[aws-eks] The control plane security group of the cluster should be accessible outside the EKS cluster construct
Use Case
I am using custom networking with EKS. For this, I have to allow access from the pod security group to the control plane security group. Because I have to apply some manifests and patches too, I have to pass the EKS cluster to my CustomNetworking construct. Because I cannot access the security group of the control plane via the cluster construct, I have to create a new security group for the control plane (the same way the cluster construct would create it) and pass it to my CustomNetworking construct too.
Both steps, passing it separately and creating the security group, are unnecessary.
In addition: it is not possible to change the control plane security group after you created the cluster. So you have to recreate it to use your own security group, only because I want to add an ingress to the control plane security group.
Proposed Solution
Change the following code

```ts
// Current behaviour: the control plane security group is only a local variable
// inside the cluster construct and is never exposed to callers.
const securityGroup = props.securityGroup || new ec2.SecurityGroup(this, 'ControlPlaneSecurityGroup', {
  vpc: this.vpc,
  description: 'EKS Control Plane Security Group',
});
```

to

```ts
// Declared on the base class so every cluster (imported or created) exposes it.
public abstract readonly controllPlaneSecurityGroup?: ec2.ISecurityGroup;
...
// Store the provided or auto-created security group on the construct so other
// constructs (e.g. CustomNetworking) can add ingress rules to it.
this.controllPlaneSecurityGroup = props.securityGroup || new ec2.SecurityGroup(this, 'ControlPlaneSecurityGroup', {
  vpc: this.vpc,
  description: 'EKS Control Plane Security Group',
});
...
resourcesVpcConfig: {
  securityGroupIds: [this.controllPlaneSecurityGroup.securityGroupId],
  subnetIds,
},
```

I think there are no more references.
Other
I don’t think this will cause any problems, and I think I would be able to implement this.
- 👋 I may be able to implement this feature request
- ⚠️ This feature might incur a breaking change
This is a 🚀 Feature Request
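A check that follows from the use case above, written here as an added example (not code from the issue or from aws-cdk): once the control plane security group is exposed and the pod security group is granted ingress, audit that the control plane security group accepts only TCP/443 from the expected in-VPC security groups. The sample input is constructed in the shape of `aws ec2 describe-security-groups` output, the security group IDs are placeholders, and the "only 443 from known security groups" policy is an assumption of this example.

```python
from typing import Dict, List

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group IDs are placeholders. The control plane SG here has the expected rule
# (pod SG on TCP/443), an overly broad CIDR rule, and an all-protocol rule.
SAMPLE_DESCRIBE_SGS: Dict = {
    "SecurityGroups": [{
        "GroupId": "sg-0controlplane00000",
        "Description": "EKS Control Plane Security Group",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0podsg00000000000"}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
            {"IpProtocol": "-1", "IpRanges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0nodesg0000000000"}]},
        ],
    }],
}


def audit_control_plane_ingress(describe_output: Dict, control_plane_sg: str,
                                allowed_source_sgs: List[str]) -> List[str]:
    """Return one finding per ingress rule on control_plane_sg that is not
    'TCP/443 from a security group listed in allowed_source_sgs'.

    Policy assumed by this example: the cluster endpoint should be reached only
    from in-VPC security groups (pods, nodes), never from CIDR ranges, and only
    on TCP/443.
    """
    findings: List[str] = []
    for sg in describe_output["SecurityGroups"]:
        if sg["GroupId"] != control_plane_sg:
            continue
        for perm in sg["IpPermissions"]:
            proto = perm.get("IpProtocol")
            is_https_only = (proto == "tcp" and perm.get("FromPort") == 443
                             and perm.get("ToPort") == 443)
            # CIDR sources (IPv4 or IPv6) are always findings under this policy.
            for rng in perm.get("IpRanges", []):
                findings.append(f"CIDR source {rng['CidrIp']} on proto {proto}")
            for rng in perm.get("Ipv6Ranges", []):
                findings.append(f"CIDR source {rng['CidrIpv6']} on proto {proto}")
            for pair in perm.get("UserIdGroupPairs", []):
                src = pair["GroupId"]
                if src not in allowed_source_sgs:
                    findings.append(f"unexpected SG source {src} on proto {proto}")
                elif not is_https_only:
                    findings.append(f"{src} allowed beyond TCP/443 (proto {proto})")
    return findings
```

On a real account, replace `SAMPLE_DESCRIBE_SGS` with the parsed output of `aws ec2 describe-security-groups --group-ids <control plane SG id>`.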
Issue Analytics
- Created 3 years ago
- Reactions: 1
- Comments: 7 (6 by maintainers)
Top GitHub Comments
@markus7811 The `controlPlaneSecurityGroups` property will definitely be optional. Since we don’t want to introduce breaking changes, we will deprecate `securityGroup` and likely validate that only one of `controlPlaneSecurityGroups` or `securityGroup` is used. For the same reason, I’m also leaning towards keeping the auto-creation in case none is specified. We will be finalizing this soon.
This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.