Security Group behaviour in Rancher-provisioned EKS clusters
Article Number: 000021299
Environment
- Rancher v2.6.7+
- Rancher-provisioned EKS clusters with user-specified AWS Security Group configuration
Situation
- Provision an EKS cluster from Rancher, adding user-specified AWS Security Groups to the cluster configuration
Resolution
The following rules apply to the AWS Security Group configuration when an EKS cluster is provisioned from Rancher.
1. If a user-specified Security Group is not set in the EKS cluster configuration within Rancher:
- The default Security Group is applied at the cluster level
- The default Security Group is applied to nodes in nodegroups without a Launch Template containing a Security Group configuration
- On any nodes in nodegroups with a Launch Template containing a Security Group configuration, the default Security Group is replaced by the Security Group configuration from the Launch Template
2. If a user-specified Security Group is set in the EKS cluster configuration within Rancher:
- The default Security Group and the user-specified Security Group are applied at the cluster level
- The default Security Group is applied to nodes in nodegroups without a Launch Template containing a Security Group configuration
- On any nodes in nodegroups with a Launch Template containing a Security Group configuration, the default Security Group is replaced by the Security Group configuration from the Launch Template
Because of a bug in Rancher v2.6.4 to v2.6.6, if any user-specified Security Groups were applied to the cluster, only those user-specified groups were applied to nodes in nodegroups without a Launch Template containing a Security Group configuration, so those nodes did not receive the default Security Group. This could break communication between the nodes and the cluster control plane, as detailed in https://github.com/rancher/rancher/issues/38014. Any user on an affected version should upgrade to a later Rancher release.
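The rules above, and the v2.6.4 - v2.6.6 symptom, can be turned into a small audit that computes which Security Groups each nodegroup's nodes should carry and flags nodes that differ. The following is an added example written for this article, not Rancher's own code: the data model (default cluster Security Group, user-specified Security Groups, per-nodegroup Launch Template Security Groups) and all Security Group and instance IDs are constructed placeholders, and mapping them onto real AWS API output (for example from `aws eks describe-cluster` and `aws ec2 describe-instances`) is left to the reader.

```python
"""Audit worker-node Security Groups against the Rancher EKS rules.

Added example, not Rancher code. Every ID below is a constructed placeholder.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class NodeGroup:
    name: str
    # Security Groups set in the nodegroup's Launch Template. None means the
    # nodegroup has no Launch Template, or one without Security Group config.
    launch_template_sgs: Optional[List[str]] = None


@dataclass
class ClusterConfig:
    default_sg: str  # the default Security Group created for the cluster
    user_sgs: List[str] = field(default_factory=list)  # set in Rancher, may be empty
    nodegroups: List[NodeGroup] = field(default_factory=list)


def expected_cluster_sgs(cfg: ClusterConfig) -> Set[str]:
    """Cluster level: the default SG, plus any user-specified SGs (rules 1 and 2)."""
    return {cfg.default_sg, *cfg.user_sgs}


def expected_node_sgs(cfg: ClusterConfig, ng: NodeGroup) -> Set[str]:
    """Node level: a Launch Template with SG config replaces the default SG;
    otherwise nodes get the default SG only. User-specified SGs are never
    applied to nodes directly under either rule."""
    if ng.launch_template_sgs:
        return set(ng.launch_template_sgs)
    return {cfg.default_sg}


def audit_nodes(
    cfg: ClusterConfig, observed: Dict[str, Dict[str, Set[str]]]
) -> List[Tuple[str, str, List[str], List[str]]]:
    """observed maps nodegroup name -> {instance id -> SGs seen on the instance}.

    Returns one (nodegroup, instance, missing, unexpected) tuple per node whose
    Security Groups differ from what the rules predict. A missing default SG on
    a node without Launch Template SGs is the pattern from the v2.6.4 - v2.6.6 bug.
    """
    findings = []
    by_name = {ng.name: ng for ng in cfg.nodegroups}
    for ng_name, instances in observed.items():
        want = expected_node_sgs(cfg, by_name[ng_name])
        for instance_id, have in instances.items():
            missing = sorted(want - have)
            unexpected = sorted(have - want)
            if missing or unexpected:
                findings.append((ng_name, instance_id, missing, unexpected))
    return findings


# Constructed sample: one nodegroup without Launch Template SG config and one with.
SAMPLE_CONFIG = ClusterConfig(
    default_sg="sg-cluster-default-EXAMPLE",
    user_sgs=["sg-user-extra-EXAMPLE"],
    nodegroups=[
        NodeGroup("ng-plain"),
        NodeGroup("ng-lt", launch_template_sgs=["sg-launch-template-EXAMPLE"]),
    ],
)

# Constructed observation: i-ok is healthy, i-bug shows the v2.6.4 - v2.6.6
# behaviour (only the user-specified SG, default SG missing), i-lt is healthy.
SAMPLE_OBSERVED = {
    "ng-plain": {
        "i-ok-EXAMPLE": {"sg-cluster-default-EXAMPLE"},
        "i-bug-EXAMPLE": {"sg-user-extra-EXAMPLE"},
    },
    "ng-lt": {"i-lt-EXAMPLE": {"sg-launch-template-EXAMPLE"}},
}

if __name__ == "__main__":
    print("cluster SGs:", sorted(expected_cluster_sgs(SAMPLE_CONFIG)))
    for ng_name, inst, missing, unexpected in audit_nodes(SAMPLE_CONFIG, SAMPLE_OBSERVED):
        print(f"{ng_name}/{inst}: missing={missing} unexpected={unexpected}")
```

On the constructed input the audit reports only `i-bug-EXAMPLE`, missing the default Security Group and carrying the user-specified one, which is exactly the condition that breaks node to control plane traffic on the affected Rancher versions; nodes in the Launch Template nodegroup are judged against the Launch Template's groups rather than the default.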