Labels: area/nodegroup, kind/bug, priority/backlog (Not staffed at the moment. Help wanted.)
Description
What were you trying to accomplish?
- Correctly validates default AWS security egress rule for both IPv4 and IPv6.
- An option to allow using restricted cluster outbound rules for an EKS cluster that has to meet certain security policies/requirements.
Rule type | Protocol | Port | Destination
-- | -- | -- | --
Outbound | TCP | 443 | Cluster security group
Outbound | TCP | 10250 | Cluster security group
Outbound (DNS) | TCP and UDP | 53 | Cluster security group
What happened?
After eksctl version 0.157.0, the security group rule seems to be validated to have the default IPv4 egress rule with All Traffic and 0.0.0.0/0. Since a security group created with AWS defaults has IPv6 and IPv4 egress rules for ::/0 and 0.0.0.0/0, we experienced the following error:
```
❯ eksctl create nodegroup -f Nodegroup.yaml --dry-run
Error: vpc.securityGroup (sg-009c6a55c3937abcd) has egress rules that were not attached by eksctl; vpc.securityGroup should not contain any non-default external egress rules on a cluster not created by eksctl (rule ID: sgr-02524e9e33210abcd)
```

where the egress rules on sg-009c6a55c3937abcd (Outbound rules (2)) are:

Rule ID | IP version | Type | Protocol | Port range | Destination
-- | -- | -- | -- | -- | --
sgr-02524e9e33210abcd | IPv6 | All traffic | All | All | ::/0
sgr-043a6fe0e104aabcd | IPv4 | All traffic | All | All | 0.0.0.0/0
How to reproduce it?
Use a security group with the default AWS egress rules, as follows, in vpc.securityGroup to create a nodegroup.

sg-009c6a55c3937abcd - Outbound rules (2):

Rule ID | IP version | Type | Protocol | Port range | Destination
-- | -- | -- | -- | -- | --
sgr-02524e9e33210abcd | IPv6 | All traffic | All | All | ::/0
sgr-043a6fe0e104aabcd | IPv4 | All traffic | All | All | 0.0.0.0/0
Nodegroup.yaml

```yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: LAB-EKS-28
  region: ap-northeast-1
  version: "1.28"
vpc:
  id: "vpc-eaabcdef"
  cidr: "172.31.0.0/16"
  securityGroup: "sg-009c6a55c3937abcd" ## Additional SG
  subnets:
    public:
      public1:
        id: "subnet-12abcdef"
        az: ap-northeast-1c
      public2:
        id: "subnet-a7abcdef"
        az: ap-northeast-1a
    private:
      private1:
        id: "subnet-00b83dc8b30abcdef"
        az: ap-northeast-1c
      private2:
        id: "subnet-0dd2b34ddd1abcdef"
        az: ap-northeast-1a
managedNodeGroups:
  - name: TEST-28
    instanceType: c6a.large
    desiredCapacity: 2
    minSize: 0
    maxSize: 10
    securityGroups:
      withLocal: false
    ssh:
      allow: true
      publicKeyName: Testing
```
Logs
Anything else we need to know?
Versions
```
❯ eksctl version
0.161.0
```
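A minimal default-egress check in Go, added here as an example and not eksctl's own code: it treats both AWS default egress rules (all traffic to 0.0.0.0/0 and all traffic to ::/0) as default and only reports the rest, which is the behaviour the report above asks for. The rule struct is a constructed simplification of an EC2 security group rule, and the restricted rule and cluster security group IDs are placeholders.

```go
package main

import "fmt"

// EgressRule is a constructed, simplified model of an EC2 security group rule
// (not eksctl's or the AWS SDK's type). Like the EC2 API it keeps IPv4 and IPv6
// destinations in separate fields; a check that reads only the IPv4 field misses ::/0.
type EgressRule struct {
	ID              string
	Protocol        string // "-1" means all protocols
	FromPort        int    // -1 means all ports
	ToPort          int
	CidrIPv4        string // set for IPv4 CIDR destinations
	CidrIPv6        string // set for IPv6 CIDR destinations
	ReferencedGroup string // set when the destination is another security group
}

// IsDefaultEgress reports whether r is an AWS default egress rule: all traffic to 0.0.0.0/0 or to ::/0.
func IsDefaultEgress(r EgressRule) bool {
	allTraffic := r.Protocol == "-1" && r.FromPort == -1 && r.ToPort == -1
	if !allTraffic || r.ReferencedGroup != "" {
		return false
	}
	return r.CidrIPv4 == "0.0.0.0/0" || r.CidrIPv6 == "::/0"
}

// NonDefaultEgressRuleIDs returns the IDs a default-aware validator would still flag.
func NonDefaultEgressRuleIDs(rules []EgressRule) []string {
	var ids []string
	for _, r := range rules {
		if !IsDefaultEgress(r) {
			ids = append(ids, r.ID)
		}
	}
	return ids
}

// SampleRules: the two rules from the report plus a constructed restricted rule (HTTPS to a placeholder cluster SG).
func SampleRules() []EgressRule {
	return []EgressRule{
		{ID: "sgr-02524e9e33210abcd", Protocol: "-1", FromPort: -1, ToPort: -1, CidrIPv6: "::/0"},
		{ID: "sgr-043a6fe0e104aabcd", Protocol: "-1", FromPort: -1, ToPort: -1, CidrIPv4: "0.0.0.0/0"},
		{ID: "sgr-EXAMPLE-restricted", Protocol: "tcp", FromPort: 443, ToPort: 443, ReferencedGroup: "sg-EXAMPLE-cluster"},
	}
}

func main() {
	// With both defaults recognised, only the restricted placeholder rule is reported.
	fmt.Println("non-default egress rules:", NonDefaultEgressRuleIDs(SampleRules()))
}
```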