In my EKS cluster, I have a deployment and a daemonset.
The following SGP binds my deployment's pods to a couple of SecurityGroups I need:
```yaml
apiVersion: vpcresources.k8s.aws/v1beta1
kind: SecurityGroupPolicy
metadata:
  name: efs-csi-controller
  namespace: kube-system
spec:
  podSelector:
    matchLabels:
      app: efs-csi-controller
  securityGroups:
    groupIds:
      - sg-11111111111111111
      - sg-22222222222222222
```
That works. But I need another set of pods to have the same security groups attached, as well.
This time it's a DaemonSet, though.
My 2nd SGP has a different name and selector:
```yaml
  podSelector:
    matchLabels:
      app: efs-csi-node
```
The problem is: the SGP doesn't seem to have an effect on my DaemonSet!
The vpc.amazonaws.com/pod-eni annotation isn't applied, and I don't see any relevant message in the pods' k8s events.
That behaviour doesn't seem to be documented anywhere.
Is there any limitation on SGP applied to DaemonSet, or am I missing something else?
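An offline way to work through the question above, added here as an example and not part of the original post: the script below takes SecurityGroupPolicy and Pod objects (constructed inline to mirror the question, not real cluster output), evaluates the podSelector the way the VPC resource controller would, and reports why a selected pod may not carry the vpc.amazonaws.com/pod-eni annotation. It assumes, as in the upstream EFS CSI driver manifests, that the node DaemonSet pods run with hostNetwork: true, which the VPC resource controller's webhook skips when assigning pod ENIs; the pod and policy names are hypothetical.

```python
"""Offline diagnosis of SecurityGroupPolicy (SGP) selection for pods.

Added example, not code from the original post or from the AWS project.
Objects below are constructed to mirror the question, not real cluster output.
"""

POD_ENI_ANNOTATION = "vpc.amazonaws.com/pod-eni"

SGPS = [
    {"metadata": {"name": "efs-csi-controller", "namespace": "kube-system"},
     "spec": {"podSelector": {"matchLabels": {"app": "efs-csi-controller"}},
              "securityGroups": {"groupIds": ["sg-11111111111111111",
                                              "sg-22222222222222222"]}}},
    {"metadata": {"name": "efs-csi-node", "namespace": "kube-system"},
     "spec": {"podSelector": {"matchLabels": {"app": "efs-csi-node"}},
              "securityGroups": {"groupIds": ["sg-11111111111111111",
                                              "sg-22222222222222222"]}}},
]

PODS = [
    # Deployment pod: selected, ENI attached (annotation present).
    {"metadata": {"name": "efs-csi-controller-7c9f", "namespace": "kube-system",
                  "labels": {"app": "efs-csi-controller"},
                  "annotations": {POD_ENI_ANNOTATION:
                                  '[{"eniId":"eni-0abc","privateIp":"10.0.1.5"}]'}},
     "spec": {"hostNetwork": False}},
    # DaemonSet pod: selected by the second SGP but running with hostNetwork
    # (assumption from the upstream driver manifests), so no ENI is attached.
    {"metadata": {"name": "efs-csi-node-x2k9", "namespace": "kube-system",
                  "labels": {"app": "efs-csi-node"}, "annotations": {}},
     "spec": {"hostNetwork": True}},
    # Pod in the same namespace that no SGP selects.
    {"metadata": {"name": "coredns-5d4b", "namespace": "kube-system",
                  "labels": {"k8s-app": "kube-dns"}, "annotations": {}},
     "spec": {"hostNetwork": False}},
]


def selector_matches(selector, labels):
    """Evaluate a label selector: matchLabels plus the four matchExpressions operators."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True


def diagnose(pods, sgps):
    """Return {pod name: (status, sorted security group ids)} for every pod.

    status is one of:
      not-selected         no SGP in the pod's namespace matches its labels
      host-network         selected, but hostNetwork pods do not get a pod ENI
      eni-attached         selected and the pod-eni annotation is present
      selected-no-eni      selected, no annotation: check ENABLE_POD_ENI on
                           aws-node, the node instance type and controller logs
    """
    results = {}
    for pod in pods:
        meta = pod["metadata"]
        labels = meta.get("labels", {})
        matching = [s for s in sgps
                    if s["metadata"]["namespace"] == meta["namespace"]
                    and selector_matches(s["spec"]["podSelector"], labels)]
        groups = sorted({g for s in matching
                         for g in s["spec"]["securityGroups"].get("groupIds", [])})
        if not matching:
            status = "not-selected"
        elif pod["spec"].get("hostNetwork", False):
            status = "host-network"
        elif POD_ENI_ANNOTATION in meta.get("annotations", {}):
            status = "eni-attached"
        else:
            status = "selected-no-eni"
        results[meta["name"]] = (status, groups)
    return results


if __name__ == "__main__":
    for name, (status, groups) in diagnose(PODS, SGPS).items():
        print(f"{name:28s} {status:16s} {groups}")
```

Against live objects, feed the script the output of `kubectl get sgp,pods -n kube-system -o json`; the same selector logic applies, and a DaemonSet whose pods report host-network will not receive a pod ENI regardless of how the SGP is written.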