π additionalControlPlaneIngressRules are ignored for AWSManagedControlPlaneΒ #5806
Description
It looks like additionalControlPlaneIngressRules do not work for AWSManagedControlPlane.
When this field is specified, the additional Security Group is created, but the ingress rules are not actually provisioned.
Steps to reproduce:
- Define
additionalControlPlaneIngressRulesinAWSManagedControlPlanewith sourceSecurityGroupRules:
protocol: tcp
fromPort: 10250
toPort: 10250
sourceSecurityGroupRoles:
- node-eks-additional
- Observe the results.
Security group created, but didn't provisioned.
From what I can see, processIngressRulesSGs() is not called for managed control plane flows:
As a result, even though the SG exists, it remains empty.
Additionally, I noticed that a dedicated role (node-eks-additional) is introduced and is bound directly to AdditionalControlPlaneIngressRules:
This seems confusing from a user perspective.
What I would expect as a user:
additionalControlPlaneIngressRules should allow configuring security group rules applied to the managed control plane entrypoint (as far as this is technically feasible for EKS).
AWSManagedControlPlane should include the default node SG role, and some alternative for controlplane sg role (similar to self-managed clusters):
This would make it possible to expose NodePorts (and similar traffic) on worker nodes, while additionalNodeIngressRules would control extensions on the node SG instead of being tied to a separate node-eks-additional SG.
for now additionalNodeIngressRules is always ignored, even if provided with AWSManagedControlPlaneSpec (because sg role node not handled by default.
Please let me know if I misunderstood the intended behavior, or if there is a recommended alternative approach for configuring SG rules in managed control plane scenarios.
I can prepare PR, but first want to discuss that.
/kind bug