
Security Group behaviour in Rancher-provisioned EKS clusters

This document (000021299) is provided subject to the disclaimer at the end of this document.

Environment

- Rancher v2.6.7+

- Rancher-provisioned EKS clusters, with user-specified AWS Security Group configuration

Situation

- Provision an EKS cluster from Rancher, adding additional user-specified AWS Security Groups to the cluster configuration

Resolution

The following rules apply to the AWS Security Group configuration when provisioning an EKS cluster from Rancher.

1. If a user-specified Security Group is not set in the EKS cluster configuration within Rancher:

- The default Security Group is applied at the cluster level

- The default Security Group is applied to nodes in nodegroups without a Launch Template containing a Security Group configuration

- On any nodes in nodegroups with a Launch Template containing a Security Group configuration, the default Security Group is replaced by the Security Group configuration from the Launch Template

2. If a user-specified Security Group is set in the EKS cluster configuration within Rancher:

- The default Security Group and the user-specified Security Group are applied at the cluster level

- The default Security Group is applied to nodes in nodegroups without a Launch Template containing a Security Group configuration

- On any nodes in nodegroups with a Launch Template containing a Security Group configuration, the default Security Group is replaced by the Security Group configuration from the Launch Template

As a result of a bug in Rancher v2.6.4 - v2.6.6, if any user-specified Security Groups were applied to the cluster, only these user-specified groups were applied to nodegroups without a Launch Template containing a Security Group configuration. This could break communication between nodes and the cluster control plane, as detailed in https://github.com/rancher/rancher/issues/38014. Any user on an affected version should upgrade to a later Rancher release.
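The rules above and the v2.6.4 - v2.6.6 symptom can be checked against an inventory of observed Security Group attachments. The following Python check is an added example, not code from SUSE or Rancher; it assumes the operator supplies the default Security Group ID and the observed attachments, and the names `NodeGroup`, `audit` and every `sg-` ID are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class NodeGroup:                      # hypothetical record, filled from your own inventory
    name: str
    launch_template_sgs: list = field(default_factory=list)  # SGs set in the Launch Template
    observed_node_sgs: list = field(default_factory=list)    # SGs attached to the nodes

def required_cluster_sgs(default_sg, user_sgs):
    # Cluster level: default SG always; user-specified SGs in addition when set.
    return {default_sg} | set(user_sgs)

def required_node_sgs(default_sg, ng):
    # Node level: a Launch Template SG configuration replaces the default SG.
    return set(ng.launch_template_sgs) if ng.launch_template_sgs else {default_sg}

def audit(default_sg, user_sgs, observed_cluster_sgs, nodegroups):
    """Return (scope, verdict, missing_sgs) for every deviation from the rules."""
    findings = []
    missing = required_cluster_sgs(default_sg, user_sgs) - set(observed_cluster_sgs)
    if missing:
        findings.append(("cluster", "missing", sorted(missing)))
    for ng in nodegroups:
        got = set(ng.observed_node_sgs)
        missing = required_node_sgs(default_sg, ng) - got
        if not missing:
            continue
        # v2.6.4 - v2.6.6 symptom: no Launch Template SGs, yet the nodes carry
        # only the user-specified SGs and the default SG is absent.
        bug = not ng.launch_template_sgs and bool(user_sgs) and got == set(user_sgs)
        findings.append((ng.name, "user-sgs-only" if bug else "missing", sorted(missing)))
    return findings

# Constructed sample inventory; every ID here is a placeholder.
DEFAULT_SG, USER_SGS = "sg-default0", ["sg-user0001"]
SAMPLE = [
    NodeGroup("ng-plain-ok", [], ["sg-default0"]),
    NodeGroup("ng-plain-affected", [], ["sg-user0001"]),
    NodeGroup("ng-lt-ok", ["sg-lt000001"], ["sg-lt000001"]),
    NodeGroup("ng-lt-drift", ["sg-lt000001"], ["sg-default0"]),
]

def run_sample():
    return audit(DEFAULT_SG, USER_SGS, ["sg-default0", "sg-user0001"], SAMPLE)

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

A `user-sgs-only` finding on a nodegroup without Launch Template Security Groups matches the behaviour described for the affected Rancher versions; a plain `missing` finding is a deviation from the rules that does not fit that pattern.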

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.