OCPBUGS-85153 AWS custom security groups should address SG quotas

[bscott-rh]

Version(s):
4.22

Issue:
https://redhat.atlassian.net/browse/OCPBUGS-85153

Link to docs preview:
Account limits
Optional: Security groups

QE review:

• QE has approved this change.

This PR also moves some links to Additional Resources to satisfy Vale.

[bscott-rh]

/retest

[ocpdocs-previewbot]

🤖 Tue May 19 18:44:48 - Prow CI generated the docs preview:

https://111466--ocpdocs-pr.netlify.app/openshift-enterprise/latest/installing/installing_aws/installing-aws-account.html
https://111466--ocpdocs-pr.netlify.app/openshift-enterprise/latest/installing/installing_aws/ipi/installing-aws-localzone.html
https://111466--ocpdocs-pr.netlify.app/openshift-enterprise/latest/installing/installing_aws/ipi/installing-aws-private.html
https://111466--ocpdocs-pr.netlify.app/openshift-enterprise/latest/installing/installing_aws/ipi/installing-aws-specialized-region.html
https://111466--ocpdocs-pr.netlify.app/openshift-enterprise/latest/installing/installing_aws/ipi/installing-aws-vpc.html

[tthvo]

LGTM. I just have some suggestions (nits) :D

[tthvo]

/lgtm

Looks great from my end 👍

[mdeore]

I have a few suggestions to improve clarity and understanding.

[mdeore]

Suggestion:
By default, {aws-short} allows 5 security groups per network interface. If you are installing a cluster into an existing VPC and add 3 or more additional security groups in the install-config.yaml file, the installation completes successfully, but the additional security groups are applied only to compute nodes and not to control plane nodes and resulting in a SecurityGroupsPerInterfaceLimitExceeded error in installation logs. You must increase the quota for security groups per network interface to 3 + the number of additional security groups, because the installation program creates 3 security groups for the control plane nodes and 2 + the number of additional security groups for the compute nodes. The maximum supported quota is 16.

[mdeore]

• Stating that the installation will fail is somewhat misleading for customers, because the installation completes successfully; however, the additional security groups are not applied to the control plane nodes.

• As these security groups are also added to worker nodes, we should also add this 2 + the number of additional security groups information.

[mdeore]

Suggestion:
By default, {aws-short} allows 5 security groups per network interface. If you are installing a cluster into an existing VPC and add 3 or more additional security groups in the install-config.yaml file, the installation completes successfully, but the additional security groups are applied only to compute nodes and not to control plane nodes, resulting in a SecurityGroupsPerInterfaceLimitExceeded error in installation logs. You must increase the quota for security groups per network interface to 3 + the number of additional security groups, because the installation program creates 3 security groups for the control plane nodes and 2 + the number of additional security groups for the compute nodes. The maximum supported quota is 16.

[openshift-ci]

New changes are detected. LGTM label has been removed.

[openshift-ci]

@bscott-rh: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.