SUSE Support

Here When You Need Us

Security Group behaviour in Rancher-provisioned EKS clusters

This document (000021299) is provided subject to the disclaimer at the end of this document.

Environment

- Rancher v2.6.7+
- Rancher-provisioned EKS clusters
, with user-specified AWS Security Group configuration

Situation

- Provision an EKS cluster from Rancher, adding additional user-specified AWS Security Groups to the cluster configuration

Resolution

The following is applied to the AWS Security Group configuration when provisioning an EKS cluster from Rancher.

1. If a user-specified Security Group is not set in the EKS cluster configuration within Rancher:
- The default Security Group is applied at the cluster level
- The default Security Group is applied to nodes in nodegroups without a Launch Template containing a Security Group configuration
- On any nodes in nodegroups with a Launch Template containing a Security Group configuration, the default Security Group is replaced by the Security Group configuration from the Launch Template

2. If a user-specified Security Group is set in the EKS cluster configuration within Rancher:
- The default Security Group and the user-specified Security Group are applied at the cluster level
- The default Security Group is applied to nodes in nodegroups without a Launch Template containing a Security Group configuration
- On any nodes in nodegroups with a Launch Template containing a Security Group configuration, the default Security Group is replaced by the Security Group configuration from the Launch Template

As a result of a bug, in Rancher v2.6.4 - v2.6.6, if any user-specified Security Groups were applied to the cluster, only these user-specified groups were applied to nodegroups without a Launch Template containing a Security Group configuration, potentially breaking communication between nodes and the cluster controlplane, as detailed in https://github.com/rancher/rancher/issues/38014. Any user on an affected version should upgrade to a later Rancher release.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000021299
  • Creation Date: 20-Dec-2023
  • Modified Date:25-Jan-2024
    • SUSE Rancher

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.