From d4e6c153ad50359d896797a89f0f50fff96a636e Mon Sep 17 00:00:00 2001 From: Cody Grant Date: Thu, 3 Aug 2023 19:16:57 -0400 Subject: [PATCH] chore: Update FAQ for security group tagging (#2695) * Add aws_eks_addons.before_compute to the cluster_addons output * update FAQ docs for custom networking * Rephrasing --------- Co-authored-by: Bryant Biggs --- docs/faq.md | 24 +++--------------------- 1 file changed, 3 insertions(+), 21 deletions(-) diff --git a/docs/faq.md b/docs/faq.md index 215cdb2..3ca85e8 100644 --- a/docs/faq.md +++ b/docs/faq.md 
@@ -24,27 +24,7 @@ By default, EKS creates a cluster primary security group that is created outside attach_cluster_primary_security_group = true # default is false ``` -2. If you want to use the cluster primary security group, you can disable the tag passed to the node security group by overriding the tag expected value like: - -```hcl - attach_cluster_primary_security_group = true # default is false - - node_security_group_tags = { - "kubernetes.io/cluster/" = null # or any other value other than "owned" - } -``` - -3. By overriding the tag expected value on the cluster primary security group like: - -```hcl - attach_cluster_primary_security_group = true # default is false - - cluster_tags = { - "kubernetes.io/cluster/" = null # or any other value other than "owned" - } -``` - -4. By not attaching the cluster primary security group. The cluster primary security group has quite broad access and the module has instead provided a security group with the minimum amount of access to launch an empty EKS cluster successfully and users are encouraged to open up access when necessary to support their workload. +2. By not attaching the cluster primary security group. The cluster primary security group has quite broad access and the module has instead provided a security group with the minimum amount of access to launch an empty EKS cluster successfully and users are encouraged to open up access when necessary to support their workload. ```hcl attach_cluster_primary_security_group = false # this is the default for the module 
@@ -52,6 +32,8 @@ By default, EKS creates a cluster primary security group that is created outside In theory, if you are attaching the cluster primary security group, you shouldn't need to use the shared node security group created by the module. However, this is left up to users to decide for their requirements and use case. +If you choose to use [Custom Networking](https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html), make sure to only attach the security groups matching your choice above in your ENIConfig resources. This will ensure you avoid redundant tags. + ### Why are nodes not being registered? Nodes not being able to register with the EKS control plane is generally due to networking mis-configurations.
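Review bot: In the first hunk (docs/faq.md, old lines 24-50), removing options 2 and 3 drops the only documentation of overriding "kubernetes.io/cluster/" through node_security_group_tags and cluster_tags, and neither the FAQ nor the commit message says why. Readers who already set one of those overrides to a value other than "owned" have no guidance on whether that is still supported or should be removed. Suggest adding one sentence stating that the overrides are no longer recommended (or no longer needed) and what to do instead. The renumbered item 2 would also read better split in two, for example ending the first sentence at "quite broad access." and starting the next with "The module instead provides a security group with the minimum access needed to launch an empty EKS cluster". That keeps the least-privilege reason for the default attach_cluster_primary_security_group = false easy to find.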
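Review bot: In the second hunk, the added Custom Networking sentence says "your choice above" and "redundant tags" without naming either. It also sits after the "In theory..." paragraph, so the list it refers to is no longer adjacent. Suggest spelling out that the choice is between the two numbered options (attach_cluster_primary_security_group = true or false) and that the tag in question is the "kubernetes.io/cluster/" tag whose value "owned" the removed examples referred to, so a reader editing ENIConfig resources knows which security groups must not be attached together. Minor wording: "make sure to attach only the security groups" reads more clearly than "make sure to only attach", and "This will ensure you avoid redundant tags" could state the consequence of having them.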