Restrict VPC.SecurityGroup egress rules validations to self-managed nodes #7883
Description
In the context of creating nodegroups on non-eksctl-created clusters, eksctl currently requires that the VPC SG does not contain any outbound rules. This is due to the fact that eksctl adds the ingress and egress rules to the VPC SG using CloudFormation (the rules are needed to facilitate communication between self-managed nodes and the cluster control plane). In turn, CloudFormation is treated as the only source of truth for SG rules, hence removing any pre-existing rules and leaving users with non-functional clusters due to this undesired behaviour.
Moreover, this validation is currently also applied when creating EKS-managed nodegroups, despite the fact that eksctl does not add any rules for those. This PR restricts the validation so that it is applied only when creating self-managed nodegroups, as eksctl does not alter any SG rules when creating EKS-managed nodegroups.
Part of #7176
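The gating described above, as an added illustration in Go (this is not eksctl's own code; the types, function and error names below are hypothetical stand-ins for eksctl's internals). The point it shows: a pre-existing outbound rule on the VPC security group is a hard error only when the nodegroup is self-managed, because that is the only case where eksctl hands the SG's rules to CloudFormation and the existing ones would be wiped; for an EKS-managed nodegroup the same SG passes unchanged.

```go
package main

import (
	"errors"
	"fmt"
)

// NodeGroupKind distinguishes the two nodegroup types eksctl can create.
type NodeGroupKind int

const (
	SelfManaged NodeGroupKind = iota
	EKSManaged
)

// SGRule is a minimal, hypothetical stand-in for an EC2 security-group
// permission; only the fields needed for the check are modelled.
type SGRule struct {
	Protocol string // "-1" means all protocols, as in the EC2 API
	FromPort int32
	ToPort   int32
	CIDR     string
}

// SecurityGroup is a hypothetical stand-in for the cluster's VPC security group.
type SecurityGroup struct {
	ID      string
	Ingress []SGRule
	Egress  []SGRule
}

// ErrExistingEgress is returned when creating a self-managed nodegroup would
// hand an SG with pre-existing outbound rules to CloudFormation.
var ErrExistingEgress = errors.New("VPC security group has pre-existing outbound rules")

// ValidateVPCSecurityGroup applies the validation only for self-managed
// nodegroups. For EKS-managed nodegroups eksctl does not touch SG rules, so
// there is nothing for CloudFormation to clobber and the SG is accepted as-is.
func ValidateVPCSecurityGroup(sg SecurityGroup, kind NodeGroupKind) error {
	if kind != SelfManaged {
		return nil
	}
	if len(sg.Egress) > 0 {
		return fmt.Errorf("%w: %s has %d outbound rule(s) that CloudFormation would remove",
			ErrExistingEgress, sg.ID, len(sg.Egress))
	}
	return nil
}

// RulesAtRisk lists the pre-existing outbound rules that would be lost for the
// given nodegroup kind; it is empty for EKS-managed nodegroups.
func RulesAtRisk(sg SecurityGroup, kind NodeGroupKind) []SGRule {
	if kind != SelfManaged {
		return nil
	}
	return append([]SGRule(nil), sg.Egress...)
}

func main() {
	// Constructed sample: an SG on a non-eksctl cluster that already allows all
	// outbound traffic, a common default on hand-built clusters.
	sg := SecurityGroup{
		ID:     "sg-0123456789abcdef0",
		Egress: []SGRule{{Protocol: "-1", FromPort: -1, ToPort: -1, CIDR: "0.0.0.0/0"}},
	}
	for _, kind := range []NodeGroupKind{SelfManaged, EKSManaged} {
		fmt.Printf("kind=%d err=%v atRisk=%d\n", kind, ValidateVPCSecurityGroup(sg, kind), len(RulesAtRisk(sg, kind)))
	}
}
```

Calling the validator with the same SG for both nodegroup kinds makes the change concrete: the self-managed path rejects the SG and names the rules at risk, the EKS-managed path accepts it, and an SG with no outbound rules passes either way.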
Checklist
Documentation: README.md or the userdocs directory
Labels: area (area/nodegroup) and kind (kind/improvement)
BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯