Merge pull request #10545 from zalando-incubator/support-legacy-efs

allow EKS worker to connect to legacy EFS

Author: linki

cluster/cluster.yaml

@@ -1099,6 +1099,16 @@ Resources:
       SourceSecurityGroupId: !Ref WorkerSecurityGroup
       ToPort: 2049
     Type: 'AWS::EC2::SecurityGroupIngress'
+{{- if eq .Cluster.ConfigItems.efs_allow_vpc_connection "true" }}
+  EFSSecurityGroupIngressFromVPCCIDR:
+    Properties:
+      FromPort: 2049
+      GroupId: !Ref EFSWorkerSecurityGroup
+      IpProtocol: tcp
+      CidrIp: "{{.Values.vpc_ipv4_cidr}}"
+      ToPort: 2049
+    Type: 'AWS::EC2::SecurityGroupIngress'
+{{- end }}
   EFSWorkerSecurityGroup:
     Properties:
       GroupDescription: worker to EFS sg

cluster/config-defaults.yaml

@@ -1339,6 +1339,9 @@ wiz_node_feature_rollout : "false"
 # Enable runtime sensor response capabilities such as KILL
 wiz_enable_runtime_sensor_response_capabilities: "false"
 
+# Configure legacy EFS connectivity from the entire VPC. This allows EKS clusters to connect to the legacy EFS file system.
+efs_allow_vpc_connection: "false"
+
 # EKS specific configuration
 eks_control_plane_logging: "true"
 eks_ip_family: "ipv4"