How to add additional security groups to an EKS cluster?
I provision an EKS cluster with terraform-aws-eks. After `terraform apply`, two security groups are configured: the "cluster security group" and the "additional security group". I launched an EC2 instance and want to access EKS from that EC2 instance. To do so, I need to add the EC2 security group to the "additional security group". Below is my code. Two questions.
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "18.30.1"

  cluster_name    = var.cluster_name
  cluster_version = var.cluster_version

  create_kms_key                = true
  kms_key_description           = "KMS Secrets encryption for EKS Cluster"
  kms_key_enable_default_policy = true

  cluster_endpoint_private_access = true
  cluster_endpoint_public_access  = true

  vpc_id     = var.vpc_id
  subnet_ids = var.subnet_ids

  cluster_enabled_log_types = var.cluster_enabled_log_types

  manage_aws_auth_configmap = var.manage_aws_auth_configmap
  aws_auth_roles            = var.aws_auth_roles
  aws_auth_users            = var.aws_auth_users
  aws_auth_accounts         = var.aws_auth_accounts

  # Required for Karpenter role below
  enable_irsa = true

  create_cloudwatch_log_group            = var.create_cloudwatch_log_group
  cloudwatch_log_group_retention_in_days = var.cloudwatch_log_group_retention_in_days

  node_security_group_additional_rules = {
    ingress_nodes_karpenter_port = {
      description                   = "Cluster API to Node group for Karpenter webhook"
      protocol                      = "tcp"
      from_port                     = 8443
      to_port                       = 8443
      type                          = "ingress"
      source_cluster_security_group = true
    }
  }

  # Extend cluster security group rules
  cluster_security_group_additional_rules = {
    ingress_ec2_tcp = {
      description = "Access EKS from EC2 instance."
      protocol    = "tcp"
      from_port   = 443
      to_port     = 443
      type        = "ingress"
      # The peer of a cluster-SG rule is given with source_security_group_id.
      # `security_groups` is not an attribute of these rules and is ignored, and
      # `source_cluster_security_group` only applies to node_security_group_additional_rules
      # (the equivalent flag on the cluster SG is source_node_security_group).
      source_security_group_id = var.ec2_sg_id
    }
  }

  node_security_group_tags = {
    # NOTE - if creating multiple security groups with this module, only tag the
    # security group that Karpenter should utilize with the following tag
    # (i.e. - at most, only one security group should have this tag in your account)
    "karpenter.sh/discovery/${var.cluster_name}" = var.cluster_name
  }

  # Need two nodes to get Karpenter up and running.
  # This ensures core services such as VPC CNI, CoreDNS, etc. are up and running
  # so that Karpenter can be deployed and start managing compute capacity as required
  eks_managed_node_groups = {
    "${var.cluster_name}" = {
      capacity_type  = "ON_DEMAND"
      instance_types = ["m5.large"]

      # Not required nor used - avoid tagging two security groups with same tag as well
      create_security_group = false

      # Ensure enough capacity to run 2 Karpenter pods
      min_size     = 2
      max_size     = 3
      desired_size = 2

      # local.partition is defined outside this block (e.g. from data.aws_partition).
      # In module v18 this argument is a list of policy ARNs.
      iam_role_additional_policies = [
        "arn:${local.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore", # Required by Karpenter
        "arn:${local.partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy",
        "arn:${local.partition}:iam::aws:policy/AmazonEKS_CNI_Policy",
        "arn:${local.partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly", # for access to ECR images
        "arn:${local.partition}:iam::aws:policy/CloudWatchAgentServerPolicy"
      ]

      labels = {
        AL2Nodes = "monitor"
      }

      tags = {
        # This will tag the launch template created for use by Karpenter
        "karpenter.sh/discovery/${var.cluster_name}" = var.cluster_name
      }
    }
  }
}
You can add extra SGs with the option cluster_additional_security_group_ids = []
e.g. -> cluster_additional_security_group_ids = [aws_security_group.additional_sg_whatever.id]
Source: https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/docs.network_connectivity.md
This is how you can create your own SG:
# Placeholder variable for the CIDRs allowed in (assumed name; the answer left
# the values blank). Keep it as narrow as possible, e.g. the EC2 instance's subnet.
variable "allowed_cidr_blocks" {
  description = "CIDR blocks allowed to reach the cluster through this SG"
  type        = list(string)
}

resource "aws_security_group" "additional_sg_whatever" {
  name        = "additional_sg_whatever"
  description = "additional_sg_whatever"
  vpc_id      = var.vpc_id # same VPC as the cluster (var.vpc_id as in the question)

  ingress {
    description = "http access"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = var.allowed_cidr_blocks
  }

  ingress {
    description = "https access"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = var.allowed_cidr_blocks
  }

  egress {
    # Allow all outbound traffic (protocol "-1" means all protocols; ports must then be 0)
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "additional_sg_whatever"
  }
}
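An added, tighter version of the same approach (example code written for this page, not the questioner's or the answerer's, and not part of the terraform-aws-eks module). It assumes the question's `var.cluster_name`, `var.cluster_version`, `var.vpc_id`, `var.subnet_ids` and `var.ec2_sg_id`; the resource name `eks_api_from_ec2` and the variable `var.admin_public_cidrs` are chosen here. Instead of opening a CIDR range on 80 and 443, the extra SG carries a single rule, 443/tcp from the EC2 instance's security group, so the allow follows the instance when its IP changes and admits nothing else. Two caveats a practitioner should keep in mind: this SG only guards the private endpoint ENIs, so with `cluster_endpoint_public_access = true` the public endpoint stays reachable from anywhere until `cluster_endpoint_public_access_cidrs` is narrowed from its default of 0.0.0.0/0; and network reachability is not authorization, the instance's IAM role still has to be mapped in aws-auth before `kubectl` gets anything but 401.

```hcl
# Extra security group to attach to the EKS control-plane ENIs next to the
# module-managed cluster SG. No inline rules here: standalone rule resources
# avoid the inline/standalone rule conflict Terraform warns about.
resource "aws_security_group" "eks_api_from_ec2" {
  name_prefix = "${var.cluster_name}-api-from-ec2-"
  description = "Allow the admin EC2 instance to reach the EKS API endpoint"
  vpc_id      = var.vpc_id

  tags = {
    Name = "${var.cluster_name}-api-from-ec2"
  }

  lifecycle {
    create_before_destroy = true
  }
}

# The only peer allowed in is the EC2 instance's own SG (var.ec2_sg_id from the
# question), on 443/tcp. SGs are stateful, so no return-path rule is needed;
# the EC2 SG itself must permit egress to 443 (the usual allow-all egress does).
resource "aws_security_group_rule" "eks_api_ingress_from_ec2" {
  security_group_id        = aws_security_group.eks_api_from_ec2.id
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = 443
  to_port                  = 443
  source_security_group_id = var.ec2_sg_id
  description              = "EKS API from admin EC2 instance"
}

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "18.30.1"

  cluster_name    = var.cluster_name
  cluster_version = var.cluster_version
  vpc_id          = var.vpc_id
  subnet_ids      = var.subnet_ids

  # Attach the SG above to the control-plane ENIs alongside the module's cluster SG.
  cluster_additional_security_group_ids = [aws_security_group.eks_api_from_ec2.id]

  # The SG above governs only the private endpoint path. Either disable the
  # public endpoint or restrict it to known CIDRs (assumed variable below);
  # the module default is 0.0.0.0/0.
  cluster_endpoint_private_access      = true
  cluster_endpoint_public_access       = true
  cluster_endpoint_public_access_cidrs = var.admin_public_cidrs

  # ... remaining arguments (KMS, aws-auth, logging, node groups) as in the question
}

# Post-apply check: both IDs should appear in
# `aws eks describe-cluster --name <cluster> --query cluster.resourcesVpcConfig.securityGroupIds`.
output "cluster_security_group_ids" {
  description = "Module-managed cluster SG plus the additional SG attached to the control plane"
  value = [
    module.eks.cluster_security_group_id,
    aws_security_group.eks_api_from_ec2.id,
  ]
}
```

Referencing `var.ec2_sg_id` as `source_security_group_id` is what the question's `cluster_security_group_additional_rules` entry was trying to express; the standalone SG does the same thing but keeps the rule visible and reviewable on its own resource, and removing it later is a one-line change rather than an edit inside the module call.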
Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you reproduce them, cite this site or the original URL. For any questions contact yoyou2525@163.com.