Is there any documentation for making bottlerocket work without the internet access to the instances security group ?

[soura49]

Discussed in https://github.com/bottlerocket-os/bottlerocket/discussions/3953

^{Originally posted by **soura49** May 13, 2024} * We are using Bottlerocket AMI for EKS-managed Node groups * Right Now, We have Egress for Internet open from Node Security Group * But when we Remove that it fails to join the cluster and load the kernel modules etc. * Is there a list of Internet Calls that Bottlerocket AMI does for starting up?

[larvacea]

The discussion in #3953 summarized:

• @jpculp responded with the list of endpoints that Bottlerocket requires: ECR, EKS, IMDS, and SSM.
• These were not sufficient to unblock @soura49, but adding an endpoint for STS was sufficient. STS is required for IAM roles for service accounts.

Thanks to @soura49 for the report: the answer is no, it's not documented, or at least not documented clearly enough, and we should fix that. Also thanks to @soura49 for so clearly identifying the STS issue, finding documentation, and reporting back once the problem was solved.