
I've got Argo CD deployed on EKS, with an Ingress running on top of the AWS Load Balancer Controller.

The ALB controller is deployed in kube-system. Argo is deployed in the argocd namespace, with an internal ALB created via Ingress annotations. Everything worked until I enabled Network Policy via the vpc-cni addon. Once Network Policy is in place, it also restricts traffic from the ALB and gives me a 504 Gateway Time-out.

My logic when creating the Network Policy was quite obvious. I started by allowing traffic from the kube-system namespace and the argocd namespace:

    ingress:
      # Each "- from:" item is a separate rule; a connection is allowed if any rule matches
      - from:
          - namespaceSelector:
              matchLabels:
                kubernetes.io/metadata.name: argocd
      - from:
          - namespaceSelector:
              matchLabels:
                kubernetes.io/metadata.name: kube-system

I tried different combinations of the above, and even added multiple `from` blocks to cover all namespaces that exist in the cluster. I also tried whitelisting by IP, both the EKS subnets and even the whole VPC CIDR.

    - from:
        - ipBlock:
            cidr: x.x.x.x/x  # IP block used by the VPC

I looked up other similar issues; extending the ALB idle timeout from 60 to 300 s didn't change a thing. I'm running out of ideas. Has anyone made it work? What am I missing?

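For reference, the fragments in the question assembled into a complete NetworkPolicy for the argocd-server pods. This is an added example, not the poster's manifest or anything from the Argo CD or AWS Load Balancer Controller projects. It assumes the argocd-server pods carry Argo CD's default label `app.kubernetes.io/name: argocd-server`, that argocd-server listens on its default container port 8080, and a placeholder VPC CIDR of `10.0.0.0/16`; all three are assumptions to replace with the values from your cluster.

```yaml
# Added example; not from the original post.
# Assumptions (replace with your own values):
#   - argocd-server pods are labelled app.kubernetes.io/name=argocd-server (Argo CD default)
#   - argocd-server listens on container port 8080 (Argo CD default)
#   - 10.0.0.0/16 is the VPC CIDR (placeholder)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-server-allow-alb
  namespace: argocd
spec:
  # A NetworkPolicy only applies to the pods its podSelector matches.
  # If this selector matches nothing, the policy is a no-op for argocd-server.
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-server
  # Only ingress is restricted by this policy; egress from the pods stays open.
  policyTypes:
    - Ingress
  ingress:
    # Rule 1: anything inside the VPC may reach the argocd-server port.
    # With target-type: ip the ALB connects from its own ENI addresses in the
    # VPC subnets; with target-type: instance traffic arrives via NodePort and
    # may be SNATed to the node IP. Both are inside the VPC CIDR, so a single
    # ipBlock covers data traffic and the ALB health checks.
    - from:
        - ipBlock:
            cidr: 10.0.0.0/16   # placeholder: your VPC CIDR
      ports:
        - protocol: TCP
          port: 8080          # argocd-server container port (assumed default)
    # Rule 2: pods in the argocd and kube-system namespaces, on any port.
    # Rules in the ingress list are ORed: a connection is allowed if any matches.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: argocd
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
```

Two general NetworkPolicy properties are worth checking against a cluster like the one described. First, policies are additive in the allow direction but a pod selected by any policy denies everything not explicitly allowed, so every policy whose `podSelector` matches the argocd-server pods has to be read together (`kubectl get networkpolicy -n argocd -o yaml`), not just the one being edited. Second, a `namespaceSelector` rule matches pod source IPs in that namespace; an ALB's ENI addresses and SNATed node addresses are not pod IPs, so they are only admitted by an `ipBlock` rule, and a `ports` list on that rule has to include the port the load balancer actually targets (and the health-check port, if it differs).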
