Terraform-aws-eks: Attach cluster security group to workers

Created on 6 Apr 2020 · 6 comments · Source: terraform-aws-modules/terraform-aws-eks

This module creates a security group for the EKS cluster and a different one for the workers. But from the AWS docs, it seems that the cluster security group is meant to cover the EKS cluster AND all resources that communicate with it, such as the worker nodes.

https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

It's especially a problem when using AWS Fargate with EKS. Fargate endpoints use the cluster security group but since the workers are not included in it, they can't communicate with pods in Fargate.

What do you think of adding the cluster security group to all the workers' launch configurations by default?

I'm submitting a...

  • [ ] bug report
  • [x] feature request
  • [ ] support request - read the FAQ first!
  • [ ] kudos, thank you, warm fuzzy

What is the current behavior?

There is no possibility to add the cluster SG to the workers

What's the expected behavior?

Having the cluster SG covering the workers by default

Environment details

  • Affected module version: 1.11.0
  • OS: Ubuntu 18.04
  • Terraform version: 1.12.24
Labels: enhancement

All 6 comments

This should be the default behaviour, as it mimics the behaviour of managed node groups.
It also simplifies the usage of security groups when we are using a mix of managed and self-managed node groups.

This seems to be related to an error I'm getting after upgrading to EKS 1.16 and v12 of the module. Somehow the cluster SG and the worker SG both had the kubernetes.io/cluster/mycluster-dev1:owned tag, which causes the latest (1.1.7) version of aws-alb-ingress-controller to error with:

2020-05-12T16:39:45.619740437Z E0512 16:39:45.619582 1 controller.go:217] kubebuilder/controller "msg"="Reconciler error" "error"="failed to reconcile securityGroup associations due to failed to reconcile instance securityGroup attachment: expect one securityGroup tagged with kubernetes.io/cluster/mycluster-dev1 on eni eni-0bc58f174743794ac, got 2" "controller"="alb-ingress-controller" "request"={"Namespace":"default","Name":"myapp"}

This is due to the worker security group AND the cluster security group both being tagged with kubernetes.io/cluster/mycluster-dev1:owned. The module will re-apply the tag to the worker security group if I remove it, but not to the cluster security group. I've removed it from the latter in order to get the ALB to work, but am leery of that having consequences down the road.
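The controller error quoted above is a deterministic condition: an ENI whose attached security groups include more (or fewer) than exactly one group carrying the kubernetes.io/cluster/&lt;name&gt; tag key. The following is an added example, not code from the issue or from the terraform-aws-eks project, that audits for that condition offline. It operates on dictionaries shaped like the boto3 `describe_network_interfaces` and `describe_security_groups` responses; the ENI ids, security group ids and tag values in the sample data are constructed for the example and are not taken from any real account.

```python
"""Audit EKS worker ENIs for the "expect one securityGroup tagged ... got N" condition.

Input shapes mirror boto3 EC2 responses (NetworkInterfaces[] and SecurityGroups[]).
The sample data below is constructed for this example.
"""
from typing import Dict, List


def cluster_tag_key(cluster_name: str) -> str:
    """The tag key the ingress controller looks for; the value (e.g. "owned") is not checked."""
    return f"kubernetes.io/cluster/{cluster_name}"


def tagged_security_groups(security_groups: List[dict], cluster_name: str) -> set:
    """Ids of all security groups that carry the kubernetes.io/cluster/<name> tag key."""
    key = cluster_tag_key(cluster_name)
    return {
        sg["GroupId"]
        for sg in security_groups
        if any(tag.get("Key") == key for tag in sg.get("Tags", []))
    }


def audit_enis(enis: List[dict], security_groups: List[dict], cluster_name: str) -> Dict[str, List[str]]:
    """Map each ENI id to the sorted list of tagged security groups attached to it."""
    tagged = tagged_security_groups(security_groups, cluster_name)
    report: Dict[str, List[str]] = {}
    for eni in enis:
        attached = [group["GroupId"] for group in eni.get("Groups", [])]
        report[eni["NetworkInterfaceId"]] = sorted(g for g in attached if g in tagged)
    return report


def problem_enis(enis: List[dict], security_groups: List[dict], cluster_name: str) -> Dict[str, List[str]]:
    """ENIs the controller would reject: any count of tagged groups other than exactly one."""
    return {eni: sgs for eni, sgs in audit_enis(enis, security_groups, cluster_name).items() if len(sgs) != 1}


# Constructed sample: a cluster SG and a worker SG that both carry the tag (the
# situation described in the thread), plus an untagged SG for contrast.
CLUSTER = "mycluster-dev1"
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0cluster0000000001", "Tags": [{"Key": f"kubernetes.io/cluster/{CLUSTER}", "Value": "owned"}]},
    {"GroupId": "sg-0worker00000000001", "Tags": [{"Key": f"kubernetes.io/cluster/{CLUSTER}", "Value": "owned"}]},
    {"GroupId": "sg-0other000000000001", "Tags": [{"Key": "Name", "Value": "unrelated"}]},
]
SAMPLE_ENIS = [
    # Worker ENI with both tagged groups attached: the controller reports "got 2".
    {"NetworkInterfaceId": "eni-0aaaaaaaaaaaaaaa1",
     "Groups": [{"GroupId": "sg-0cluster0000000001"}, {"GroupId": "sg-0worker00000000001"}]},
    # Worker ENI with only the worker group: healthy.
    {"NetworkInterfaceId": "eni-0bbbbbbbbbbbbbbb2",
     "Groups": [{"GroupId": "sg-0worker00000000001"}, {"GroupId": "sg-0other000000000001"}]},
    # ENI with no tagged group at all: also rejected ("got 0").
    {"NetworkInterfaceId": "eni-0ccccccccccccccc3",
     "Groups": [{"GroupId": "sg-0other000000000001"}]},
]


if __name__ == "__main__":
    for eni_id, groups in problem_enis(SAMPLE_ENIS, SAMPLE_SECURITY_GROUPS, CLUSTER).items():
        print(f"{eni_id}: expected one tagged security group, found {len(groups)}: {groups}")
```

Run against live data by passing `ec2.describe_network_interfaces()["NetworkInterfaces"]` and `ec2.describe_security_groups()["SecurityGroups"]` in place of the constructed lists; the function only reads `GroupId`, `Tags`, `Groups` and `NetworkInterfaceId`, which those responses contain. A non-empty result before removing a tag tells you which ENIs the controller will reject, and an empty one after the change confirms the fix took effect without re-reading controller logs.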

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

I've faced the same issue as @jeffbehl described with EKS 1.16/1.17 and module v12.2.0. alb-ingress-controller failed to update target groups due to duplicated tags kubernetes.io/cluster/mycluster:owned found on a different SG and ingress became completely dysfunctional.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Hi!
I have the same issue as @IlyaKochnev with an EKS 1.18 cluster and module version 13.2.1.
Thanks!
