Illumio Segmentation for Kubernetes

Limitations

  • NodePort

    The following limitations exist regarding NodePort policy enforcement and flows:

    • Only NodePort Services with externalTrafficPolicy set to "cluster" are supported. (This is the default and most frequently used value for this setting.)

    • When writing rules to allow traffic between entities external to the cluster and a NodePort Service, the source side of the rule must contain all nodes in the cluster.

      For example, given the following setup:

      - Worker nodes in the cluster are labeled as Role: Worker Node

      - Clients accessing the Service running in the Kubernetes cluster are labeled Role: Client

      - The NodePort Service is labeled Role: Ingress

      Normally, the rule would be written as Role: Client -> Role: Ingress. However, for this release the rule must also include all nodes in the cluster to work correctly: Role: Client + Role: Worker Node -> Role: Ingress.
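
The following script is an added example, not part of the Illumio documentation or product: it audits the output of `kubectl get services -A -o json` against the two NodePort limitations above, flagging Services whose externalTrafficPolicy is not Cluster and emitting the required rule shape (client labels plus every worker node on the source side) for the supported ones. The Service data and the Role: Client, Role: Worker Node and Role: Ingress labels are constructed placeholders.

```python
"""Audit NodePort Services against the Illumio NodePort limitations (added
example, not Illumio tooling). Input is `kubectl get svc -A -o json` output."""
import json

# Constructed sample, shaped like `kubectl get svc -A -o json` output.
SAMPLE_SERVICES_JSON = """
{"items": [
  {"metadata": {"namespace": "shop", "name": "web-ingress"},
   "spec": {"type": "NodePort",
            "ports": [{"port": 80, "nodePort": 30080, "protocol": "TCP"}]}},
  {"metadata": {"namespace": "shop", "name": "api-ingress"},
   "spec": {"type": "NodePort", "externalTrafficPolicy": "Local",
            "ports": [{"port": 8080, "nodePort": 30081, "protocol": "TCP"}]}},
  {"metadata": {"namespace": "shop", "name": "db"},
   "spec": {"type": "ClusterIP", "ports": [{"port": 5432, "protocol": "TCP"}]}}
]}
"""

# Labels assumed for this example (placeholders taken from the text above).
CLIENT_LABEL = "Role: Client"
WORKER_LABEL = "Role: Worker Node"
INGRESS_LABEL = "Role: Ingress"


def audit_nodeport_services(services_json: str) -> list[dict]:
    """Return one finding per NodePort Service: whether it is supported and,
    if so, the rule shape the NodePort limitation requires."""
    findings = []
    for item in json.loads(services_json)["items"]:
        spec = item["spec"]
        if spec.get("type") != "NodePort":
            continue  # Only NodePort Services are affected by this limitation.
        name = f"{item['metadata']['namespace']}/{item['metadata']['name']}"
        # Kubernetes defaults externalTrafficPolicy to Cluster when it is unset.
        policy = spec.get("externalTrafficPolicy", "Cluster")
        node_ports = [f"{p['nodePort']}/{p.get('protocol', 'TCP')}" for p in spec["ports"]]
        finding = {"service": name, "policy": policy, "node_ports": node_ports,
                   "supported": policy == "Cluster", "rule": None}
        if finding["supported"]:
            # Any node may forward (and source-NAT) NodePort traffic, so every
            # worker node must sit on the source side alongside the clients.
            finding["rule"] = f"{CLIENT_LABEL} + {WORKER_LABEL} -> {INGRESS_LABEL}"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in audit_nodeport_services(SAMPLE_SERVICES_JSON):
        print(finding)
```

Pipe real `kubectl get svc -A -o json` output into `audit_nodeport_services` to list every NodePort Service that needs the extended rule or that the Local policy excludes.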

  • Flat Network support in CLAS mode

    Using EKS or AKS in a flat network topology, such as EKS with AWS VPC CNI or AKS with Azure CNI, is not supported in CLAS-enabled clusters.