Addition of existing Security groups to EKS cluster

[Murali-Cloudbridge]

We have modified the stacks according to our requirements to launch worker nodes in private subnets and include boot nodes. Now, we are facing issues in the boot node accessing the EKS cluster API endpoint. We have fixed this by manually adding the security group to EKS by allowing the entire VPC CIDR or allowing the IP of the boot node alone. We need to add this security group within eksctl commands, as shown below.

We tried adding below values

clusterSecurityGroup="sg-1234567". but failed with the ssm association. attachIDs: ['sg-05c1f719382ab9279', 'sg-03305b8b8df813ede']

Resources: BootNodeProfile: Type: AWS::IAM::InstanceProfile Properties: Roles:

• !Ref RoleName Path: / BootNode: Type: AWS::EC2::Instance Metadata: AWS::CloudFormation::Init: configSets: Required:
• StackPropertiesFile StackPropertiesFile: commands: 01_create_opt_ibm: command: mkdir -p /opt/ibm test: test ! -d /opt/ibm files: /opt/ibm/cluster.yaml: mode: '000755' owner: root group: root content: !Sub
• | apiVersion: eksctl.io/v1alpha5 kind: ClusterConfig metadata: name: ${ClusterName} region: ${AWS::Region} vpc: subnets: private: ${AZ1}: { id: ${PrivateSubnet1ID} } ${AZ2}: { id: ${PrivateSubnet2ID} } ${AZ3}: { id: ${PrivateSubnet3ID} } clusterEndpoints: publicAccess: true privateAccess: true managedNodeGroups:
• name: ng-1-workers instanceType: m5.large desiredCapacity: 3 privateNetworking: true
• AZ1: !Ref AvailabilityZone1 AZ2: !Ref AvailabilityZone2 AZ3: !Ref AvailabilityZone3 PrivateSubnet1ID: !Ref PrivateSubnet1ID PrivateSubnet2ID: !Ref PrivateSubnet2ID PrivateSubnet3ID: !Ref PrivateSubnet3ID ClusterName: !Ref EKSClusterName

Thanks, Murali

[Murali-Cloudbridge]

Hi Team,

We tried by adding as shown below, but it still failed.

existing config.yaml

apiVersion: eksctl.io/v1alpha5 kind: ClusterConfig metadata: name: ekspvt-nlb-mq-clu-r9 region: eu-west-2 vpc: subnets: private: eu-west-2a: { id: subnet-0aa46e504e1a7aebc } eu-west-2b: { id: subnet-0a4916537d048318b } eu-west-2c: { id: subnet-02009dcfd8edc779c } clusterEndpoints: publicAccess: true privateAccess: true managedNodeGroups:

• name: ng-1-workers instanceType: m5.large desiredCapacity: 3 privateNetworking: true

new config.yaml with new security group changes

apiVersion: eksctl.io/v1alpha5 kind: ClusterConfig metadata: name: ekspvt-nlb-mq-clu-r9 region: eu-west-2 vpc: subnets: private: eu-west-2a: { id: subnet-0aa46e504e1a7aebc } eu-west-2b: { id: subnet-0a4916537d048318b } eu-west-2c: { id: subnet-02009dcfd8edc779c } clusterEndpoints: publicAccess: true privateAccess: true managedNodeGroups:

• name: ng-1-workers instanceType: m5.large desiredCapacity: 3 privateNetworking: true securityGroups:
  • public: inboundRules:
    • type: All traffic protocol: All portRange: All source: 192.168.0.0/16 description: All trafic from VPC

We also followed the below link, but we need help.

https://github.com/eksctl-io/eksctl/issues/735

Thanks, Murali