-
Notifications
You must be signed in to change notification settings - Fork 76
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Feature Request] Ability to specify additional node security group rules #97
Comments
The proposed API for additionalNodeSecurityGroupRules: pulumi.Input<{
egress?: pulumi.Input<pulumi.Input<{
cidrBlocks?: pulumi.Input<pulumi.Input<string>[]>;
description?: pulumi.Input<string>;
fromPort: pulumi.Input<number>;
ipv6CidrBlocks?: pulumi.Input<pulumi.Input<string>[]>;
prefixListIds?: pulumi.Input<pulumi.Input<string>[]>;
protocol: pulumi.Input<string>;
securityGroups?: pulumi.Input<pulumi.Input<string>[]>;
self?: pulumi.Input<boolean>;
toPort: pulumi.Input<number>;
}>[]>,
ingress?: pulumi.Input<pulumi.Input<{
cidrBlocks?: pulumi.Input<pulumi.Input<string>[]>;
description?: pulumi.Input<string>;
fromPort: pulumi.Input<number>;
ipv6CidrBlocks?: pulumi.Input<pulumi.Input<string>[]>;
prefixListIds?: pulumi.Input<pulumi.Input<string>[]>;
protocol: pulumi.Input<string>;
securityGroups?: pulumi.Input<pulumi.Input<string>[]>;
self?: pulumi.Input<boolean>;
toPort: pulumi.Input<number>;
}>[]>
}>; rules that will be simply merged with the default rules in Although I'd prefer nodeSecurityGroupTransform?: (pulumi.Input<aws.ec2.SecurityGroup>) => pulumi.Input<aws.ec2.SecurityGroup>; which can either mutate the provided security group, or return a new one. @lukehoban @metral What do you think? |
I'm thinking option 1 is the best path forward here as it makes expectations clear about the user brings and what the cluster requires. @lukehoban thoughts? |
agree that option 1 is better because a) the alb ingress group implementation relies on the EKS node-security group; and b) nodes allow for multiple security groups; When implementing this the logic 1 thing to consider is that the ALB/ELB/NLB in k8s will use the default security group on the node with the clustertag. If a new SG with the same clustertag is found then an error will be logged, so we need to factor that in when implementing option 1. |
Closing in favor of #275 |
Currently the node security group rules are hardcoded in securitygroup.ts:35, and the only way to alter them is to create the security group ourselves, copy-paste those rules, add additional ones, and send it in
nodeSecurityGroup
when creating a cluster or node group.My specific use case for this is allowing SSH to a cluster / node group's nodes.
In the name of convenience, I can think of 3 ways to improve this:
transformations
callback inConfigGroup
, for example).allowSSH
property inClusterOptions
/ClusterNodeGroupOptions
.The text was updated successfully, but these errors were encountered: