Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Apply clusterSecurityGroupTags to the EKS created primary Cluster Security Group #1194

Open
sanketg86 opened this issue Jun 13, 2024 · 4 comments
Open

Apply clusterSecurityGroupTags to the EKS created primary Cluster Security Group #1194

sanketg86 opened this issue Jun 13, 2024 · 4 comments
Labels
impact/usability Something that impacts users' ability to use the product easily and intuitively kind/enhancement Improvements or new features

Comments

@sanketg86
Copy link

sanketg86 commented Jun 13, 2024
edited
Loading

What happened?

When I try to use clusterSecurityGroupTags parameter in eks.cluster package to create cluster and assign some more tags to Cluster security group, it assigned to additional security group.

Example


new eks.Cluster('eks-cluster',
      {
        name: 'eks-cluster',
        vpcId: vpc.id,
        serviceRole: eksRole,
        encryptionConfigKeyArn: kmsKey.arn,
        instanceRole: workerNodeRole,
        instanceProfileName: nodeInstanceProfile.name,
        skipDefaultNodeGroup: true,
        createOidcProvider: true,
        endpointPrivateAccess: true,
        endpointPublicAccess: true,
        useDefaultVpcCni: true,
        clusterSecurityGroupTags: { // <--- These listed tags must goes to actual cluster security group
          Name: 'eks-cluster',
          'karpenter.sh/discovery': 'eks-cluster' 
        },
        version: 1.29,
}
)

Output of pulumi about

CLI          
Version      3.119.0
Go Version   go1.22.3
Go Compiler  gc

Host     
OS       ubuntu
Version  22.04
Arch     x86_64

Plugins
KIND      NAME        VERSION
resource  aws               6.39.1
resource  eks               2.7.0
resource  kubernetes  4.13.1

Dependencies:
NAME                VERSION
@pulumi/eks         2.7.0
@pulumi/kubernetes  4.13.1
@pulumi/pulumi      3.119.0
@types/node         20.14.2
ts-node             10.9.2
yaml                2.4.5
@pulumi/aws         6.39.1

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
@sanketg86 sanketg86 added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Jun 13, 2024
@rquitales
Copy link
Member

Hi @sanketg86 - I'm not familiar with karpenter and how it does discovery with security group tags, but Is it insufficient for this tags to be within a separate additional security group attached to the EKS cluster? This is how our EKS provider is architected currently since the default security group is created automatically by AWS whenever a new EKS cluster is provision to enable communication between the worker nodes and K8s control plane. There isn't a straightforward way to modify this security group during the pulumi up lifecycle afaict. My understanding is also that additional security groups should behave the same as amalgamating all config within the one created by AWS.

@rquitales rquitales added awaiting-feedback Blocked on input from the author and removed needs-triage Needs attention from the triage team labels Jun 18, 2024
@sanketg86
Copy link
Author

as EKS cluster security group assigned to AWS manage node and if some workload running on AWS managed nodegroup which assigned EKS cluster security group and some workload running on Karpenter managed nodegroup with different security group, they can not communicate with each other.

so I would like to assign same security group to Karpenter nodes which assign to AWS managed nodegroup for that i have to add Karpenter discovery tag to cluster SG.

@pulumi-bot pulumi-bot added needs-triage Needs attention from the triage team and removed awaiting-feedback Blocked on input from the author labels Jun 18, 2024
@rquitales rquitales added impact/usability Something that impacts users' ability to use the product easily and intuitively and removed needs-triage Needs attention from the triage team labels Jun 18, 2024
@rquitales
Copy link
Member

Thanks for the additional info here. I'll confer with the team to see if there's a way to resolve this.
cc @flostadler

@flostadler
Copy link
Contributor

@sanketg86 the primary cluster security group is auto created by EKS itself and not within pulumi. You could tag it like this:

const primaryClusterSecurityGroup = cluster.eksCluster.vpcConfig.clusterSecurityGroupId;
new aws.ec2.Tag("exampletagResourceResourceFromEc2tag", {
    key: "my-tag",
    resourceId: primaryClusterSecurityGroup,
    value: "my-value",
});

As an enhancement we could do this for users automatically unless they opt out of it.

@flostadler flostadler added kind/enhancement Improvements or new features and removed kind/bug Some behavior is incorrect or out of spec labels Jul 10, 2024
@flostadler flostadler changed the title clusterSecurityGroupTags applied to Additional security group. Must assign to Acutal cluster security group. Apply clusterSecurityGroupTags to the EKS created primary Cluster Security Group Jul 15, 2024
@flostadler flostadler mentioned this issue Oct 3, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
impact/usability Something that impacts users' ability to use the product easily and intuitively kind/enhancement Improvements or new features
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@flostadler @sanketg86 @rquitales @pulumi-bot