From 8d9ccae1a75a6f2735772d571709de08854bb27b Mon Sep 17 00:00:00 2001 From: Shaun Crampton Date: Wed, 16 Jul 2025 15:40:38 +0100 Subject: [PATCH 1/2] Add note about enabled ANNOTATE_POD_IP setting to EKS guide. --- calico/getting-started/kubernetes/managed-public-cloud/eks.mdx | 1 + 1 file changed, 1 insertion(+) diff --git a/calico/getting-started/kubernetes/managed-public-cloud/eks.mdx b/calico/getting-started/kubernetes/managed-public-cloud/eks.mdx index 4d99f037a1..7b257cfae9 100644 --- a/calico/getting-started/kubernetes/managed-public-cloud/eks.mdx +++ b/calico/getting-started/kubernetes/managed-public-cloud/eks.mdx @@ -38,6 +38,7 @@ When using the Amazon VPC CNI plugin, $[prodname] does not support enforcement o ***Prerequisites*** * You [disabled network policy for the AWS VPC CNI](https://docs.aws.amazon.com/eks/latest/userguide/network-policy-disable.html). +* You [configured AWS VPC CNI to annotate Pods with their IPs](https://github.com/aws/amazon-vpc-cni-k8s?tab=readme-ov-file#annotate_pod_ip-v193). Note the requirement to grant the "patch" permission to the `aws-node` daemon set. Without this setting, pod IPs can propagate slowly when Kubernetes is under load resulting in slow policy application after pod creation. 1. First, create an Amazon EKS cluster. From 9ae943f25d8005c4e5b747942f3ed41af7ddb781 Mon Sep 17 00:00:00 2001 From: Shaun Crampton Date: Mon, 21 Jul 2025 15:48:22 +0100 Subject: [PATCH 2/2] Move EKS cluster requirements under "create an Amazon EKS cluster" --- .../kubernetes/managed-public-cloud/eks.mdx | 23 +++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/calico/getting-started/kubernetes/managed-public-cloud/eks.mdx b/calico/getting-started/kubernetes/managed-public-cloud/eks.mdx index 7b257cfae9..4dd7155c40 100644 --- a/calico/getting-started/kubernetes/managed-public-cloud/eks.mdx +++ b/calico/getting-started/kubernetes/managed-public-cloud/eks.mdx 
@@ -35,10 +35,6 @@ When using the Amazon VPC CNI plugin, $[prodname] does not support enforcement o ::: -***Prerequisites*** - -* You [disabled network policy for the AWS VPC CNI](https://docs.aws.amazon.com/eks/latest/userguide/network-policy-disable.html). -* You [configured AWS VPC CNI to annotate Pods with their IPs](https://github.com/aws/amazon-vpc-cni-k8s?tab=readme-ov-file#annotate_pod_ip-v193). Note the requirement to grant the "patch" permission to the `aws-node` daemon set. Without this setting, pod IPs can propagate slowly when Kubernetes is under load resulting in slow policy application after pod creation. 1. First, create an Amazon EKS cluster. @@ -46,6 +42,25 @@ When using the Amazon VPC CNI plugin, $[prodname] does not support enforcement o eksctl create cluster --name ``` + Do **not** enable [network policy for the AWS VPC CNI](https://docs.aws.amazon.com/eks/latest/userguide/network-policy-disable.html); it conflicts with $[prodname]. + +1. Configure AWS VPC CNI to [annotate Pods with their IPs](https://github.com/aws/amazon-vpc-cni-k8s?tab=readme-ov-file#annotate_pod_ip-v193). + Note the requirement to grant the "patch" permission to the `aws-node` daemon set to avoid permission errors. + This setting ensures that pod IPs propagate quickly from AWS VPC CNI to $[prodname]. + + ```bash + cat << EOF > append.yaml + - apiGroups: + - "" + resources: + - pods + verbs: + - patch + EOF + kubectl apply -f <(cat <(kubectl get clusterrole aws-node -o yaml) append.yaml) + kubectl set env -n kube-system daemonset/aws-node ANNOTATE_POD_IP=true + ``` + 1. Install the Tigera Operator and custom resource definitions. ```bash
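Review bot: in the PATCH 1/2 hunk `@@ -38,6 +38,7 @@`, the new bullet says the permission is granted "to the `aws-node` daemon set", but RBAC permissions bind to the service account the daemon set's pods run as, so "the `aws-node` service account" would be the precise wording (the same sentence is carried into PATCH 2/2). Also a comma is missing: "when Kubernetes is under load, resulting in slow policy application after pod creation".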
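Review bot: the bullet removed in the PATCH 2/2 hunk `@@ -35,10 +35,6 @@` was the only place explaining why the ANNOTATE_POD_IP step matters ("Without this setting, pod IPs can propagate slowly when Kubernetes is under load resulting in slow policy application after pod creation"), and the replacement step in the following hunk only says the setting "ensures that pod IPs propagate quickly from AWS VPC CNI to $[prodname]". Suggest carrying the failure mode over into the new step so readers understand that skipping it leaves a window after pod creation in which the intended policy has not yet been applied.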
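Review bot: in the PATCH 2/2 hunk `@@ -46,6 +42,25 @@`, the appended rule (`apiGroups: [""]`, `resources: [pods]`, `verbs: [patch]`) is added to a ClusterRole, so it lets the `aws-node` service account patch any pod in any namespace, not only write the IP annotation; the step text only motivates it as "to avoid permission errors". Suggest stating the scope of the grant plainly, e.g. "this grants `aws-node` cluster-wide permission to patch pods, which it needs to write the IP annotation". The `kubectl apply -f <(cat <(kubectl get clusterrole aws-node -o yaml) append.yaml)` line also depends on `rules:` being the last top-level key in the exported YAML and on the two-space indentation matching the exported list items; a `kubectl patch clusterrole aws-node --type=json` on the `rules` array would not have that fragility and would avoid leaving `append.yaml` behind. Finally, the doc should say whether this role edit and the `kubectl set env -n kube-system daemonset/aws-node ANNOTATE_POD_IP=true` change are expected to survive an update of a managed VPC CNI add-on, or point readers to the add-on's own configuration for setting them.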