
How to add additional security groups to EKS cluster?

I use terraform-aws-eks to provision an EKS cluster. After `terraform apply`, two security groups are configured: the "Cluster security group" and the "Additional security groups". I launched an EC2 instance and want to access EKS from that EC2 instance. To do that, I need to add the EC2 instance's security group to the "Additional security groups". Below is my code. Two questions.

  1. From my code, I can't tell how the "Additional security groups" are created.
  2. I added "cluster_security_group_additional_rules" to the Terraform code. After "terraform apply" I don't find the security group I added; it seems not to have been created. In the AWS console, if I manually add the EC2 security group to the "Additional security groups", it works. How can I do that with Terraform code?

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "18.30.1"

  cluster_name    = var.cluster_name
  cluster_version = var.cluster_version
  create_kms_key  = true
  kms_key_description = "KMS Secrets encryption for EKS Cluster"
  kms_key_enable_default_policy   = true

  cluster_endpoint_private_access = true
  cluster_endpoint_public_access  = true

  vpc_id                          = var.vpc_id
  subnet_ids                      = var.subnet_ids

  cluster_enabled_log_types       = var.cluster_enabled_log_types

  manage_aws_auth_configmap       = var.manage_aws_auth_configmap
  aws_auth_roles                  = var.aws_auth_roles
  aws_auth_users                  = var.aws_auth_users
  aws_auth_accounts               = var.aws_auth_accounts

  #Required for Karpenter role below
  enable_irsa                     = true

  create_cloudwatch_log_group            = var.create_cloudwatch_log_group
  cloudwatch_log_group_retention_in_days = var.cloudwatch_log_group_retention_in_days

  node_security_group_additional_rules = {
    ingress_nodes_karpenter_port = {
      description                   = "Cluster API to Node group for Karpenter webhook"
      protocol                      = "tcp"
      from_port                     = 8443
      to_port                       = 8443
      type                          = "ingress"
      source_cluster_security_group = true
    }
  }

  # Extend cluster security group rules
  cluster_security_group_additional_rules = {
    ingress_ec2_tcp = {
      description                = "Access EKS from EC2 instance."
      protocol                   = "tcp"
      from_port                  = 443
      to_port                    = 443
      type                       = "ingress"
      security_groups            = [var.ec2_sg_id]
      source_cluster_security_group = true
    }
  }

  node_security_group_tags = {
    # NOTE - if creating multiple security groups with this module, only tag the
    # security group that Karpenter should utilize with the following tag
    # (i.e. - at most, only one security group should have this tag in your account)
    "karpenter.sh/discovery/${var.cluster_name}" = var.cluster_name
  }

  # Need two nodes to get Karpenter up and running.
  # This ensures core services such as VPC CNI, CoreDNS, etc. are up and running
  # so that Karpenter can be deployed and start managing compute capacity as required
  eks_managed_node_groups = {
    "${var.cluster_name}" = {
      capacity_type  = "ON_DEMAND"

      instance_types = ["m5.large"]
      # Not required nor used - avoid tagging two security groups with same tag as well
      create_security_group = false

      # Ensure enough capacity to run 2 Karpenter pods
      min_size     = 2
      max_size     = 3
      desired_size = 2

      iam_role_additional_policies = [
        "arn:${local.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore", # Required by Karpenter
        "arn:${local.partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy",
        "arn:${local.partition}:iam::aws:policy/AmazonEKS_CNI_Policy",
        "arn:${local.partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly", #for access to ECR images
        "arn:${local.partition}:iam::aws:policy/CloudWatchAgentServerPolicy"
      ]

      labels = {
        AL2Nodes = "monitor"
      }
      tags = {
        # This will tag the launch template created for use by Karpenter
        "karpenter.sh/discovery/${var.cluster_name}" = var.cluster_name
      }
    }
  }
}

You can add additional SGs with the option cluster_additional_security_group_ids = []

e.g. -> cluster_additional_security_group_ids = [aws_security_group.additional_sg_whatever.id]

Source: https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/docs.network_connectivity.md

Here is how you can create your own SG:

resource "aws_security_group" "additional_sg_whatever" {
  name        = "additional_sg_whatever"
  description = "additional_sg_whatever"
  vpc_id      = var.vpc_id # must be the same VPC the cluster lives in

  ingress {
    description      = "http access"
    from_port        = 80
    to_port          = 80
    protocol         = "tcp"
    cidr_blocks      = ["10.0.0.0/16"] # placeholder: narrow this to the range your EC2 instance sits in
  }

  ingress {
    description      = "https access"
    from_port        = 443
    to_port          = 443
    protocol         = "tcp"
    cidr_blocks      = ["10.0.0.0/16"] # placeholder: narrow this to the range your EC2 instance sits in
  }

  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"] # placeholder: restrict if the SG must not allow unrestricted outbound traffic
  }

  tags   = {
    Name = "additional_sg_whatever"
  }
}
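As an added example (not the asker's or the answerer's code, and not from the terraform-aws-eks project), here is the complete shape of what the answer describes: a dedicated security group that admits only the EC2 instance's own security group on TCP 443, attached to the cluster through cluster_additional_security_group_ids. It reuses the variables from the question (var.vpc_id, var.subnet_ids, var.cluster_name, var.cluster_version, var.ec2_sg_id); the resource name eks_from_ec2 is chosen here. It also shows the alternative of a rule on the module-managed cluster SG: in the v18 module the rule maps read source_security_group_id, not security_groups, and source_cluster_security_group is only read for node_security_group_additional_rules, which is why the rule in the question produced nothing. Either approach alone is enough.

```hcl
# Added example: assumes the question's variables exist; eks_from_ec2 is a name chosen here.

# 1. A dedicated SG whose only rule is inbound 443 from the EC2 instance's SG.
#    Referencing the source SG instead of a CIDR ties the grant to the instance's
#    identity rather than to an address that may later be reused.
resource "aws_security_group" "eks_from_ec2" {
  name        = "${var.cluster_name}-eks-from-ec2"
  description = "Allow the EC2 instance to reach the EKS API endpoint"
  vpc_id      = var.vpc_id

  # No egress block on purpose: Terraform then removes AWS's default allow-all
  # egress, and this SG only needs to grant inbound access. The module-managed
  # cluster SG still covers control-plane to node traffic.

  tags = {
    Name = "${var.cluster_name}-eks-from-ec2"
  }
}

resource "aws_security_group_rule" "eks_from_ec2_https" {
  type                     = "ingress"
  security_group_id        = aws_security_group.eks_from_ec2.id
  description              = "Kubernetes API (443) from the EC2 instance SG only"
  protocol                 = "tcp"
  from_port                = 443
  to_port                  = 443
  source_security_group_id = var.ec2_sg_id
}

# 2. Attach it to the cluster. It appears under "Additional security groups".
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "18.30.1"

  cluster_name    = var.cluster_name
  cluster_version = var.cluster_version
  vpc_id          = var.vpc_id
  subnet_ids      = var.subnet_ids

  cluster_additional_security_group_ids = [aws_security_group.eks_from_ec2.id]

  # Alternative without an extra SG: add a rule to the module-managed cluster SG.
  # The rule map is keyed on source_security_group_id; a "security_groups" key
  # is ignored, and source_cluster_security_group only applies to node rules.
  cluster_security_group_additional_rules = {
    ingress_ec2_https = {
      description              = "Kubernetes API from the EC2 instance SG"
      protocol                 = "tcp"
      from_port                = 443
      to_port                  = 443
      type                     = "ingress"
      source_security_group_id = var.ec2_sg_id
    }
  }
}

output "cluster_security_group_id" {
  description = "Module-managed cluster SG, useful when checking rules after apply"
  value       = module.eks.cluster_security_group_id
}
```

After `terraform apply`, `aws eks describe-cluster --name <cluster-name> --query 'cluster.resourcesVpcConfig.securityGroupIds'` should list the eks_from_ec2 SG id; if it does not, the attachment, not the rule, is what failed.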
