search

pulumi / pulumi-eks

A Pulumi component for easily creating and managing an Amazon EKS Cluster
https://www.pulumi.com/registry/packages/eks/
Apache License 2.0
171 stars 82 forks source link

ManagedNodeGroupOptions doesn't allow SecurityGroup configuration #371

Open nimakaviani opened 4 years ago

nimakaviani commented 4 years ago

Problem description

Looking at the code for creating managed node groups, it looks like the arguments for ManagedNodeGroupOptions are derived from NodeGroupArgs here which doesn't allow for configuring SecurityGroups on ManagedNodeGroups or on aws.eks.NodeGroup. is this intentional?

For managed NodeGroups I think it will be helpful to be able to define custom security groups.

Also the behavior seems to be different for eks.NodeGroups since through NodeGroupBaseOptions the security group on the respective nodes can be configured.

metral commented 4 years ago

For managed NodeGroups I think it will be helpful to be able to define custom security groups.

Thanks for opening the issue, Nima. EKS Managed Node Groups do not currently support setting security groups.

There is an issue tracking this for EKS in the AWS container roadmap: https://github.com/aws/containers-roadmap/issues/609.

Here is more details from AWS:

Also the behavior seems to be different for eks.NodeGroups since through NodeGroupBaseOptions the security group on the respective nodes can be configured.

eks.NodeGroup are self-managed nodegroups, which means that they are configured using a CloudFormation Stack with an autoscaling group -- lending themselves to more configuration options compared to an AWS Managed node group.

Here is more details on the differences between managed node groups and self-managed node groups:

nimakaviani commented 4 years ago

Thanks @metral for the reply. I was thrown off by sourceSecurityGroupIds for remote access. I will keep an eye on the open issue on aws that you pointed to.

tonymkhael commented 2 years ago

Hello @metral ,

The referenced dependency issue has been completed a while ago on EKS. Any chance to get this done? Or is there another workaround? (I need to attach custom SGs to nodes to allow private ECR endpoint image pulling..

better0332 commented 2 years ago

https://github.com/aws/containers-roadmap/issues/609 have done, can we support now?

TapTap21 commented 2 years ago

This is a blocking feature for a bunch of stuff. Will this be added?

milliondreams commented 2 years ago

This is a requirement for Karpenter as it requires to setup additional ingress roles. Is there any plan or workaround for this?

s-martinelli commented 1 year ago

Hi - Any updates about this feature?

bradyburke commented 1 year ago

@metral @lukehoban Any updates on this?

flostadler commented 5 months ago

You can set custom security groups via the launchTemplate parameter of the ManagedNodeGroup. This one allows you to set a custom launch template.

That being said, we already added a couple of parameters to modify the launch template (e.g. kubeletExtraArgs, bootstrapExtraArgs). I think adding one for security groups would be a good idea.