An example showing how to attach additional security groups to the worker pools, VPE and load balancers:
- A custom security group, named
custom-cluster-sg, is specified at cluster creation. This security group is attached to all worker nodes of the cluster, including the worker nodes created after the creation of the cluster. - A second custom security group, named
custom-worker-pool-sg, is specified for one of thecustom-sgworker pools. This security group is not applied to other worker pools. - Three custom security groups, named
custom-master-vpe-sg,custom-registry-vpe-sg, andcustom-kube-api-vpe-sg, are attached to the three VPEs created by the ROKS-stack: the master VPE, the container registry VPE, and the kubernetes API VPE. This is in addition to the IBM-managed security groups that are still attached to those resources. - One custom security group, named
custom-lb-sg, is attached to the LB created out-of-the-box by the IBM stack.
Furthermore, the default IBM-managed kube-<clusterId> security group is linked to all worker nodes of the cluster by utilizing the attach_ibm_managed_security_group input variable. It is important to note that, in this configuration, the default VPC security group is not connected to any worker node.
See Adding VPC security groups to clusters and worker pools during create time for further details.