
[EKS] [request]: EKS creates a default Security Group with outbound rules allowing all traffic

Open midestefanis opened this issue 4 years ago • 5 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request

When a new EKS cluster is created a default Security Group is created with it. This violates our company's internal security policies, and we are wondering if there is a way to simply attach an existing security group to newly created EKS resources instead.

Please note we are trying to create and manage all resources via Terraform.

The issue we are facing is described in more detail in the link below: https://github.com/hashicorp/terraform-provider-aws/issues/18856

I have tried using the console and eksctl and the result is always the same. That default is always created.

The only thing that can be done is to edit the rules once the cluster is created. This is undesirable as it becomes impossible to automate.

What we want is to be able to create the security group when we create the cluster and use ours.

Only the addition of an additional SG is supported but it is not what we want.

Which service(s) is this request for? EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard? The problem without this flexibility is that we cannot automate the creation of the cluster through terraform and with our security policies.

If the creation of the cluster requires manual steps after creating it, it is absolutely unmanageable for a large organization.

Are you currently working around this issue? Manually removing the rule that allows all outgoing traffic and adding the rules with our security policies.

Additional context I have opened an AWS support case and was suggested to open a GitHub issue for this feature request.

midestefanis avatar Apr 28 '21 13:04 midestefanis

For now, this sample Revoke EKS Cluster Security Group Egress Rule can help if it is undesirable to do this manually every time. The egress rule is revoked when the cluster endpoint becomes available. I tested this in us-east-1 and it can work for an account/region combination. You will need to add your egress rules to your nodes separately. This does not solve the OP's need, "to create the security group when we create the cluster and use ours", but it may reduce the administrative pain of removing it manually every time. Hope this helps.

blayzestefaniak avatar Nov 20 '21 14:11 blayzestefaniak
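The workaround described in the issue body (remove the allow-all egress rule, then add the rules the security policy requires) and the sample mentioned in the comment above (revoke the rule once the cluster endpoint is available) can be automated with a small post-creation step. The following is an added example written for this thread; it is not the linked sample and not AWS or Terraform project code. It assumes boto3 credentials with `eks:DescribeCluster` and the EC2 security-group permissions, a cluster name and region passed by the caller, and a constructed allow-list of egress CIDRs (`10.0.0.0/16`, `10.0.0.2/32`) standing in for a real policy. The reconciliation logic is a pure function so it can be checked offline against the default rule EKS creates (`-1` protocol to `0.0.0.0/0`).

```python
"""Replace the permissive default egress rule on the EKS cluster security group
with an explicit allow-list once the cluster is ACTIVE.

Added example for this issue thread; assumes boto3 credentials and a
constructed egress policy (DESIRED_EGRESS). Not the sample linked above.
"""
import sys

try:
    import boto3  # only needed for the live path in harden_cluster_sg()
except ImportError:  # lets the planning functions run without AWS installed
    boto3 = None

# Constructed policy for illustration: HTTPS inside the VPC and DNS to the
# VPC resolver. A real policy comes from the organisation's rules.
DESIRED_EGRESS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
     "IpRanges": [{"CidrIp": "10.0.0.2/32"}]},
]

# The rule EKS attaches to the cluster security group at creation time.
EKS_DEFAULT_EGRESS = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]


def _key(perm, cidr):
    # AWS omits FromPort/ToPort for protocol "-1"; -1 marks "all ports" here.
    return (perm["IpProtocol"], perm.get("FromPort", -1), perm.get("ToPort", -1), cidr)


def flatten(perms):
    """Expand EC2 IpPermissions into one (proto, from, to, cidr) tuple per CIDR."""
    keys = set()
    for p in perms:
        for r in p.get("IpRanges", []):
            keys.add(_key(p, r["CidrIp"]))
        for r in p.get("Ipv6Ranges", []):
            keys.add(_key(p, r["CidrIpv6"]))
    return keys


def is_allow_all(key):
    """True for the 'all protocols, all ports, anywhere' rule (IPv4 or IPv6)."""
    proto, _frm, _to, cidr = key
    return proto == "-1" and cidr in ("0.0.0.0/0", "::/0")


def has_allow_all_egress(perms):
    """Audit helper: does this rule set still contain an allow-all egress rule?"""
    return any(is_allow_all(k) for k in flatten(perms))


def plan_egress(current, desired):
    """Return (to_revoke, to_add): rules present but unwanted, and wanted but absent."""
    cur, want = flatten(current), flatten(desired)
    return sorted(cur - want), sorted(want - cur)


def to_permission(key):
    """Turn a rule tuple back into the IpPermissions shape the EC2 API expects."""
    proto, frm, to, cidr = key
    perm = {"IpProtocol": proto}
    if frm != -1:
        perm["FromPort"], perm["ToPort"] = frm, to
    if ":" in cidr:
        perm["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
    else:
        perm["IpRanges"] = [{"CidrIp": cidr}]
    return perm


def harden_cluster_sg(cluster_name, region, desired=DESIRED_EGRESS):
    """Live path: wait for the cluster, then reconcile its cluster SG egress.

    Adds the wanted rules before revoking the default so the control-plane ENIs
    never sit with zero egress mid-change. Returns (sg_id, revoked, added).
    """
    eks = boto3.client("eks", region_name=region)
    ec2 = boto3.client("ec2", region_name=region)
    eks.get_waiter("cluster_active").wait(name=cluster_name)
    vpc_cfg = eks.describe_cluster(name=cluster_name)["cluster"]["resourcesVpcConfig"]
    sg_id = vpc_cfg["clusterSecurityGroupId"]
    sg = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]
    revoke, add = plan_egress(sg["IpPermissionsEgress"], desired)
    if add:
        ec2.authorize_security_group_egress(
            GroupId=sg_id, IpPermissions=[to_permission(k) for k in add])
    if revoke:
        ec2.revoke_security_group_egress(
            GroupId=sg_id, IpPermissions=[to_permission(k) for k in revoke])
    return sg_id, revoke, add


if __name__ == "__main__":
    # usage: python harden_eks_sg.py <cluster-name> <region>
    name, region = sys.argv[1], sys.argv[2]
    print(harden_cluster_sg(name, region))
```

Because the cluster security group is shared by the control-plane ENIs and, by default, by managed node groups, tightening its egress also restricts node traffic; as the comment above notes, node egress rules need to be added separately. Running `has_allow_all_egress` against `IpPermissionsEgress` on a schedule is a cheap compliance check that the rule has not been re-added.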

Any update on this issue?

bnr242003 avatar Sep 22 '22 15:09 bnr242003

+1, just wanted to add to this that for us the problem is with the security group as a whole. We also want to manage the ingress rules and there the workaround with the sample rule doesn't work.

pvbouwel avatar Feb 24 '23 12:02 pvbouwel

We also want to manage the ingress rules and there the workaround with the sample rule doesn't work.

Deezpa avatar Dec 09 '24 09:12 Deezpa

I have been advised to also add my voice to this issue. The security group must be freely manageable, with no extra steps. Furthermore, the defaults are not compliant with many companies' rules and regulations.

Essque avatar Oct 24 '25 14:10 Essque