terraform-aws-modules / terraform-aws-eks

Terraform module to create Amazon Elastic Kubernetes (EKS) resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/eks/aws
Apache License 2.0

Question regarding security group added default to EKS cluster via vpc_config #3021

Closed deasydoesit closed 6 months ago

deasydoesit commented 6 months ago

I'm hoping to better understand the rationale behind the security group created and applied to the EKS cluster via this module by default.

As shown below, by default, the create_cluster_security_group variable is set to true: https://github.com/terraform-aws-modules/terraform-aws-eks/blob/afadb14e44d1cdbd852dbae815be377c4034e82a/variables.tf#L269-L273

This causes a security group to be created: https://github.com/terraform-aws-modules/terraform-aws-eks/blob/afadb14e44d1cdbd852dbae815be377c4034e82a/main.tf#L257-L293

And ultimately provided to the vpc_config via the security_group_ids attribute as local.cluster_security_group_id: https://github.com/terraform-aws-modules/terraform-aws-eks/blob/afadb14e44d1cdbd852dbae815be377c4034e82a/main.tf#L46-L52

In the created EKS cluster, this security group is listed under Additional security groups.

However, by default, AWS EKS creates another security group listed under Cluster security group. Per AWS documentation:

Amazon EKS automatically associates this security group to the following resources that it also creates:

2–4 elastic network interfaces (referred to for the rest of this document as network interface) that are created when you create your cluster.

Network interfaces of the nodes in any managed node group that you create.

The default rules allow all traffic to flow freely between your cluster and nodes, and allows all outbound traffic to any destination.

While the documentation goes on to state "[w]hen you create a cluster, you can (optionally) specify your own security groups. If you do, then Amazon EKS also associates the security groups that you specify to the network interfaces that it creates for your cluster. However, it doesn't associate them to any node groups that you create," I'm having trouble understanding the purpose of the security group created and applied to the EKS cluster via this module by default.
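The distinction drawn in the comment above (the EKS-created "Cluster security group" versus the "Additional security groups" passed through vpc_config.security_group_ids) is visible directly in the DescribeCluster API response: `resourcesVpcConfig.clusterSecurityGroupId` is the group EKS creates itself, and `resourcesVpcConfig.securityGroupIds` holds the additional groups, which is where this module's group lands when `create_cluster_security_group = true`. The following script is an added example, not code from the module or from this issue. It classifies the two kinds of group from a constructed `aws eks describe-cluster` response and then checks each group's ingress rules from a constructed `aws ec2 describe-security-groups` response for unrestricted sources. All group IDs, names and rules in the samples are made up for illustration; the field names are those of the real API responses.

```python
"""Classify an EKS cluster's security groups and audit their ingress.

Added example, not part of terraform-aws-eks. Sample data below is constructed
to match the shape of `aws eks describe-cluster` and
`aws ec2 describe-security-groups` output; the IDs and rules are invented.
"""
import json
from ipaddress import ip_network

# Constructed sample: `aws eks describe-cluster --name demo` (IDs are made up).
SAMPLE_DESCRIBE_CLUSTER = json.dumps({
    "cluster": {
        "name": "demo",
        "resourcesVpcConfig": {
            "subnetIds": ["subnet-0aaa", "subnet-0bbb"],
            # additional groups, i.e. vpc_config.security_group_ids
            "securityGroupIds": ["sg-0module1111"],
            # the group EKS creates on its own
            "clusterSecurityGroupId": "sg-0eksauto2222",
            "vpcId": "vpc-0ccc",
            "endpointPublicAccess": True,
            "endpointPrivateAccess": False,
            "publicAccessCidrs": ["0.0.0.0/0"],
        },
    }
})

# Constructed sample: `aws ec2 describe-security-groups` for the two groups above.
SAMPLE_SECURITY_GROUPS = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0eksauto2222",
            "GroupName": "eks-cluster-sg-demo-1234",
            "IpPermissions": [
                # EKS default: all traffic from the group itself (cluster <-> nodes)
                {"IpProtocol": "-1", "IpRanges": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-0eksauto2222"}]},
            ],
            "IpPermissionsEgress": [
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "UserIdGroupPairs": []},
            ],
        },
        {
            "GroupId": "sg-0module1111",
            "GroupName": "demo-cluster",
            "IpPermissions": [
                # hypothetical operator rule: API endpoint from a private range
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
                # hypothetical misconfiguration: API endpoint open to the internet
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
            ],
            "IpPermissionsEgress": [],
        },
    ]
})


def classify_cluster_sgs(describe_cluster_json: str) -> dict:
    """Split the cluster's security groups into EKS-created vs additional.

    Per the EKS documentation quoted in the thread, only the EKS-created cluster
    security group is also attached to managed node group ENIs; additional groups
    are attached to the cluster's own ENIs only.
    """
    vpc_cfg = json.loads(describe_cluster_json)["cluster"]["resourcesVpcConfig"]
    cluster_sg = vpc_cfg.get("clusterSecurityGroupId")
    additional = [sg for sg in vpc_cfg.get("securityGroupIds", []) if sg != cluster_sg]
    return {
        "cluster_sg": cluster_sg,
        "additional_sgs": additional,
        "attached_to_managed_nodes": [cluster_sg] if cluster_sg else [],
    }


def world_open_ingress(describe_sgs_json: str, sg_ids) -> dict:
    """For each group id, list ingress rules whose source CIDR is unrestricted."""
    groups = {g["GroupId"]: g for g in json.loads(describe_sgs_json)["SecurityGroups"]}
    findings = {}
    for sg_id in sg_ids:
        open_rules = []
        for perm in groups.get(sg_id, {}).get("IpPermissions", []):
            for rng in perm.get("IpRanges", []):
                if ip_network(rng["CidrIp"]).prefixlen == 0:  # e.g. 0.0.0.0/0
                    open_rules.append((perm.get("IpProtocol"), perm.get("FromPort"),
                                       perm.get("ToPort"), rng["CidrIp"]))
        findings[sg_id] = open_rules
    return findings


if __name__ == "__main__":
    c = classify_cluster_sgs(SAMPLE_DESCRIBE_CLUSTER)
    print("EKS-created cluster SG:", c["cluster_sg"])
    print("additional SGs (vpc_config.security_group_ids):", c["additional_sgs"])
    print("also on managed node ENIs:", c["attached_to_managed_nodes"])
    print("world-open ingress:",
          world_open_ingress(SAMPLE_SECURITY_GROUPS, [c["cluster_sg"], *c["additional_sgs"]]))
```

On a real cluster, feed the script the output of `aws eks describe-cluster --name <name>` and `aws ec2 describe-security-groups --group-ids <ids>`; the point of separating the two categories is that a permissive rule on an additional group exposes only the control-plane ENIs, while a permissive rule on the EKS-created cluster group also reaches every managed node.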

bryantbiggs commented 6 months ago

https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/docs/network_connectivity.md#security-groups

deasydoesit commented 6 months ago

Thanks for the reference.

github-actions[bot] commented 5 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.