| 1 | +# VpcAssociationPolicy API Reference |
| 2 | + |
| 3 | +## VpcAssociationPolicy |
| 4 | + |
| 5 | +VpcAssociationPolicy is a Custom Resource Definition (CRD) that can be attached to a Gateway to define the ServiceNetworkVpcAssociation configuration. |
| 6 | + |
| 7 | +### Fields of VpcAssociationPolicy |
| 8 | + |
| 9 | +| Field Name | Type | Required | Description | |
| 10 | +|--------------|---------------------------------------------------------------------------------------------------------|-----------|-----------------------------------------------------| |
| 11 | +| `apiVersion` | *string* | yes | ``application-networking.k8s.aws/v1alpha1`` | |
| 12 | +| `kind` | *string* | yes | ``VpcAssociationPolicy`` | |
| 13 | +| `metadata` | [*ObjectMeta*](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#objectmeta-v1-meta) | yes | Kubernetes metadata for the resource. | |
| 14 | +| `spec` | *VpcAssociationPolicySpec* | yes | Defines the desired state of VpcAssociationPolicy. | |
| 15 | + |
| 16 | + |
| 17 | + |
| 18 | +### Fields of VpcAssociationPolicySpec |
| 19 | + |
| 20 | +Appears on: VpcAssociationPolicy |
| 21 | + |
| 22 | +VpcAssociationPolicySpec defines the desired state of VpcAssociationPolicy. |
| 23 | + |
| 24 | + |
| 25 | + |
| 26 | +| Field Name | Type | Required | Description | |
| 27 | +|--------------------|-----------------------------------------------------------------------------------------------|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |
| 28 | +| `targetRef` | *[PolicyTargetReference](https://gateway-api.sigs.k8s.io/geps/gep-713/#policy-targetref-api)* | Yes | Points to the Kubernetes Gateway resource that will have this policy attached, following the guidelines of [Kubernetes Gateway API policy attachment](https://gateway-api.sigs.k8s.io/geps/gep-713/#policy-targetref-api). | |
| 29 | +| `associateWithVpc` | *bool* | No | Indicates whether the targetRef Gateway is associated with the current k8s cluster VPC. By default, the Gateway API controller sets this to true if it's not defined in VpcAssociationPolicy. | |
| 30 | +| `securityGroupIds` | *string[]* | No | Defines security groups applied to the gateway (ServiceNetworkVpcAssociation), it controls the inbound traffic from current cluster workloads to the gateway listeners. Please check the [VPC Lattice doc](https://docs.aws.amazon.com/vpc-lattice/latest/ug/security-groups.html) for more detail. | |
| 31 | + |
| 32 | + |
| 33 | +Recommended security group inbound rules: |
| 34 | + |
| 35 | +| Source | Protocol | Port Range | Comment | |
| 36 | +|---------------------------------------------------------|-----------------------------------------------------|-------------------------------------------------|-----------------------------------------------------------| |
| 37 | +| Kubernetes cluster VPC CIDR or security group reference | Protocols defined in the gateway's listener section | Ports defined in the gateway's listener section | Allow inbound traffic from current cluster vpc to gateway | |
| 38 | + |
| 39 | + |
| 40 | +### Limitations and Considerations |
| 41 | + |
| 42 | +When attaching a VpcAssociationPolicy to a resource, the following restrictions apply: |
| 43 | + |
| 44 | +* Policies must be attached to *Gateway* resource. |
| 45 | +* The attached resource must exist in the same namespace as the policy resource. |
| 46 | + |
| 47 | +The security group will not take effect if: |
| 48 | + |
| 49 | +* The `targetRef` gateway does not exist. |
| 50 | +* The `associateWithVpc` field is set to false. |
| 51 | + |
| 52 | + |
| 53 | +**WARNING** |
| 54 | + |
| 55 | +The VPC Lattice `UpdateServiceNetworkVpcAssociation` API cannot be used to remove all security groups. |
| 56 | +If you have a VpcAssociationPolicy attached to a gateway that already has security groups applied, updating the VpcAssociationPolicy with empty security group ids or deleting the VpcAssociationPolicy will NOT remove the security groups from the gateway. |
| 57 | + |
| 58 | +To remove security groups, instead, you should delete VPC Association and re-create a new VPC Association without security group ids by following steps: |
| 59 | +1. Update the VpcAssociationPolicy by setting `associateWithVpc` to false and empty security group ids. |
| 60 | +2. Update the VpcAssociationPolicy by setting `associateWithVpc` to true and empty security group ids. |
| 61 | +` |
| 62 | +Note: Setting `associateWithVpc` to false will disable traffic from the current cluster workloads to the gateway. |
| 63 | + |
| 64 | +## Example Configuration |
| 65 | + |
| 66 | +This example shows how to configure a gateway with `associateWithVpc` set to true and apply security group sg-1234567890 and sg-0987654321 |
| 67 | +``` |
| 68 | +apiVersion: application-networking.k8s.aws/v1alpha1 |
| 69 | +kind: VpcAssociationPolicy |
| 70 | +metadata: |
| 71 | + name: test-vpc-association-policy |
| 72 | +spec: |
| 73 | + targetRef: |
| 74 | + group: "gateway.networking.k8s.io" |
| 75 | + kind: Gateway |
| 76 | + name: my-hotel |
| 77 | + securityGroupIds: |
| 78 | + - sg-1234567890 |
| 79 | + - sg-0987654321 |
| 80 | + associateWithVpc: true |
| 81 | +``` |
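Review bot: the lone backtick line right after step 2 of the WARNING section (`` ` `` on its own line, between "2. Update the VpcAssociationPolicy by setting `associateWithVpc` to true and empty security group ids." and "Note: Setting `associateWithVpc` to false ...") is a typo that opens an unclosed inline code span and will garble the rendered note; delete that line. In the Example Configuration section the fence opens directly under the sentence "This example shows how to configure a gateway with `associateWithVpc` set to true and apply security group sg-1234567890 and sg-0987654321" with no blank line and no language tag; add a blank line, end the sentence with a period, and use a ```yaml fence so the manifest is highlighted like the rest of the repo's docs. Smaller wording points: "Policies must be attached to *Gateway* resource" should read "a *Gateway* resource"; "you should delete VPC Association and re-create a new VPC Association without security group ids by following steps" should read "delete the VPC association and re-create it without security group ids by following these steps"; in the `securityGroupIds` description, split "Defines security groups applied to the gateway (ServiceNetworkVpcAssociation), it controls the inbound traffic" into two sentences and drop "Please"; and the table cells use double backticks (``application-networking.k8s.aws/v1alpha1``) where single backticks are used everywhere else. On substance, the Limitations list and the WARNING agree with each other (security groups are ignored while `associateWithVpc` is false, and the only way to clear them is the delete-and-recreate dance), which is good; it would help readers to state once, next to the `associateWithVpc` default, that the two-step removal procedure interrupts cluster-to-gateway traffic during step 1, since that consequence is currently only mentioned in the trailing Note. In the recommended inbound rules table, consider leading with the security group reference option rather than the VPC CIDR, since scoping the source to the workload security group is the tighter of the two choices the table already lists.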