Is there any documentation for making Bottlerocket work without the internet access to the instances security group? #3954

Open
soura49 opened this issue May 13, 2024 Discussed in #3953 · 1 comment
Labels
area/kubernetes K8s including EKS, EKS-A, and including VMW type/documentation Documentation update/creation

soura49 commented May 13, 2024

Discussed in #3953

Originally posted by soura49 May 13, 2024

  • We are using the Bottlerocket AMI for EKS-managed node groups.
  • Right now, we have egress for Internet open from the Node Security Group.
  • But when we remove that, it fails to join the cluster and load the kernel modules etc.
  • Is there a list of Internet calls that the Bottlerocket AMI makes when starting up?
@soura49 soura49 changed the title Is there any documentation for making bottlerocket work without the internet access to the instances? Is there any documentation for making bottlerocket work without the internet access to the instances security group ? May 13, 2024
@vigh-m vigh-m added the type/documentation Documentation update/creation label May 14, 2024
@larvacea (Member)

The discussion in #3953 summarized:

  • @jpculp responded with the list of endpoints that Bottlerocket requires: ECR, EKS, IMDS, and SSM.
  • These were not sufficient to unblock @soura49, but adding an endpoint for STS was sufficient. STS is required for IAM roles for service accounts.

Thanks to @soura49 for the report: the answer is no, it's not documented, or at least not documented clearly enough, and we should fix that. Also thanks to @soura49 for so clearly identifying the STS issue, finding documentation, and reporting back once the problem was solved.
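
An added example, not part of the thread or of Bottlerocket's documentation: a Python audit of the JSON returned by `aws ec2 describe-vpc-endpoints` against the services named in the summary above. The family-to-suffix mapping, the region and the sample records are assumptions constructed for illustration; the thread names only the service families.

```python
# Assumption: mapping from the service families named in the thread to
# PrivateLink service-name suffixes. IMDS is link-local (169.254.169.254),
# not a VPC endpoint, so it is not audited here.
REQUIRED = {
    "ECR": ("ecr.api", "ecr.dkr"),
    "EKS": ("eks",),
    "SSM": ("ssm",),
    "STS": ("sts",),
}

def audit_endpoints(describe_output, region):
    """Return {family: [problem, ...]} for one VPC's describe-vpc-endpoints JSON."""
    prefix = f"com.amazonaws.{region}."
    seen = {}
    for ep in describe_output.get("VpcEndpoints", []):
        name = ep.get("ServiceName", "")
        if name.startswith(prefix):
            seen[name[len(prefix):]] = ep
    gaps = {}
    for family, suffixes in REQUIRED.items():
        problems = []
        for suffix in suffixes:
            ep = seen.get(suffix)
            if ep is None:
                problems.append(f"{suffix}: no endpoint")
            elif ep.get("State", "").lower() != "available":
                problems.append(f"{suffix}: state {ep.get('State')}")
            elif not ep.get("PrivateDnsEnabled", False):
                # Without private DNS the default service hostname does not
                # resolve to the endpoint, so calls still head for the internet.
                problems.append(f"{suffix}: private DNS disabled")
        if problems:
            gaps[family] = problems
    return gaps

def _ep(suffix, state="available", private_dns=True):
    # Constructed sample record, shaped like one describe-vpc-endpoints entry.
    return {"ServiceName": f"com.amazonaws.us-west-2.{suffix}",
            "VpcEndpointType": "Interface", "State": state,
            "PrivateDnsEnabled": private_dns}

# Constructed input: STS absent, as in the thread; the SSM private-DNS fault
# is an extra constructed case to exercise that check.
SAMPLE = {"VpcEndpoints": [_ep("ecr.api"), _ep("ecr.dkr"), _ep("eks"),
                           _ep("ssm", private_dns=False)]}

if __name__ == "__main__":
    for family, problems in audit_endpoints(SAMPLE, "us-west-2").items():
        print(family, problems)
```
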

@larvacea larvacea added the area/kubernetes K8s including EKS, EKS-A, and including VMW label May 14, 2024