refactor securityGroup handling to reuse existing securityGroup on worker nodes #1019
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The SecurityGroup management in ALB Ingress controller depends on whether external SecurityGroups
are provided via annotation
alb.ingress.kubernetes.io/security-groups
.external SecurityGroups specified:
from these external SecurityGroups to worker node SecurityGroups.
external SecurityGroups unspecified:
How SecurityGroups on ENI are identified follows process described below:
1. if there are only single SecurityGroup on ENI, that SecurityGroup will be chosen.
2. if there are multiple SecurityGroup on ENI, the single SecurityGroup with tag
kubernetes.io/cluster/<cluster-name>
will be chosen.3. otherwise, error will be raised.
NOTE: older versions will try to create an standalone SecurityGroup which allows from traffic from LB SecurityGroup and attach to worker nodes ENI.
This behavior is changed to above due to un-scalability caused by AWS limits of allow securityGroup per ENI.