Disabling SNAT for non-managed ENIs possible? #2927

Open
muelleme opened this issue May 27, 2024 · 1 comment


@muelleme

What happened:

Hello!

We have a use-case where we run pods with EKS in host network mode and attach a 2nd ENI to the node. The 2nd ENI is tagged with node.k8s.amazonaws.com/no_manage: true and we expected it to be completely left alone by the CNI. However, the iptables rules set up by the CNI force all traffic going out via that ENI to be SNATed and the source IP gets changed to the primary node IP.
Is that the intended behaviour, and if yes, is there a way to disable this? We do not have a NAT gateway running, so using AWS_VPC_K8S_CNI_EXTERNALSNAT = true is not an option for us, as it breaks all other use cases in the cluster.

Thanks in advance, any help is highly appreciated!

Environment:

  • Kubernetes version (use kubectl version): 1.28
  • CNI Version v1.15.3-eksbuild.1
  • OS (e.g: cat /etc/os-release): amazon-eks-node-1.28-v20240514 AMI

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days

@github-actions bot added the "stale" label (Issue or PR is stale) on Jul 27, 2024
@orsenthil removed the "stale" label (Issue or PR is stale) on Jul 27, 2024