
feat: Support VPC ID filtering in security group selectors

Open moko-poi opened this issue 1 week ago • 2 comments

Description

Adds support for filtering security groups by VPC ID in securityGroupSelectorTerms, enabling users to disambiguate security groups with identical names across different VPCs.

Fixes #8175

Motivation

When multiple VPCs exist in a single AWS account with security groups sharing the same name, Karpenter currently selects all matching security groups regardless of VPC. This causes the following error when launching nodes:

InvalidParameter: Security group <SECURITY_GROUP_ID> and subnet <SUBNET_ID> belong to different networks.

This is a common scenario in:

  • Multi-tenant environments with VPC-per-customer architecture
  • Development/staging/production environments using separate VPCs
  • Multi-region deployments with similar naming conventions

Changes

  • API: Add optional vpcID field to SecurityGroupSelectorTerm with pattern validation (vpc-[0-9a-z]+)
  • Provider: Update getFilterSets() to support VPC filtering for ID, Name, and Tag-based selectors
  • Tests: Add comprehensive unit and integration tests for VPC filtering
  • CRD: Auto-generated CRD updates with new vpcID field
  • Example: Add security-group-with-vpc.yaml demonstrating usage

Usage Example

apiVersion: karpenter.k8s.aws/v1
kind: EC2NodeClass
metadata:
  name: default
spec:
  securityGroupSelectorTerms:
    # Select security group by name within specific VPC
    - name: k8s-node
      vpcID: vpc-12345678
    # Also works with tags
    - tags:
        Environment: production
      vpcID: vpc-12345678
  # ...

Backward Compatibility

✅ Fully backward compatible - vpcID is optional and existing configurations continue to work unchanged.

Testing

  • [x] Unit tests for getFilterSets() with VPC filtering
  • [x] Validation tests for vpcID field patterns
  • [x] Integration tests for controller reconciliation with VPC filters
  • [x] All existing tests pass

Checklist

  • [x] Added/updated tests
  • [x] Updated CRDs
  • [x] Added example YAML
  • [x] Backward compatible

moko-poi avatar Nov 22 '25 14:11 moko-poi
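The filter construction the Changes section describes, as an added Go example that is not the project's own code: hypothetical SecurityGroupSelectorTerm and Filter types stand in for the CRD type and the EC2 DescribeSecurityGroups filter, and the vpcID pattern is the one quoted in the PR. It shows how the vpc-id filter is appended to ID-, name- and tag-based terms alike, which is what stops a same-named group in another VPC from being selected.

```go
package main

import (
	"fmt"
	"regexp"
)

// Hypothetical types, not the project's own: they mirror the selector term
// fields named in the PR and the Name/Values shape of an EC2 describe filter.
type SecurityGroupSelectorTerm struct {
	ID, Name, VPCID string
	Tags            map[string]string
}

type Filter struct {
	Name   string
	Values []string
}

// vpcIDPattern is the validation pattern quoted in the PR description, anchored.
var vpcIDPattern = regexp.MustCompile(`^vpc-[0-9a-z]+$`)

// ValidateVPCID accepts an empty value (the field is optional); otherwise a
// malformed ID fails fast instead of silently matching nothing.
func ValidateVPCID(vpcID string) error {
	if vpcID != "" && !vpcIDPattern.MatchString(vpcID) {
		return fmt.Errorf("vpcID %q does not match vpc-[0-9a-z]+", vpcID)
	}
	return nil
}

// BuildFilters turns one selector term into EC2 filters. The vpc-id filter is
// appended for ID-, name- and tag-based terms alike, so a group with the same
// name in another VPC is no longer returned.
func BuildFilters(term SecurityGroupSelectorTerm) ([]Filter, error) {
	if err := ValidateVPCID(term.VPCID); err != nil {
		return nil, err
	}
	var filters []Filter
	switch {
	case term.ID != "":
		filters = append(filters, Filter{Name: "group-id", Values: []string{term.ID}})
	case term.Name != "":
		filters = append(filters, Filter{Name: "group-name", Values: []string{term.Name}})
	default:
		for k, v := range term.Tags {
			filters = append(filters, Filter{Name: "tag:" + k, Values: []string{v}})
		}
	}
	if term.VPCID != "" {
		filters = append(filters, Filter{Name: "vpc-id", Values: []string{term.VPCID}})
	}
	return filters, nil
}
```

Without vpcID the returned filters are exactly the pre-change ones, which is the backward-compatibility claim in the description.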

Deploy Preview for karpenter-docs-prod canceled.

Name               Link
Latest commit      1973b4063a0e960c37ff502d2614b7efd647bff5
Latest deploy log  https://app.netlify.com/projects/karpenter-docs-prod/deploys/6921cf60ce55400008d63e82

netlify[bot] avatar Nov 22 '25 14:11 netlify[bot]

@AndrewMitchell25 Hi! Just wanted to gently follow up on this PR. Would appreciate any feedback when you have a chance. Thanks!

moko-poi avatar Nov 28 '25 03:11 moko-poi