From 61b0c421f0bcf1b403e54b80e5612cb6be63738b Mon Sep 17 00:00:00 2001 From: Senthil Kumaran Date: Tue, 8 Oct 2024 21:04:49 +0000 Subject: [PATCH] Document the limitation of SGP with kube-proxy IPVS mode. --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index a4ed6e4473..57113f8198 100644 --- a/README.md +++ b/README.md @@ -516,6 +516,7 @@ Valid Values: `strict`, `standard` Once `ENABLE_POD_ENI` is set to `true`, this value controls how the traffic of pods with the security group behaves. * `strict` mode: all inbound/outbound traffic from pod with security group will be enforced by security group rules. This is the **default** mode if POD_SECURITY_GROUP_ENFORCING_MODE is not set. + * `strict` mode is supported when kube-proxy configured in `iptables` mode (default with EKS). If kube-proxy is configured in `ipvs` mode, please set `POD_SECURITY_GROUP_ENFORCING_MODE` to `standard`. * `standard` mode: the traffic of pod with security group behaves same as pods without a security group, except that each pod occupies a dedicated branch ENI. * inbound traffic to pod with security group from another host will be enforced by security group rules.
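Review bot: The added sub-bullet under `strict` mode reads "when kube-proxy configured in `iptables` mode", which drops the verb and leaves the restriction soft; suggest "`strict` mode is supported only when kube-proxy is configured in `iptables` mode (the default with EKS)". The context line directly above says `strict` is the default when `POD_SECURITY_GROUP_ENFORCING_MODE` is not set, so a cluster running kube-proxy in `ipvs` mode that only sets `ENABLE_POD_ENI` to `true` ends up in the unsupported combination without choosing it; the new text should say so explicitly rather than only "please set ... to `standard`". It would also help to state what goes wrong under `ipvs` with `strict` (traffic failing, or security group rules not being applied as described), since operators need to know whether this is a connectivity problem or an enforcement gap.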