Support for security groups for pods #1021

Closed
1 of 4 tasks
stpierre opened this issue Sep 24, 2020 · 5 comments

Comments

@stpierre

I have issues

I'm submitting a...

  • bug report
  • feature request
  • support request - read the FAQ first!
  • kudos, thank you, warm fuzzy

What is the current behavior?

Security groups for pods must be provisioned separately from this module.

TBH I'm not even sure how to do this with Terraform, which is why this is a feature request and not a PR. The main sticking point is step 3:

kubectl set env daemonset aws-node -n kube-system ENABLE_POD_ENI=true

I.e., you have to modify the environment for an already-running DaemonSet that is not managed by Terraform, but is created automatically by AWS.

@max-rocket-internet
Contributor

This is way out of the scope of this module. You can read about why in #635 🙂

@stpierre
Author

Fair enough. Any thoughts about how this could be supported (i.e., in one of those smaller, composable modules discussed in #635)? Is local_exec (sadly) the way to go here?

@max-rocket-internet
Contributor

I don't think it's too complicated...

> Is local_exec (sadly) the way to go here?

I don't think local_exec is ever the way to go 😅

I think most people are using Helm to manage resources inside the cluster, so looking at the AWS docs, this is how I would do it:

  1. Do it in the aws-vpc-cni chart
  2. Do it in TF, attach the policy to module.cluster_iam_role_arn
  3. Do it in the aws-vpc-cni chart
  4. In your application chart (or elsewhere)
  5. In your application chart, add the SecurityGroupPolicy to the chart
  6. This is just installing the chart

@stpierre
Author

stpierre commented Oct 1, 2020

Thanks!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 24, 2022