
How to add additional security groups to EKS cluster?

I use terraform-aws-eks to provision an EKS cluster. Two security groups are provisioned after "terraform apply": the "Cluster security group" and the "Additional security groups". I launched an EC2 instance and would like to access EKS from that EC2. To do that, I need to add the EC2 security group to "Additional security groups". My code is as follows. Two questions.

  1. From my code, I have no idea how "Additional security groups" got created.
  2. I added "cluster_security_group_additional_rules" to my Terraform code. I did not find the security group I added after "terraform apply"; it seems it is not created. In the AWS console, it works if I manually add the EC2 security group to "Additional security groups". How can I do it using Terraform code?
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "18.30.1"

  cluster_name    = var.cluster_name
  cluster_version = var.cluster_version
  create_kms_key  = true
  kms_key_description = "KMS Secrets encryption for EKS Cluster"
  kms_key_enable_default_policy   = true

  cluster_endpoint_private_access = true
  cluster_endpoint_public_access  = true

  vpc_id                          = var.vpc_id
  subnet_ids                      = var.subnet_ids

  cluster_enabled_log_types       = var.cluster_enabled_log_types

  manage_aws_auth_configmap       = var.manage_aws_auth_configmap
  aws_auth_roles                  = var.aws_auth_roles
  aws_auth_users                  = var.aws_auth_users
  aws_auth_accounts               = var.aws_auth_accounts

  #Required for Karpenter role below
  enable_irsa                     = true

  create_cloudwatch_log_group            = var.create_cloudwatch_log_group
  cloudwatch_log_group_retention_in_days = var.cloudwatch_log_group_retention_in_days

  node_security_group_additional_rules = {
    ingress_nodes_karpenter_port = {
      description                   = "Cluster API to Node group for Karpenter webhook"
      protocol                      = "tcp"
      from_port                     = 8443
      to_port                       = 8443
      type                          = "ingress"
      source_cluster_security_group = true
    }
  }

  # Extend cluster security group rules
  # NOTE: these rules are added to the module-created cluster SG; they do not
  # attach a new SG to the cluster. In module v18 the rule schema reads
  # `source_security_group_id` (a `security_groups` key is ignored), and
  # `source_cluster_security_group` only applies to node_security_group_additional_rules.
  cluster_security_group_additional_rules = {
    ingress_ec2_tcp = {
      description                = "Access EKS from EC2 instance."
      protocol                   = "tcp"
      from_port                  = 443
      to_port                    = 443
      type                       = "ingress"
      security_groups            = [var.ec2_sg_id]
      source_cluster_security_group = true
    }
  }

  node_security_group_tags = {
    # NOTE - if creating multiple security groups with this module, only tag the
    # security group that Karpenter should utilize with the following tag
    # (i.e. - at most, only one security group should have this tag in your account)
    "karpenter.sh/discovery/${var.cluster_name}" = var.cluster_name
  }

  # Need two nodes to get Karpenter up and running.
  # This ensures core services such as VPC CNI, CoreDNS, etc. are up and running
  # so that Karpenter can be deployed and start managing compute capacity as required
  eks_managed_node_groups = {
    "${var.cluster_name}" = {
      capacity_type  = "ON_DEMAND"

      instance_types = ["m5.large"]
      # Not required nor used - avoid tagging two security groups with same tag as well
      create_security_group = false

      # Ensure enough capacity to run 2 Karpenter pods
      min_size     = 2
      max_size     = 3
      desired_size = 2

      iam_role_additional_policies = [
        "arn:${local.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore", # Required by Karpenter
        "arn:${local.partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy",
        "arn:${local.partition}:iam::aws:policy/AmazonEKS_CNI_Policy",
        "arn:${local.partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly", #for access to ECR images
        "arn:${local.partition}:iam::aws:policy/CloudWatchAgentServerPolicy"
      ]

      labels = {
        AL2Nodes = "monitor"
      }
      tags = {
        # This will tag the launch template created for use by Karpenter
        "karpenter.sh/discovery/${var.cluster_name}" = var.cluster_name
      }
    }
  }
}

You can add additional SGs with the option cluster_additional_security_group_ids = []

E.g.: cluster_additional_security_group_ids = [aws_security_group.additional_sg_whatever.id]

Source: https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/docs.network_connectivity.md

This is how you can create your own SG:

resource "aws_security_group" "additional_sg_whatever" {
  name        = "additional_sg_whatever"
  description = "additional_sg_whatever"
  vpc_id      = var.vpc_id   # placeholder: the VPC the cluster lives in

  ingress {
    description      = "http access"
    from_port        = 80
    to_port          = 80
    protocol         = "tcp"
    cidr_blocks      = var.allowed_cidr_blocks   # placeholder: restrict to the ranges that need access
  }

  ingress {
    description      = "https access"
    from_port        = 443
    to_port          = 443
    protocol         = "tcp"
    cidr_blocks      = var.allowed_cidr_blocks   # placeholder: restrict to the ranges that need access
  }

  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"          # all protocols
    cidr_blocks      = ["0.0.0.0/0"] # allow all outbound
  }

  tags   = {
    Name = "additional_sg_whatever"
  }
}
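Added example (not code from the question, the answer, or the terraform-aws-eks project) showing the two mechanisms side by side for module v18: attaching an existing SG to the cluster ENIs, versus adding a single ingress rule on the module-created cluster SG whose source is the EC2 instance's SG. It assumes var.ec2_sg_id holds the EC2 instance's security group id and the other variables are as in the question; either option alone is enough.

```hcl
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "18.30.1"

  cluster_name    = var.cluster_name
  cluster_version = var.cluster_version
  vpc_id          = var.vpc_id
  subnet_ids      = var.subnet_ids

  # Option A: attach an existing SG to the cluster's ENIs. These ids are what
  # the console lists under "Additional security groups" (the module also adds
  # its own cluster SG to that list, which is why one appears without you
  # declaring it). Traffic from the instance is only allowed if var.ec2_sg_id
  # itself permits inbound 443 from the instance, e.g. via a self-referencing rule.
  cluster_additional_security_group_ids = [var.ec2_sg_id]

  # Option B (least privilege): do not attach the EC2 SG at all; open only
  # tcp/443 on the module-created cluster SG to sources in var.ec2_sg_id.
  # The rule schema uses `source_security_group_id`; `security_groups` is not
  # read, and `source_cluster_security_group` belongs to node SG rules.
  cluster_security_group_additional_rules = {
    ingress_ec2_https = {
      description              = "EKS API (443) from the EC2 instance SG"
      protocol                 = "tcp"
      from_port                = 443
      to_port                  = 443
      type                     = "ingress"
      source_security_group_id = var.ec2_sg_id
    }
  }
}

# Expose the module-created cluster SG id so the applied rule can be checked,
# e.g. with `aws ec2 describe-security-group-rules --filters Name=group-id,Values=<id>`.
output "cluster_security_group_id" {
  value = module.eks.cluster_security_group_id
}
```

After apply, Option B shows up as a new inbound rule on the cluster SG rather than as a new entry under "Additional security groups", which is the expected result.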
