EC2 controller - no way of managing default security group in VPC #1896
Comments
Some more clues. I can't create a default security group from code directly. It won't work as the controller throws an error:

Also there is no direct way to adopt this SG. If I try to apply a manifest like:

```yaml
apiVersion: services.k8s.aws/v1alpha1
kind: AdoptedResource
metadata:
  name: adopt-my-existing-bucket
  namespace: infra-dev
spec:
  aws:
    nameOrID: default
  kubernetes:
    group: ec2.services.k8s.aws
    kind: SecurityGroup
    metadata:
      name: default
      namespace: infra-dev
```

the EC2 controller gives me in status:

But I can't retrieve the Group ID directly from the VPC description...

```yaml
status:
  ackResourceMetadata:
    ownerAccountID: '178394743802'
    region: eu-west-2
  cidrBlockAssociationSet:
  - associationID: vpc-cidr-assoc-0f97c3c42baf28acf
    cidrBlock: 10.10.0.0/16
    cidrBlockState:
      state: associated
  conditions:
  - lastTransitionTime: '2023-09-14T01:42:47Z'
    message: Resource synced successfully
    reason: ''
    status: 'True'
    type: ACK.ResourceSynced
  dhcpOptionsID: dopt-b0cbf6d8
  isDefault: false
  ownerID: '178394743802'
  state: available
  vpcID: vpc-0017152cc2d43a69a
```

and there is no security group ID, but it could be logical to add it there.
O.K. so I can retrieve the security group name from the Amazon Console and substitute it in the YAML:

```yaml
apiVersion: services.k8s.aws/v1alpha1
kind: AdoptedResource
metadata:
  name: default-security-group
  namespace: infra-dev
spec:
  aws:
    nameOrID: sg-0e87e0dd9f6d43f31
  kubernetes:
    group: ec2.services.k8s.aws
    kind: SecurityGroup
    metadata:
      name: default
      namespace: infra-dev
```

and then I am getting a cryptic error message like:

```yaml
status:
  conditions:
  - message: >-
      SecurityGroup.ec2.services.k8s.aws "default" is invalid: spec.name:
      Required value
    status: 'False'
    type: ACK.Adopted
```

and in the EC2 controller logs:

No idea what it means.
@gecube Can you try settings

Regarding the default security group created with the VPC, maybe we could consider deleting it right after a VPC creation. I wish there was a way to create a subnet-less VPC in https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVpc.html
@a-hilaly Hi! The same:

```yaml
spec:
  aws:
    nameOrID: sg-0e87e0dd9f6d43f31
  kubernetes:
    group: ec2.services.k8s.aws
    kind: SecurityGroup
    metadata:
      name: default-2
      namespace: infra-dev
status:
  conditions:
  - message: >-
      SecurityGroup.ec2.services.k8s.aws "default-2" is invalid: spec.name:
      Required value
    status: 'False'
    type: ACK.Adopted
```

logs:
Any update on this? We are facing the same issue. Thanks!

Issues go stale after 180d of inactivity.

/remove-lifecycle stale

Issues go stale after 180d of inactivity.

@gecube Good day! I think now you can request a deletion of the default security group rules with aws-controllers-k8s/ec2-controller#212

Issues go stale after 180d of inactivity.

/remove-lifecycle stale
Good day!

I am playing around with the EC2 controller and found that basic creation of a VPC with a manifest like

leads to the creation of a default security group.

Unfortunately, this security group has allow-all rules for inbound and outbound connections and fails the security check:

If I create additional security groups, they are created fine.

I'd like to have a nice and clean way of managing this "default" security group in terms of EC2 controller objects. Probably the adoption pattern won't be very good here, as an operator of ACK I want to create all relevant objects and configure them in one go. I am kindly asking for suggestions and options on how to achieve the desired state.
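The security check the issue body refers to (a VPC default security group that still carries rules after VPC creation, the state a-hilaly's comment proposes fixing by emptying it right after creation), written out as an added audit example that is not part of the issue or the ACK project. It assumes input in the shape of the EC2 DescribeSecurityGroups response and runs on constructed sample groups; the non-compliant one reuses the group and VPC IDs quoted in the thread, the compliant one uses placeholder IDs.

```python
"""Audit EC2 security groups for VPC default groups that still permit traffic.
Added example, not from the issue or the ACK project; input is shaped like the
EC2 DescribeSecurityGroups response (boto3 describe_security_groups output)."""
from typing import Iterable


def _rule_summary(perm: dict) -> str:
    """Render one IpPermissions entry as a compact string for a report."""
    proto = perm.get("IpProtocol", "?")
    proto = "all" if proto == "-1" else proto
    ports = f" {perm['FromPort']}-{perm['ToPort']}" if "FromPort" in perm else ""
    peers = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    peers += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    peers += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
    return f"{proto}{ports} from/to {','.join(peers) or 'nobody'}"


def audit_default_security_groups(groups: Iterable[dict]) -> list[dict]:
    """One finding per group named 'default' with any ingress or egress rule."""
    findings = []
    for sg in groups:
        if sg.get("GroupName") != "default":
            continue
        ingress = sg.get("IpPermissions", [])
        egress = sg.get("IpPermissionsEgress", [])
        if not ingress and not egress:
            continue  # already emptied: the state the issue is asking for
        findings.append({
            "vpc_id": sg.get("VpcId"),
            "group_id": sg["GroupId"],
            "ingress": [_rule_summary(p) for p in ingress],
            "egress": [_rule_summary(p) for p in egress],
        })
    return findings


# Constructed sample: the first group carries the rules AWS attaches to a new
# VPC's default group; the second (placeholder IDs) was emptied and must pass.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0e87e0dd9f6d43f31", "GroupName": "default",
     "VpcId": "vpc-0017152cc2d43a69a",
     "IpPermissions": [{"IpProtocol": "-1",
                        "UserIdGroupPairs": [{"GroupId": "sg-0e87e0dd9f6d43f31"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1",
                              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-PLACEHOLDER", "GroupName": "default", "VpcId": "vpc-PLACEHOLDER",
     "IpPermissions": [], "IpPermissionsEgress": []},
]

if __name__ == "__main__":
    for f in audit_default_security_groups(SAMPLE_GROUPS):
        print(f"{f['vpc_id']} {f['group_id']}: in={f['ingress']} out={f['egress']}")
```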