Attach cluster security group to Self-managed Nodes #24737

Zhenye-Na · 2023-03-22T01:10:18Z

Zhenye-Na
Mar 22, 2023

Tracking issue: #10884

In the above issue, I saw this code snippet that utilized CDK. I am wondering how does CDK generate CFN template (?) that attached the Cluster securityGroup to EKS Self-managed Nodes

const cluster = new eks.Cluster(...)
const selfManagedGroup = cluster.addAutoScalingGroupCapacity(...)

selfManagedGroup.addSecurityGroup(ec2.SecurityGroup.fromSecurityGroupId(this, 'SharedSecurityGroup', cluster.clusterSecurityGroupId))

I am wondering what rule does this SharedSecurityGroup contain ?

Also I am wondering from CDK point of view, how does CDK retrieve the clusterSecurityGroup in CFN and use its value ?

Answered by peterwoodworth

Mar 31, 2023

I am wondering what rule does this SharedSecurityGroup contain ?

This is being imported, so it could have any valid security group rule.

how does CDK retrieve the clusterSecurityGroup in CFN and use its value

The CDK isn't actually making any lookups - importing the security group is just a way to be able to pass data around. addSecurityGroup requires an ISecurityGroup, so either you need to create a new L2 SecurityGroup, or import one. When importing a SecurityGroup and passing it to addSecurityGroup, it will simply take the arn that it built based off the securityGroupId provided and specify it somewhere in the template. See more info here on importing resources, and let me know if …

View full answer

peterwoodworth · 2023-03-31T00:42:47Z

peterwoodworth
Mar 31, 2023

I am wondering what rule does this SharedSecurityGroup contain ?

This is being imported, so it could have any valid security group rule.

how does CDK retrieve the clusterSecurityGroup in CFN and use its value

The CDK isn't actually making any lookups - importing the security group is just a way to be able to pass data around. addSecurityGroup requires an ISecurityGroup, so either you need to create a new L2 SecurityGroup, or import one. When importing a SecurityGroup and passing it to addSecurityGroup, it will simply take the arn that it built based off the securityGroupId provided and specify it somewhere in the template. See more info here on importing resources, and let me know if you have any other questions

0 replies

pahud · 2023-04-05T03:08:16Z

pahud
Apr 5, 2023
Maintainer

selfManagedGroup.addSecurityGroup(ec2.SecurityGroup.fromSecurityGroupId(this, 'SharedSecurityGroup', cluster.clusterSecurityGroupId))

If you look at the eks.Cluster source code, when you create the cluster, you get the clusterSecurityGroupId which is an attribute of the cluster resource returned from CFN. And when you ec2.SecurityGroup.fromSecurityGroupId() you literally create a resource reference to that securityId for the addSecurityGroup() method.

1 reply

Zhenye-Na Apr 5, 2023
Author

wow, the return value of CFN is something I was never aware of. Thanks for this good pointer.

now it seems like we are able to create new SecurityGroupIngressRule directly attached to this clusterSecurityGroupId

2023-12-02T00:23:52Z

github-actions[bot]
bot Dec 2, 2023

Hello! Reopening this discussion to make it searchable.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Attach cluster security group to Self-managed Nodes #24737

Uh oh!

{{title}}

Uh oh!

Replies: 3 comments 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Attach cluster security group to Self-managed Nodes #24737

Uh oh!

Zhenye-Na Mar 22, 2023

Replies: 3 comments · 1 reply

Uh oh!

peterwoodworth Mar 31, 2023

Uh oh!

pahud Apr 5, 2023 Maintainer

Uh oh!

Zhenye-Na Apr 5, 2023 Author

Uh oh!

github-actions[bot] bot Dec 2, 2023

Zhenye-Na
Mar 22, 2023

Replies: 3 comments 1 reply

peterwoodworth
Mar 31, 2023

pahud
Apr 5, 2023
Maintainer

Zhenye-Na Apr 5, 2023
Author

github-actions[bot]
bot Dec 2, 2023