Open faldanarh opened 5 months ago
I agree that we should not use the worker security group and should instead use a different security group. I don't know that I agree that you should use the default SG though, I'd like to create a purpose-built SG for this to ensure only the permissions that are necessary are applied. A PR for this would be welcome.
In the documentation Enabling the AWS EFS CSI Driver Operator on ROSA, it uses the SG from the worker nodes to set up the inbound rule for the EFS mount target:
The correct approach would be to use the default SG created on the VPC, which has no other rules and is ready to be used. By default, when creating the EFS filesystem, it selects the default SG from the VPC; we only need to change it later to add the NFS rule.
Here, at "Via the AWS CLI", step 3, I changed the approach, and here I mention having the EFSID at hand for later to retrieve the MOUNTTARGET and SG:
The official documentation does not mention the SG when creating the EFS filesystem, just to copy the SG ID to be used later.