pulumi-eks

ManagedNodeGroupOptions doesn't allow SecurityGroup configuration

Open nimakaviani opened this issue 4 years ago • 9 comments

Problem description

Looking at the code for creating managed node groups, it looks like the arguments for ManagedNodeGroupOptions are derived from NodeGroupArgs here, which doesn't allow for configuring SecurityGroups on ManagedNodeGroups or on aws.eks.NodeGroup. Is this intentional?

For managed NodeGroups I think it will be helpful to be able to define custom security groups.

Also the behavior seems to be different for eks.NodeGroups since through NodeGroupBaseOptions the security group on the respective nodes can be configured.

nimakaviani avatar Apr 11 '20 03:04 nimakaviani

> For managed NodeGroups I think it will be helpful to be able to define custom security groups.

Thanks for opening the issue, Nima. EKS Managed Node Groups do not currently support setting security groups.

There is an issue tracking this for EKS in the AWS container roadmap: https://github.com/aws/containers-roadmap/issues/609.

Here are more details from AWS:

  • https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html
  • https://docs.aws.amazon.com/eks/latest/userguide/create-managed-node-group.html
  • https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

> Also the behavior seems to be different for eks.NodeGroups since through NodeGroupBaseOptions the security group on the respective nodes can be configured.

eks.NodeGroup are self-managed nodegroups, which means that they are configured using a CloudFormation Stack with an autoscaling group -- lending themselves to more configuration options compared to an AWS Managed node group.


Here are more details on the differences between managed node groups and self-managed node groups:

metral avatar Apr 13 '20 16:04 metral

Thanks @metral for the reply. I was thrown off by sourceSecurityGroupIds for remote access. I will keep an eye on the open issue on aws that you pointed to.

nimakaviani avatar Apr 13 '20 18:04 nimakaviani

Hello @metral ,

The referenced dependency issue was completed a while ago on EKS. Any chance to get this done? Or is there another workaround? (I need to attach custom SGs to nodes to allow private ECR endpoint image pulling.)

tonymkhael avatar May 13 '22 08:05 tonymkhael

https://github.com/aws/containers-roadmap/issues/609 is done, can we support this now?

better0332 avatar Aug 05 '22 16:08 better0332

This is a blocking feature for a bunch of stuff. Will this be added?

TapTap21 avatar Aug 18 '22 10:08 TapTap21

This is a requirement for Karpenter as it requires setting up additional ingress roles. Is there any plan or workaround for this?

milliondreams avatar Nov 20 '22 20:11 milliondreams

Hi - Any updates about this feature?

s-martinelli avatar May 18 '23 15:05 s-martinelli

@metral @lukehoban Any updates on this?

bradyburke avatar Aug 28 '23 19:08 bradyburke