Comments (4)
lbogdan
commented on June 27, 2024
The proposed API for 1. would be to add
additionalNodeSecurityGroupRules: pulumi.Input<{
egress?: pulumi.Input<pulumi.Input<{
cidrBlocks?: pulumi.Input<pulumi.Input<string>[]>;
description?: pulumi.Input<string>;
fromPort: pulumi.Input<number>;
ipv6CidrBlocks?: pulumi.Input<pulumi.Input<string>[]>;
prefixListIds?: pulumi.Input<pulumi.Input<string>[]>;
protocol: pulumi.Input<string>;
securityGroups?: pulumi.Input<pulumi.Input<string>[]>;
self?: pulumi.Input<boolean>;
toPort: pulumi.Input<number>;
}>[]>,
ingress?: pulumi.Input<pulumi.Input<{
cidrBlocks?: pulumi.Input<pulumi.Input<string>[]>;
description?: pulumi.Input<string>;
fromPort: pulumi.Input<number>;
ipv6CidrBlocks?: pulumi.Input<pulumi.Input<string>[]>;
prefixListIds?: pulumi.Input<pulumi.Input<string>[]>;
protocol: pulumi.Input<string>;
securityGroups?: pulumi.Input<pulumi.Input<string>[]>;
self?: pulumi.Input<boolean>;
toPort: pulumi.Input<number>;
}>[]>
}>;rules that will be simply merged with the default rules in createNodeGroupSecurityGroup(https://github.com/pulumi/pulumi-eks/blob/master/nodejs/eks/securitygroup.ts#L35).
Although I'd prefer 2., which is more flexible (for example, you can't replace the default egress default "allow all" with something more specific by using 1.), I would propose something like
nodeSecurityGroupTransform?: (pulumi.Input<aws.ec2.SecurityGroup>) => pulumi.Input<aws.ec2.SecurityGroup>;which can either mutate the provided security group, or return a new one.
@lukehoban @metral What do you think?
from pulumi-eks.
metral
commented on June 27, 2024
I'm thinking option 1 is the best path forward here as it makes expectations clear about the user brings and what the cluster requires.
@lukehoban thoughts?
from pulumi-eks.
d-nishi
commented on June 27, 2024
agree that option 1 is better because a) the alb ingress group implementation relies on the EKS node-security group; and b) nodes allow for multiple security groups;
When implementing this the logic 1 thing to consider is that the ALB/ELB/NLB in k8s will use the default security group on the node with the clustertag. If a new SG with the same clustertag is found then an error will be logged, so we need to factor that in when implementing option 1.
from pulumi-eks.
metral
commented on June 27, 2024
Closing in favor of #275
from pulumi-eks.
Related Issues (20)
- ManagedNodeGroup should be able to specify an AMI ID override
- Workflow failure: cron HOT 1
- Workflow failure: master HOT 1
- Unable to specify `nodeRootVolumeIops` and `nodeRootVolumeThroughput` in node group resources
- Upgrade tests are broken after release v2.5.0
- Keep pulumi-aws reference up-to-date with automation
- `instanceRole` still created when `skipDefaultNodeGroup` is enabled. HOT 1
- eks.ManagedNodeGroup with amiType: 'AL2023_ARM_64_STANDARD' breaks when kubeletExtraArgs specified HOT 5
- Upgrade tests fails whenever there is a new recommended AMI ID
- Generate Node SDK using the standard codegen tooling HOT 3
- Enforce linting rules in CI
- Workflow failure: master
- Workflow failure: master
- VPC CNI creation does not respect the `proxy` config or `HTTP_PROXY` environment variable HOT 1
- eks.ManagedNodeGroup: launchTemplate is ignored HOT 2
- clusterSecurityGroupTags applied to Additional security group. Must assign to Acutal cluster security group. HOT 3
- Support AL2023 & Bottlerocket for managed node groups
- Cannot create `ManagedNodeGroup` for cluster with `API` authentication mode
- Allow users to set KMS key when encrypting node block devices HOT 2
- Workflow failure: cron HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from pulumi-eks.