Move from TagResources to CreateTags for ENI Tagging about amazon-vpc-cni-k8s HOT 5 CLOSED

The permissions for CreateTag on ENI can be scoped to something like:

        {
            "Action": [
                "ec2:CreateTags"
                ],
            "Resource": [
                "arn:aws:ec2:*:*:network-interface/*"
                ],
            "Effect" : "Allow"
        }

from amazon-vpc-cni-k8s.

Right now, it looks like we tag the ENI with k8s-eni-key=<instance-id>. I have a few questions about this implementation.

1. Shouldn't we add the well known tag kubernetes.io/<clustername>=<owned|shared>, as this is, as far as I can find, the standard way to track kubernetes-related resources?
2. Who are the known consumers of the k8s-eni-key tag?

from amazon-vpc-cni-k8s.

In order to get the cluster name, we could look for the existence of an env var CLUSTER_NAME or similar, and only create kubernetes.io/cluster/$CLUSTER_NAME=owned if it exists.

from amazon-vpc-cni-k8s.

@nckturner great idea if we can also tag ENI with cluster name.

Today, k8s-eni-key can be very helpful for debugging. If there is a ENI leaking, we can use k8s-eni-key to figure out which aws-node's ipamD is leaking it. Then, we can focus on debugging that particular node's ipamD.

from amazon-vpc-cni-k8s.

Ok, what do you think about renaming it to something more descriptive? I was thinking something using a format similar to Kubernetes well known labels, similar to the cluster name tag previously mentioned. node.amazonaws.com/instance-id=i-0d8928dd968701ba6 or node.amazonaws.com/i-0d8928dd968701ba6=owned.

Referencing this issue, the tag kubernetes.io/cluster/<clustername>=<owned|shared> was chosen as formatted (with the cluster name in the key) for querying efficiency, but we can query by tag:key=value, so I'm not sure where the efficiency gains come from.

from amazon-vpc-cni-k8s.