Closed
Description
What were you trying to accomplish?
Don't remove the default "allow all" outbound rule of the control plane security group.
What happened?
When I use eksctl to create a self-managed node group, it will add two SecurityGroupEgress rules to the control plane security group, and in the meantime remove the “allow all” outbound rule. If my EKS cluster was not created by eksctl and has only one security group, this will become an issue.
How to reproduce it?
- Create an EKS cluster from AWS console or AWS CLI without providing a security group;
- Create a self-managed node group by eksctl;
Logs
The CloudFormation template of the self-managed node group will update the SecurityGroupEgress of the control plane security group.

```json
"Resources": {
  "EgressInterCluster": {
    "Type": "AWS::EC2::SecurityGroupEgress",
    "Properties": {
      "Description": "Allow control plane to communicate with worker nodes in group umng (kubelet and workload TCP ports)",
      "DestinationSecurityGroupId": {
        "Ref": "SG"
      },
      "FromPort": 1025,
      "GroupId": "sg-xxxxxxxxxxxxxxxx",
      "IpProtocol": "tcp",
      "ToPort": 65535
    }
  },
  "EgressInterClusterAPI": {
    "Type": "AWS::EC2::SecurityGroupEgress",
    "Properties": {
      "Description": "Allow control plane to communicate with worker nodes in group umng (workloads using HTTPS port, commonly used with extension API servers)",
      "DestinationSecurityGroupId": {
        "Ref": "SG"
      },
      "FromPort": 443,
      "GroupId": "sg-xxxxxxxxxxxxxxxx",
      "IpProtocol": "tcp",
      "ToPort": 443
    }
  },
```
But it turns out that it will remove the default "allow all" outbound rule when updating the security group.
```json
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAZDBM2GWNROF7KU5BW:i-0053c1026xxxxxxxx",
    "arn": "arn:aws:sts::xxxxxxxx:assumed-role/AdminAccessForEC2/i-0053c1026xxxxxxxx",
    "accountId": "xxxxxxxx",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAZDBM2GWNRxxxxxxxx",
        "arn": "arn:aws:iam::xxxxxxxx:role/AdminAccessForEC2",
        "accountId": "xxxxxxxx",
        "userName": "AdminAccessForEC2"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2023-03-23T10:26:50Z",
        "mfaAuthenticated": "false"
      },
      "ec2RoleDelivery": "2.0"
    },
    "invokedBy": "cloudformation.amazonaws.com"
  },
  "eventTime": "2023-03-23T11:12:50Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "RevokeSecurityGroupEgress",
  "awsRegion": "ap-northeast-1",
  "sourceIPAddress": "cloudformation.amazonaws.com",
  "userAgent": "cloudformation.amazonaws.com",
  "requestParameters": {
    "groupId": "sg-0dce1a0c7xxxxxxxx",
    "ipPermissions": {
      "items": [
        {
          "ipProtocol": "-1",
          "groups": {},
          "ipRanges": {
            "items": [
              {
                "cidrIp": "0.0.0.0/0"
              }
            ]
          },
          "ipv6Ranges": {},
          "prefixListIds": {}
        }
      ]
    }
  },
  "responseElements": {
    "requestId": "32fb32c7-2843-42d1-954e-b3b8b0df3846",
    "_return": true
  },
  "requestID": "32fb32c7-2843-42d1-954e-b3b8b0df3846",
  "eventID": "2493d4ec-9b04-4a6c-96ad-b9c0caf955f5",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "xxxxxxxx",
  "eventCategory": "Management"
}
```
Anything else we need to know?
Versions
```console
$ eksctl info
eksctl version: 0.133.0
kubectl version: v1.24.0
OS: linux
```
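Added example, not part of the issue or of eksctl: a detection over a CloudTrail event shaped like the `RevokeSecurityGroupEgress` record above, paired with a posture check on a `describe_security_groups()`-style record, so the loss of the control plane's default "allow all" egress can be caught and confirmed. The event and the two security group records are constructed sample inputs; the group id reuses the redacted value from the report.

```python
import ipaddress
# Constructed CloudTrail event, condensed from the one quoted in the issue.
SAMPLE_EVENT = {
    "eventName": "RevokeSecurityGroupEgress",
    "requestParameters": {
        "groupId": "sg-0dce1a0c7xxxxxxxx",
        "ipPermissions": {"items": [{
            "ipProtocol": "-1", "groups": {},
            "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
            "ipv6Ranges": {}, "prefixListIds": {}}]},
    },
}
# Constructed describe_security_groups() records for the same control plane SG:
# the EKS default (allow-all egress) and the state after the eksctl stack ran.
SG_DEFAULT = {"GroupId": "sg-0dce1a0c7xxxxxxxx", "IpPermissionsEgress": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
SG_AFTER = {"GroupId": "sg-0dce1a0c7xxxxxxxx", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [], "Ipv6Ranges": []}]}

def _any_destination(cidrs):
    """True if any CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs if c)

def revokes_allow_all_egress(event):
    """Detection: does this CloudTrail event remove an all-protocol, any-destination egress rule?"""
    if event.get("eventName") != "RevokeSecurityGroupEgress":
        return False
    perms = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        # The default rule is all protocols (-1) to anywhere; narrower revocations are not it.
        if perm.get("ipProtocol") == "-1" and _any_destination(cidrs):
            return True
    return False

def has_allow_all_egress(sg):
    """Posture check: does a describe_security_groups() record still carry the default egress?"""
    for perm in sg.get("IpPermissionsEgress", []):
        cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        if perm.get("IpProtocol") == "-1" and _any_destination(cidrs):
            return True
    return False

def control_plane_egress_gaps(events, security_groups):
    """Group ids whose allow-all egress was revoked in CloudTrail and has not been restored."""
    revoked = {e["requestParameters"]["groupId"] for e in events if revokes_allow_all_egress(e)}
    intact = {sg["GroupId"] for sg in security_groups if has_allow_all_egress(sg)}
    return revoked - intact
```

Feeding real CloudTrail events and the live `describe_security_groups()` output into `control_plane_egress_gaps` lists the cluster security groups that still need their outbound rule restored after a node group stack has run.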