Option to skip creating node and cluster security groups #747

Closed
vinay-kosaraju opened this issue Jul 26, 2022 · 5 comments

@vinay-kosaraju

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

Currently, it looks like node security group and cluster security group with default ingress and egress rules are created if they are not specified in the cluster args.

Could we please get an option to skip creation of the security groups and let EKS create the security group with default rules? (https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html)

@vinay-kosaraju vinay-kosaraju added kind/enhancement Improvements or new features needs-triage Needs attention from the triage team labels Jul 26, 2022
@viveklak viveklak removed the needs-triage Needs attention from the triage team label Jul 27, 2022
@viveklak
Contributor

@roothorp could you take a look and prioritize accordingly?

@t0yv0
Member

t0yv0 commented Sep 9, 2024

NOTE: skipDefaultNodeGroup should be implied by skipping security group.

@mjeffryes mjeffryes added this to the 0.110 milestone Sep 12, 2024
@t0yv0 t0yv0 added the impact/breaking Fixing this issue will require a breaking change label Sep 16, 2024
@t0yv0
Member

t0yv0 commented Sep 16, 2024

Quick update, apologies for the further delay but we decided to defer this item until the upcoming major release of the provider. It appears that the current signature implies that the eks.Cluster resource must return non-optional Node Security Group and Cluster Ingress rule. Making these optional is a technically breaking change, and we considered sending some sentinel values but decided against it for the moment.

In the upcoming major release the default NodeGroup is going to be removed; the default behavior will use a ManagedNodeGroup but there will be a way to opt out of it. We will need to revisit these settings in the new context, likely will be either removed or moved optional for special cases and not used by default.

We will track this item and follow up as part of the major release work.

@cleverguy25

Added to epic https://github.com/pulumi/home/issues/3558

@t0yv0 t0yv0 removed their assignment Sep 27, 2024
@mjeffryes mjeffryes removed this from the 0.110 milestone Oct 2, 2024
flostadler added a commit that referenced this issue Oct 3, 2024
Pulumi EKS currently always creates a cluster security group and node
security group.
- The cluster security group gets assigned to the control plane ENIs in
addition to the security group EKS creates (see [AWS
Docs](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html)).
This security group gets an ingress rule from the node security group.
- The node security group gets assigned to `NodeGroup` and `NodeGroupV2`
components that do not specify a custom security group.

Users that either manage the node security themselves or use the
`ManagedNodeGroup` component (uses the EKS created SG) do not need those
default security groups.

This change adds a flag on the cluster (`skipDefaultSecurityGroups`)
that will skip creating those default security groups. Instead.

This introduces a small breaking change, the `clusterSecurityGroup`,
`nodeSecurityGroup` and `clusterIngressRule` outputs are now optional.
The impact of this should be minimal because users that create custom
node groups usually do not use the security groups of the cluster for
that. If they do, they need to add a null check.

Fixes #747
@flostadler
Contributor

We've addressed this as part of #1416. This will be released with EKS v3.

@flostadler flostadler self-assigned this Oct 4, 2024
flostadler added a commit that referenced this issue Oct 17, 2024
@pulumi-bot pulumi-bot added the resolution/fixed This issue was fixed label Oct 17, 2024