURITY_GROUP_ENFORCING_MODE : lower(tostring(var.vpc_cni_pod_security_group_enforcing_mode)), # Enable pod security group enforcing mode
+        AWS_VPC_K8S_CNI_EXTERNALSNAT : lower(tostring(var.vpc_cni_external_snat)),                          # Enable external SNAT to enable pod to pod communication across different vpc's
+        }, var.vpc_cni_enable_pod_eni ? {
+        ENABLE_POD_ENI : lower(tostring(var.vpc_cni_enable_pod_eni)), # Enable pod ENI support
+      } : {})
+    },
+    var.vpc_cni_enable_network_policy ? {
+      enableNetworkPolicy : lower(tostring(var.vpc_cni_enable_network_policy))
+    } : {},
+    var.vpc_cni_enable_network_policy ? {
+      nodeAgent : {
+        enablePolicyEventLogs : lower(tostring(var.vpc_cni_enable_network_policy))
+      }
+    } : {}
+  ))
 }
 
 resource "aws_eks_addon" "coredns" {

main.tf

@@ -94,4 +94,4 @@ resource "aws_iam_role_policy_attachment" "aws_load_balancer_controller_explicit
   role       = each.value
   policy_arn = aws_iam_policy.aws_load_balancer_controller_explicit_deny[0].arn
 }
-  
+

tests/vpc-cni-network-policy.tftest.hcl

@@ -0,0 +1,58 @@
+# Mock (offline) provider
+mock_provider "aws" {
+  source = "./tests/mocks/aws"
+}
+
+mock_provider "datadog" {}
+mock_provider "cloudflare" {}
+
+mock_provider "kubernetes" {
+  source = "./tests/mocks/kubernetes"
+}
+
+variables {
+  kubernetes_provider_enabled = false
+}
+
+# =============================================================================
+# Test: Network policy disabled by default
+# =============================================================================
+run "vpc_cni_network_policy_disabled_by_default" {
+  command = plan
+
+  assert {
+    condition     = var.vpc_cni_enable_network_policy == false
+    error_message = "vpc_cni_enable_network_policy should default to false"
+  }
+
+  assert {
+    condition     = !contains(keys(jsondecode(aws_eks_addon.vpc_cni.configuration_values)), "enableNetworkPolicy")
+    error_message = "enableNetworkPolicy should not be present when disabled"
+  }
+
+  assert {
+    condition     = !contains(keys(jsondecode(aws_eks_addon.vpc_cni.configuration_values)), "nodeAgent")
+    error_message = "nodeAgent should not be present when network policy is disabled"
+  }
+}
+
+# =============================================================================
+# Test: Network policy enabled
+# =============================================================================
+run "vpc_cni_network_policy_enabled" {
+  command = plan
+
+  variables {
+    vpc_cni_enable_network_policy = true
+  }
+
+  assert {
+    condition     = jsondecode(aws_eks_addon.vpc_cni.configuration_values)["enableNetworkPolicy"] == "true"
+    error_message = "enableNetworkPolicy should be 'true' when enabled"
+  }
+
+  assert {
+    condition     = jsondecode(aws_eks_addon.vpc_cni.configuration_values)["nodeAgent"]["enablePolicyEventLogs"] == "true"
+    error_message = "nodeAgent.enablePolicyEventLogs should be 'true' when network policy is enabled"
+  }
+}

variables.tf

@@ -726,6 +726,12 @@ variable "vpc_cni_pod_security_group_enforcing_mode" {
   }
 }
 
+variable "vpc_cni_enable_network_policy" {
+  description = "Enable Kubernetes NetworkPolicy enforcement via the VPC CNI node agent"
+  type        = bool
+  default     = false
+}
+
 variable "vpc_cni_external_snat" {
   description = "Needed to enable cross-vpc pod-to-pod communication - see: https://github.com/aws/amazon-vpc-cni-k8s?tab=readme-ov-file#aws_vpc_k8s_cni_externalsnat"
   type        = string