AWS eks documentation change
Summary
Fixed typos and grammatical errors in Kubernetes network policy troubleshooting documentation. Corrected 'policies is' to 'policy is', 'container is add' to 'container is added', 'doesn’t effect' to 'doesn’t affect', and clarified permissions requirements.
Security assessment
Changes are grammatical corrections and clarifications of existing content. No security vulnerabilities, exploits, or incident responses are mentioned. The permission clarification maintains existing security guidance but doesn't introduce new security concepts.
Diff
diff --git a/eks/latest/userguide/network-policies-troubleshooting.md b/eks/latest/userguide/network-policies-troubleshooting.md index 217972405..509fdd57a 100644 --- a//eks/latest/userguide/network-policies-troubleshooting.md +++ b//eks/latest/userguide/network-policies-troubleshooting.md @@ -13 +13 @@ To contribute to this user guide, choose the **Edit this page on GitHub** link t -# Troubleshooting Kubernetes network policies For Amazon EKS +# Troubleshooting Kubernetes network policies for Amazon EKS @@ -212 +212 @@ Also, a new controller runs in the control plane of each EKS cluster. The contro -Each decision by the VPC CNI whether connections are allowed or denied by a network policies is logged in _flow logs_. The network policy logs on each node include the flow logs for every pod that has a network policy. Network policy logs are stored at `/var/log/aws-routed-eni/network-policy-agent.log`. The following example is from a `network-policy-agent.log` file: +Each decision by the VPC CNI whether connections are allowed or denied by a network policy is logged in _flow logs_. The network policy logs on each node include the flow logs for every pod that has a network policy. Network policy logs are stored at `/var/log/aws-routed-eni/network-policy-agent.log`. The following example is from a `network-policy-agent.log` file: @@ -311 +311 @@ For EKS clusters, the policy logs will be located under `/aws/eks/`cluster-name` -If you enable network policy, a second container is add to the `aws-node` pods for a _node agent_. This node agent can send the network policy logs to CloudWatch Logs. +If you enable network policy, a second container is added to the `aws-node` pods for a _node agent_. This node agent can send the network policy logs to CloudWatch Logs. @@ -463 +463 @@ The following sections describe known issues with the Amazon VPC CNI network pol -If you make a network policy `kind: NetworkPolicy` and it doesn’t effect the pod, check that the policyendpoint object was created in the same namespace as the pod. If there aren’t `policyendpoint` objects in the namespaces, the network policy controller (part of the EKS cluster) was unable to create network policy rules for the network policy agent (part of the VPC CNI) to apply. +If you make a network policy `kind: NetworkPolicy` and it doesn’t affect the pod, check that the policyendpoint object was created in the same namespace as the pod. If there aren’t `policyendpoint` objects in the namespaces, the network policy controller (part of the EKS cluster) was unable to create network policy rules for the network policy agent (part of the VPC CNI) to apply. @@ -465 +465 @@ If you make a network policy `kind: NetworkPolicy` and it doesn’t effect the p -**Solution** : The solution is to fix the permissions of the VPC CNI (`ClusterRole` : `aws-node`) and the network policy controller (`ClusterRole` : `eks:network-policy-controller`) and to allow these actions in any policy enforcement tool such as Kyverno. Ensure that Kyverno policies are not blocking the creation of `policyendpoint` objects. See previous section for the permissions necessary permissions in New policyendpoints CRD and permissions. +**Solution** : The solution is to fix the permissions of the VPC CNI (`ClusterRole` : `aws-node`) and the network policy controller (`ClusterRole` : `eks:network-policy-controller`) and to allow these actions in any policy enforcement tool such as Kyverno. Ensure that Kyverno policies are not blocking the creation of `policyendpoint` objects. See previous section for the necessary permissions in New policyendpoints CRD and permissions.