Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(eks): KubectlProvider creates un-necessary security group for the provider function #12952

Closed
pkwarren opened this issue Feb 9, 2021 · 4 comments · Fixed by #13178
Closed

(eks): KubectlProvider creates un-necessary security group for the provider function #12952

pkwarren opened this issue Feb 9, 2021 · 4 comments · Fixed by #13178
Assignees
@iliapolo
Labels
@aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service bug This issue is a bug. effort/small Small work item – less than a day of effort p1

Comments

@pkwarren
Copy link

pkwarren commented Feb 9, 2021

The fix for #10200 updated the custom-resources provider to pass along the vpc and vpcSubnets ProviderProps. It however isn't passing down any configured security groups, which causes a new security group to be created for the lambdas.

It would help to reduce unnecessary security groups created by CDK if we could configure the security group for these lambdas or re-use cluster.kubectlSecurityGroup (if set).

Reference:

aws-cdk/packages/@aws-cdk/aws-eks/lib/kubectl-provider.ts

Lines 107 to 108 in e21a1d9

vpc: cluster.kubectlPrivateSubnets ? cluster.vpc : undefined,
vpcSubnets: cluster.kubectlPrivateSubnets ? { subnets: cluster.kubectlPrivateSubnets } : undefined,

aws-cdk/packages/@aws-cdk/aws-lambda/lib/function.ts

Lines 862 to 867 in e21a1d9

const securityGroup = props.securityGroup || new ec2.SecurityGroup(this, 'SecurityGroup', {
vpc: props.vpc,
description: 'Automatic security group for Lambda Function ' + Names.uniqueId(this),
allowAllOutbound: props.allowAllOutbound,
});
securityGroups = [securityGroup];

Reproduction Steps

Import a k8s cluster with fromClusterAttributes (with a configured vpc) and call addServiceAccount. In the nested stack, you'll see a security group created for the custom-resources lambdas:

{
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Automatic security group for Lambda Function ...",
        "SecurityGroupEgress": [
          {
            "CidrIp": "0.0.0.0/0",
            "Description": "Allow all outbound traffic by default",
            "IpProtocol": "-1"
          }
        ]
    }
}

What did you expect to happen?

The custom-resources lambdas to be configured using the same security group as specified by cluster.kubectlSecurityGroup.

What actually happened?

A new security group is created for each CDK stack which creates a k8s service account.

Environment

  • CDK CLI Version : 1.87.1
  • Framework Version: 1.87.1
  • Node.js Version: 14.15.4
  • OS : Linux/Mac
  • Language (Version): all

This is 🐛 Bug Report
@pkwarren pkwarren added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Feb 9, 2021
@github-actions github-actions bot added the @aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service label Feb 9, 2021
@iliapolo
Copy link
Contributor

@pkwarren You mention in the title this happens when upgrading from 1.77.0 - But this has always been the behavior.

I'll classify this as a feature request, but feel free to let me know if you think i'm missing something.

@iliapolo iliapolo changed the title (eks): Updating from 1.77.0 to 1.87.1 creates custom-resources lambdas in a new security group (eks): reuse cluster.kubectlSecurityGroup group in the KubectlProvider functions Feb 11, 2021
@iliapolo iliapolo added effort/small Small work item – less than a day of effort p2 and removed needs-triage This issue or PR still needs to be triaged. labels Feb 11, 2021
@pkwarren
Copy link
Author

When I look through the history the behavior changed starting in 1.80.0 of aws-cdk. We encountered the issue when updating from 1.77.0 to 1.87.1 and have since rolled back (we prohibit creation of new security groups by the CDK pipeline).

@iliapolo
Copy link
Contributor

@pkwarren You're right, the lambda function now creates the security group only because a VPC is passed to it. Which was changed in the PR you referenced.

Thanks for reporting this 👍

@iliapolo iliapolo added p1 and removed p2 labels Feb 14, 2021
@iliapolo iliapolo changed the title (eks): reuse cluster.kubectlSecurityGroup group in the KubectlProvider functions (eks): KubectlProvider creates un-necessary security group for the provider function Feb 21, 2021
@iliapolo iliapolo mentioned this issue Feb 21, 2021
Merged
@iliapolo iliapolo added the in-progress This issue is being actively worked on. label Feb 21, 2021
@mergify mergify bot closed this as completed in #13178 Feb 21, 2021
mergify bot pushed a commit that referenced this issue Feb 21, 2021
@iliapolo
fix(eks): KubectlProvider creates un-necessary security group (#13178)
c5e8b6d 
Following #10200, our `KubectlProvider` functions are now provisioned inside a VPC when applicable. A somewhat unintended side effect is that the provider framework will **create** and use a dedicated security group for its functions. 

This can violate organizational policies that don't allow CDK to create security groups. We can easily avoid this by simply reusing the `kubectlSecurityGroup`, which must be defined in this case, and passing it to the provider. 

Fixes #12952

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@iliapolo iliapolo removed the in-progress This issue is being actively worked on. label Feb 21, 2021
eladb pushed a commit that referenced this issue Feb 22, 2021
@iliapolo
fix(eks): KubectlProvider creates un-necessary security group (#13178)
d14b479 
Following #10200, our `KubectlProvider` functions are now provisioned inside a VPC when applicable. A somewhat unintended side effect is that the provider framework will **create** and use a dedicated security group for its functions. 

This can violate organizational policies that don't allow CDK to create security groups. We can easily avoid this by simply reusing the `kubectlSecurityGroup`, which must be defined in this case, and passing it to the provider. 

Fixes #12952

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@iliapolo iliapolo

Labels
@aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service bug This issue is a bug. effort/small Small work item – less than a day of effort p1
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(eks): KubectlProvider creates un-necessary security group aws/aws-cdk
2 participants
@pkwarren @iliapolo