I use terraform-aws-eks to provision an EKS cluster. Two security groups are provisioned after "terraform apply": the "Cluster security group" and the "Additional security groups". I launched an EC2 instance, and I would like to access EKS from that EC2. To do that, I need to add the EC2 security group into "Additional security groups". My code is as follows. Two questions.
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "18.30.1"

  cluster_name    = var.cluster_name
  cluster_version = var.cluster_version

  create_kms_key                = true
  kms_key_description           = "KMS Secrets encryption for EKS Cluster"
  kms_key_enable_default_policy = true

  cluster_endpoint_private_access = true
  cluster_endpoint_public_access  = true

  vpc_id     = var.vpc_id
  subnet_ids = var.subnet_ids

  cluster_enabled_log_types = var.cluster_enabled_log_types

  manage_aws_auth_configmap = var.manage_aws_auth_configmap
  aws_auth_roles            = var.aws_auth_roles
  aws_auth_users            = var.aws_auth_users
  aws_auth_accounts         = var.aws_auth_accounts

  # Required for Karpenter role below
  enable_irsa = true

  create_cloudwatch_log_group            = var.create_cloudwatch_log_group
  cloudwatch_log_group_retention_in_days = var.cloudwatch_log_group_retention_in_days

  node_security_group_additional_rules = {
    ingress_nodes_karpenter_port = {
      description                   = "Cluster API to Node group for Karpenter webhook"
      protocol                      = "tcp"
      from_port                     = 8443
      to_port                       = 8443
      type                          = "ingress"
      source_cluster_security_group = true
    }
  }

  # Extend cluster security group rules
  cluster_security_group_additional_rules = {
    ingress_ec2_tcp = {
      description = "Access EKS from EC2 instance."
      protocol    = "tcp"
      from_port   = 443
      to_port     = 443
      type        = "ingress"
      # The module passes `source_security_group_id` through to aws_security_group_rule.
      # `security_groups` and `source_cluster_security_group` are not recognized for
      # cluster-SG rules and would be ignored, leaving the rule with no source.
      source_security_group_id = var.ec2_sg_id
    }
  }

  node_security_group_tags = {
    # NOTE - if creating multiple security groups with this module, only tag the
    # security group that Karpenter should utilize with the following tag
    # (i.e. - at most, only one security group should have this tag in your account)
    "karpenter.sh/discovery/${var.cluster_name}" = var.cluster_name
  }

  # Need two nodes to get Karpenter up and running.
  # This ensures core services such as VPC CNI, CoreDNS, etc. are up and running
  # so that Karpenter can be deployed and start managing compute capacity as required
  eks_managed_node_groups = {
    "${var.cluster_name}" = {
      capacity_type  = "ON_DEMAND"
      instance_types = ["m5.large"]

      # Not required nor used - avoid tagging two security groups with same tag as well
      create_security_group = false

      # Ensure enough capacity to run 2 Karpenter pods
      min_size     = 2
      max_size     = 3
      desired_size = 2

      # local.partition is defined elsewhere in the configuration (e.g. from data.aws_partition)
      iam_role_additional_policies = [
        "arn:${local.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore", # Required by Karpenter
        "arn:${local.partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy",
        "arn:${local.partition}:iam::aws:policy/AmazonEKS_CNI_Policy",
        "arn:${local.partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly", # for access to ECR images
        "arn:${local.partition}:iam::aws:policy/CloudWatchAgentServerPolicy"
      ]

      labels = {
        AL2Nodes = "monitor"
      }

      tags = {
        # This will tag the launch template created for use by Karpenter
        "karpenter.sh/discovery/${var.cluster_name}" = var.cluster_name
      }
    }
  }
}
You can add an additional SG with the option cluster_additional_security_group_ids = []
E.g. -> cluster_additional_security_group_ids = [aws_security_group.additional_sg_whatever.id]
Source: https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/docs.network_connectivity.md
This is how you can create your own SG:
resource "aws_security_group" "additional_sg_whatever" {
  name        = "additional_sg_whatever"
  description = "additional_sg_whatever"
  vpc_id      = var.vpc_id # assumed: the same VPC variable the question's module uses

  ingress {
    description = "http access"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = var.allowed_cidr_blocks # assumed variable; scope this to the EC2 subnet, not 0.0.0.0/0
  }

  ingress {
    description = "https access"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = var.allowed_cidr_blocks # assumed variable, as above
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1" # all protocols
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "additional_sg_whatever"
  }
}
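Putting the question and the answer together, here is an added example (it is not code from the question, the answer, or the terraform-aws-eks project) showing the two ways module v18.x can grant one EC2 instance access to the EKS API endpoint on TCP 443. Option A adds a rule to the module-managed cluster security group; option B creates a separate SG and passes it through cluster_additional_security_group_ids, which the module forwards (together with its own cluster SG) to the cluster's securityGroupIds, the list the EKS console displays as "Additional security groups". Either option alone is enough. Both reference the EC2 instance's security group (assumed variable var.ec2_sg_id) as the source instead of a CIDR, so the allow-rule follows that instance rather than whatever else lands in the same subnet. The other var.* inputs are assumed to be declared as in the question.

```hcl
# Added example: least-privilege EC2 -> EKS API access with terraform-aws-modules/eks v18.x.
# Assumed variables: var.cluster_name, var.cluster_version, var.vpc_id, var.subnet_ids
# (as in the question) and var.ec2_sg_id, the SG already attached to the EC2 instance.

variable "ec2_sg_id" {
  description = "Security group attached to the EC2 instance that needs API access (assumed)"
  type        = string
}

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "18.30.1"

  cluster_name    = var.cluster_name
  cluster_version = var.cluster_version
  vpc_id          = var.vpc_id
  subnet_ids      = var.subnet_ids

  # The EC2 instance lives in the VPC, so the private endpoint is all it needs;
  # leaving the public endpoint off keeps the API off the internet.
  cluster_endpoint_private_access = true
  cluster_endpoint_public_access  = false

  # Option A: one rule on the module-managed cluster security group.
  # For cluster rules the module reads source_security_group_id, cidr_blocks,
  # ipv6_cidr_blocks, prefix_list_ids, self and source_node_security_group;
  # any other key (e.g. `security_groups`) is ignored.
  cluster_security_group_additional_rules = {
    ingress_ec2_api = {
      description              = "EC2 instance -> EKS API (HTTPS)"
      protocol                 = "tcp"
      from_port                = 443
      to_port                  = 443
      type                     = "ingress"
      source_security_group_id = var.ec2_sg_id
    }
  }

  # Option B: attach a separately managed SG to the control-plane ENIs as well.
  cluster_additional_security_group_ids = [aws_security_group.eks_api_from_ec2.id]
}

# Option B's SG: ingress limited to TCP 443 from the EC2 instance's SG, no wildcard CIDRs.
# Rules are kept in aws_security_group_rule resources so they can be reviewed one by one.
resource "aws_security_group" "eks_api_from_ec2" {
  name        = "${var.cluster_name}-api-from-ec2"
  description = "Allow the EC2 instance SG to reach the EKS API endpoint"
  vpc_id      = var.vpc_id

  tags = {
    Name = "${var.cluster_name}-api-from-ec2"
  }
}

resource "aws_security_group_rule" "eks_api_from_ec2_ingress" {
  type                     = "ingress"
  security_group_id        = aws_security_group.eks_api_from_ec2.id
  description              = "EC2 instance -> EKS API (HTTPS)"
  protocol                 = "tcp"
  from_port                = 443
  to_port                  = 443
  source_security_group_id = var.ec2_sg_id
}

# Expose the IDs so the SGs actually attached to the cluster can be checked after apply with
#   aws eks describe-cluster --name <cluster> --query cluster.resourcesVpcConfig.securityGroupIds
output "cluster_security_group_id" {
  value = module.eks.cluster_security_group_id
}

output "eks_api_from_ec2_security_group_id" {
  value = aws_security_group.eks_api_from_ec2.id
}
```

After `terraform apply`, the describe-cluster query in the comment should list both the module's cluster SG and the eks_api_from_ec2 SG; the EKS-created "Cluster security group" is separate and is not touched by either option. If access later needs to be revoked, removing the one rule (option A) or the one SG (option B) is a single-resource change rather than an edit to a shared CIDR list.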