The securityGroup that can be passed when creating an aws_eks.Cluster is associated not with the node instances but with the control plane's ENI.
Cluster also has a defaultCapacity field, so I tried adding an SG through it, but nothing happened. When an EKS cluster is created with DefaultCapacityType NODEGROUP (the default), CDK creates a managed node group of defaultCapacity nodes, whose operations such as draining are handled by EKS. In fact, defaultCapacity only has a value when DefaultCapacityType is EC2.
In the NODEGROUP case you can refer to defaultNodegroup instead, but unlike defaultCapacity, which is an AutoScalingGroup, this is a Nodegroup and has no interface such as addSecurityGroup().
Despite the confusing name, clusterSecurityGroup is associated not only with the control plane but also with the ENIs of the nodes in managed node groups, so you can configure the nodes' SG by editing it.
cluster.clusterSecurityGroup.addIngressRule(ec2.Peer.ipv4("xxx.xxx.xxx.xxx/32"), ec2.Port.allTcp())
Alternatively, you can bring your own AutoScalingGroup instead of a managed node group and add an SG to it. Be careful when attaching an existing SG: if it already has rules that overlap with the ones added automatically, they will all be deleted together when the resource is deleted. For this reason it is better to create a new SG than to reuse an existing one.
const cluster = new eks.Cluster(this, 'Cluster', {
  ...
  defaultCapacity: 0, // no managed node group; capacity is added below as a self-managed ASG
})
// create a new SG instead of reusing an existing one (see the note above)
const securityGroup = new ec2.SecurityGroup(this, 'EKSClusterDefaultCapacitySecurityGroup', {
  vpc,
  allowAllOutbound: true,
})
// self-managed capacity returns an AutoScalingGroup, which does support addSecurityGroup()
const defaultCapacityAsg = cluster.addAutoScalingGroupCapacity('EKSClusterDefaultCapacity', {
  instanceType: new ec2.InstanceType('t3.small'),
  minCapacity: 2,
})
defaultCapacityAsg.addSecurityGroup(securityGroup)
However, with your own ASG you also have to pass bootstrap.sh parameters as needed, on top of handling drains yourself, so I think managed node groups are the better default. Note that tags are not propagated to the ASG, so the instances' Name is empty unless you specify a launchTemplate.
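As an added example (not code from the original post), a small check over the synthesized CloudFormation template that confirms where the ingress rule from the clusterSecurityGroup snippet landed, collects the inline rules of a custom SG like the one above, and flags any rule on the cluster SG that is open to the whole internet. The sample template and its logical IDs are constructed to approximate `cdk synth` output, not copied from a real stack.

```typescript
// Constructed check, not part of the original post: inspect a synthesized
// template for ingress rules that end up on the EKS cluster security group.
type Ingress = { groupId: string; cidr: string; fromPort?: number; toPort?: number; protocol: string };
interface CfnResource { Type: string; Properties?: Record<string, any> }
interface CfnTemplate { Resources: Record<string, CfnResource> }

// A GroupId may be a plain string, a Ref, or an Fn::GetAtt; normalise to "<LogicalId>.<Attr>".
function groupIdOf(prop: any): string {
  if (typeof prop === "string") return prop;
  if (prop && Array.isArray(prop["Fn::GetAtt"])) return prop["Fn::GetAtt"].join(".");
  if (prop && typeof prop.Ref === "string") return prop.Ref;
  return JSON.stringify(prop);
}

// Gather rules from standalone SecurityGroupIngress resources (what addIngressRule()
// on an imported SG such as clusterSecurityGroup emits) and from inline rules on SecurityGroup resources.
function collectIngress(t: CfnTemplate): Ingress[] {
  const out: Ingress[] = [];
  for (const [id, r] of Object.entries(t.Resources)) {
    const p = r.Properties ?? {};
    if (r.Type === "AWS::EC2::SecurityGroupIngress") {
      out.push({ groupId: groupIdOf(p.GroupId), cidr: p.CidrIp ?? p.CidrIpv6 ?? "", fromPort: p.FromPort, toPort: p.ToPort, protocol: p.IpProtocol });
    } else if (r.Type === "AWS::EC2::SecurityGroup") {
      for (const i of p.SecurityGroupIngress ?? []) {
        out.push({ groupId: id, cidr: i.CidrIp ?? i.CidrIpv6 ?? "", fromPort: i.FromPort, toPort: i.ToPort, protocol: i.IpProtocol });
      }
    }
  }
  return out;
}

// Rules attached to the cluster SG (GetAtt ...ClusterSecurityGroupId) whose source is any IPv4/IPv6 address.
function worldOpenClusterRules(t: CfnTemplate): Ingress[] {
  return collectIngress(t).filter(i =>
    i.groupId.endsWith(".ClusterSecurityGroupId") && (i.cidr === "0.0.0.0/0" || i.cidr === "::/0"));
}

// Constructed sample: one /32 rule (as in the post) and one world-open rule that should be flagged.
const sampleTemplate: CfnTemplate = {
  Resources: {
    ClusterABC: { Type: "Custom::AWSCDK-EKS-Cluster", Properties: {} },
    ClusterSgFromAdmin: { Type: "AWS::EC2::SecurityGroupIngress", Properties: {
      GroupId: { "Fn::GetAtt": ["ClusterABC", "ClusterSecurityGroupId"] },
      IpProtocol: "tcp", FromPort: 0, ToPort: 65535, CidrIp: "203.0.113.10/32" } },
    ClusterSgFromAnywhere: { Type: "AWS::EC2::SecurityGroupIngress", Properties: {
      GroupId: { "Fn::GetAtt": ["ClusterABC", "ClusterSecurityGroupId"] },
      IpProtocol: "tcp", FromPort: 0, ToPort: 65535, CidrIp: "0.0.0.0/0" } },
    NodeSg: { Type: "AWS::EC2::SecurityGroup", Properties: {
      SecurityGroupIngress: [{ IpProtocol: "tcp", FromPort: 22, ToPort: 22, CidrIp: "10.0.0.0/16" }] } },
  },
};
```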