search

terraform-aws-modules / terraform-aws-eks

Terraform module to create Amazon Elastic Kubernetes (EKS) resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/eks/aws
Apache License 2.0
4.47k stars 4.08k forks source link

Missing node to node security group #3121

Closed awakzdev closed 3 months ago

awakzdev commented 3 months ago

Is your request related to a new offering from AWS?

Is this functionality available in the AWS provider for Terraform? See CHANGELOG.md, too.

Is your request related to a problem? Please describe.

We encountered an issue when deploying the NGINX ingress controller across multiple node groups (infra and application). The application experienced slow load times and consistent 504 errors. This occurred because the default Terraform module for EKS lacked security group rules for node-to-node communication.

Describe the solution you'd like.

The Terraform module should include additional security group rules for node-to-node communication by default, ensuring that pods across different node groups can communicate effectively without manual configuration.

Describe alternatives you've considered.

Manually adding security group rules in the Terraform configuration resolved the issue, but having it as part of the default module would prevent similar issues for other users.

Additional context

The issue occurred specifically when deploying the NGINX ingress controller using an ingress of class nginx. The configuration fix involved adding the following rules:

node_security_group_additional_rules = {
  ingress_self_all = {
    description = "Node to node all ports/protocols"
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    type        = "ingress"
    self        = true
  }
  egress_all = {
    description      = "Node all egress"
    protocol         = "-1"
    from_port        = 0
    to_port          = 0
    type             = "egress"
    cidr_blocks      = ["0.0.0.0/0"]
  }
}

The fix for this issue was referenced in the following GitHub issue: kubernetes/ingress-nginx#9443. The discussion highlights the necessity of having proper security group rules for node-to-node communication in EKS clusters when using the NGINX ingress controller across different node groups.

github-actions[bot] commented 2 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.