Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(eks): attach cluster security group to self-managed nodes #12042

Merged
merged 10 commits into from
Dec 15, 2020
Merged

feat(eks): attach cluster security group to self-managed nodes #12042

merged 10 commits into from
Dec 15, 2020

Conversation

iliapolo
Copy link
Contributor

@iliapolo iliapolo commented Dec 12, 2020
edited
Loading

Attaching the EKS managed cluster security group to self managed nodes to allow free traffic flow between managed and self-managed nodes.

Closes #10884

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@gitpod-io
Copy link

gitpod-io bot commented Dec 12, 2020
edited
Loading

@github-actions github-actions bot added the @aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service label Dec 12, 2020
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Dec 12, 2020
@mergify
Copy link
Contributor

mergify bot commented Dec 12, 2020

Title does not follow the guidelines of Conventional Commits. Please adjust title before merge.

@iliapolo iliapolo marked this pull request as ready for review December 12, 2020 20:20
@iliapolo iliapolo requested a review from eladb December 12, 2020 20:20
eladb
eladb reviewed Dec 14, 2020
View reviewed changes
packages/@aws-cdk/aws-eks/README.md Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-eks/README.md Outdated Show resolved Hide resolved
@mergify
Copy link
Contributor

mergify bot commented Dec 15, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 384d887
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Copy link
Contributor

mergify bot commented Dec 15, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 1078bea into master Dec 15, 2020
@mergify mergify bot deleted the epolon/self-managed-cluster-sg branch December 15, 2020 15:54
@iliapolo iliapolo mentioned this pull request Dec 30, 2020
Merged
mergify bot pushed a commit that referenced this pull request Dec 31, 2020
@iliapolo
fix(eks): Self managed nodes cannot be added to LoadBalancers created…
470a881 
… via the `LoadBalancer` service type (#12269)

Following this [PR](#12042), self managed nodes are now attached with the cluster security group. This causes the self managed nodes to have multiple security groups with the "owned" tag. This in turn causes load balancers to reject these instances since its unable to determine which security groups should be added with ingress rules to allow the load balancer to connect to the instances.

The fix is to exclude tagging the dedicated ASG security group with this tag, it is no longer necessary since the cluster security group has that tag by default. 

Fixes #12166

This breaksge is unfortunate, but I can't see a way out of it. And it does actually fix a bug.

BREAKING CHANGE: Existing self managed nodes may loose the ability to host additional services of type `LoadBalancer` . See #12269 (comment) for possible mitigations.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
flochaz pushed a commit to flochaz/aws-cdk that referenced this pull request Jan 5, 2021
@iliapolo @flochaz
feat(eks): attach cluster security group to self-managed nodes (aws#1…
e5a7c1a 
…2042)

Attaching the EKS managed cluster security group to self managed nodes to allow free traffic flow between managed and self-managed nodes.

Closes aws#10884

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
flochaz pushed a commit to flochaz/aws-cdk that referenced this pull request Jan 5, 2021
@iliapolo @flochaz
fix(eks): Self managed nodes cannot be added to LoadBalancers created…
4b7e863 
… via the `LoadBalancer` service type (aws#12269)

Following this [PR](aws#12042), self managed nodes are now attached with the cluster security group. This causes the self managed nodes to have multiple security groups with the "owned" tag. This in turn causes load balancers to reject these instances since its unable to determine which security groups should be added with ingress rules to allow the load balancer to connect to the instances.

The fix is to exclude tagging the dedicated ASG security group with this tag, it is no longer necessary since the cluster security group has that tag by default. 

Fixes aws#12166

This breaksge is unfortunate, but I can't see a way out of it. And it does actually fix a bug.

BREAKING CHANGE: Existing self managed nodes may loose the ability to host additional services of type `LoadBalancer` . See aws#12269 (comment) for possible mitigations.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eladb eladb eladb approved these changes

Assignees

@iliapolo iliapolo

Labels
@aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service contribution/core This is a PR that came from AWS.
Projects
None yet
Milestone
No milestone
3 participants
@iliapolo @aws-cdk-automation @eladb