Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Multiple security groups are created with the kubernetes.io/cluster tag #1810

Closed
albgus opened this issue Jan 25, 2022 · 4 comments
Closed

Multiple security groups are created with the kubernetes.io/cluster tag #1810

albgus opened this issue Jan 25, 2022 · 4 comments
Labels
needs triage

Comments

@albgus
Copy link

albgus commented Jan 25, 2022

Description

When provisioning self_managed_node_groups with this module, multiple security groups using this module two security groups ends up being created with the kubernetes.io/cluster/${var.cluster_name} tag. This is a problem for at least the AWS Load Balancer Controller which fails to update some of the Target groups, logging this message:

{"level":"error","ts":1643107355.1327415,"logger":"controller-runtime.manager.controller.targetGroupBinding","msg":"Reconciler error","reconciler group":"elbv2.k8s.aws","reconciler kind":"TargetGroupBinding","name":"k8s-monitor-promethe-e1f79f04c5","namespace":"monitor","error":"expect exactly one securityGroup tagged with kubernetes.io/cluster/dev for eni eni-0b6ed10e3b4d8b5c1, got: [sg-0b21ca401c50b3bad sg-0d450bf11239af6a2]"}

The security groups causing the issues seems to be these:

terraform-aws-eks/modules/self-managed-node-group/main.tf

Line 452 in 16f46db

resource "aws_security_group" "this" {

terraform-aws-eks/node_groups.tf

Line 148 in 16f46db

resource "aws_security_group" "node" {

Versions

on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v3.72.0
+ provider registry.terraform.io/hashicorp/cloudinit v2.2.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.7.1
+ provider registry.terraform.io/hashicorp/tls v3.1.0
  • Module: 18.2.1

Reproduction

Steps to reproduce the behaviour:

  • Create a cluster with this module, using default values and containing at least one self_managed_node_group

Possible workaround:

  • Disable creation of either the node_group or shared node group security groups through module variables and create a separate security group outside this module.
@bryantbiggs
Copy link
Member

related #1774

@albgus
Copy link
Author

albgus commented Jan 25, 2022

As a workaround adding this parameter to the module seems to do the trick:

node_security_group_tags = {
  "kubernetes.io/cluster/${var.name}" = null
}

However seeing the suggestion in that PR perhaps it's better to add it to the self_managed_node_group_defaults. security_group_tags.

@bryantbiggs
Copy link
Member

closed with #1774

@blakepettersson blakepettersson mentioned this issue Apr 4, 2022
Closed
1 task
@github-actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 14, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
needs triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@albgus @bryantbiggs