chore: Update FAQ for security group tagging (#2695)
* Add aws_eks_addons.before_compute to the cluster_addons output

* update FAQ docs for custom networking

* Rephrasing

---------

Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
code-eg and bryantbiggs authored Aug 3, 2023
1 parent de14031 commit d4e6c15
Showing 1 changed file with 3 additions and 21 deletions.
24 changes: 3 additions & 21 deletions docs/faq.md
Expand Up @@ -24,34 +24,16 @@ By default, EKS creates a cluster primary security group that is created outside
attach_cluster_primary_security_group = true # default is false
```

2. If you want to use the cluster primary security group, you can disable the tag passed to the node security group by overriding the tag expected value like:

```hcl
attach_cluster_primary_security_group = true # default is false
node_security_group_tags = {
"kubernetes.io/cluster/<CLUSTER_NAME>" = null # or any other value other than "owned"
}
```

3. By overriding the tag expected value on the cluster primary security group like:

```hcl
attach_cluster_primary_security_group = true # default is false
cluster_tags = {
"kubernetes.io/cluster/<CLUSTER_NAME>" = null # or any other value other than "owned"
}
```

4. By not attaching the cluster primary security group. The cluster primary security group has quite broad access and the module has instead provided a security group with the minimum amount of access to launch an empty EKS cluster successfully and users are encouraged to open up access when necessary to support their workload.
2. By not attaching the cluster primary security group. The cluster primary security group has quite broad access and the module has instead provided a security group with the minimum amount of access to launch an empty EKS cluster successfully and users are encouraged to open up access when necessary to support their workload.

```hcl
attach_cluster_primary_security_group = false # this is the default for the module
```

In theory, if you are attaching the cluster primary security group, you shouldn't need to use the shared node security group created by the module. However, this is left up to users to decide for their requirements and use case.

If you choose to use [Custom Networking](https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html), make sure to only attach the security groups matching your choice above in your ENIConfig resources. This will ensure you avoid redundant tags.

### Why are nodes not being registered?

Nodes not being able to register with the EKS control plane is generally due to networking mis-configurations.
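Review bot: the new Custom Networking paragraph says attaching only the matching security groups in your ENIConfig resources "will ensure you avoid redundant tags", but tags are not set through an ENIConfig; what the reader needs to avoid, given the `"kubernetes.io/cluster/<CLUSTER_NAME>" = "owned"` tag discussed in the removed options 2 and 3, is having more than one attached security group carry that tag. Suggest rewording to something like: "make sure the security groups you list in your ENIConfig resources match your choice above, so that only one security group attached to the node ENIs carries the `kubernetes.io/cluster/<CLUSTER_NAME>` tag." Separately, dropping options 2 and 3 removes the only documented way to keep `attach_cluster_primary_security_group = true` while overriding the tag via `node_security_group_tags` or `cluster_tags`; readers who already use that pattern get no guidance here, so either keep a one-line pointer to the tag override or state that it is no longer needed and why. The renumbering to "2." is consistent since option 1 remains.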
