The `--master-security-groups` and `--node-security-groups` flags only work when creating a cluster in an existing VPC. It would be good if these security groups were created as part of the cluster creation; otherwise it has to create the masters/nodes, then drop them again to add the security groups via `kops edit ig ...` as part of the update.
You need an existing VPC to use extra groups. So we kinda have a chicken-and-egg problem. Causality dilemma. Unless I am not understanding your request. More details please.
Correct. We use kops to build our cluster. We have one service for which we must use hostPort/NodePort and cannot go through any kind of load balancer. Opening a port to the service is a problem, as the Security Group to add to `additionalSecurityGroups` does not exist before we need to tell kops its ID so it can use it to build the cluster. Possibilities:

a) Just let us give kops a port and range that it will open for us on all nodes in an Instance Group as part of the InstanceGroup spec.

b) Have a dns-controller-like operator that creates security groups based on node annotations.
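For reference, this is the existing-VPC workaround the thread describes, as an added example and not a manifest from the kops project or any participant: the security group is created in the VPC beforehand (e.g. with the AWS CLI or Terraform) and its ID is passed in the InstanceGroup spec. The cluster name, subnet name and the `sg-` ID are placeholders.

```yaml
# Added example: an InstanceGroup that attaches a pre-existing security group
# to every node so a NodePort/hostPort service is reachable without a load balancer.
# The group (placeholder ID below) must already exist in the cluster's VPC;
# kops will not create it for you, which is the limitation this issue is about.
apiVersion: kops.k8s.io/v1alpha2
kind: InstanceGroup
metadata:
  labels:
    kops.k8s.io/cluster: example.k8s.local   # placeholder cluster name
  name: nodes
spec:
  role: Node
  machineType: t3.medium
  minSize: 2
  maxSize: 4
  subnets:
    - eu-west-1a                              # placeholder subnet name from the cluster spec
  # The extra group is layered on top of the node group kops manages itself.
  # Keep its inbound rule scoped to the NodePort/hostPort range and to the
  # source CIDR that actually needs it rather than 0.0.0.0/0, since it is
  # applied to every node in the instance group.
  additionalSecurityGroups:
    - sg-0123456789abcdef0                    # placeholder: pre-created in the VPC
```

After `kops replace -f` with this manifest, `kops update cluster --yes` applies it as a rolling change to the instance group, which is the second pass the original report wanted to avoid.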