# aws
a
Hi, when an EKS cluster is created, it automatically creates a security group for the cluster that is overpermissive, allowing egress to 0.0.0.0/0. I want to lock it down and I know how to do so, but how do I get rid of that security group rule using plain Pulumi? Or is this impossible and I need to resort to using an external library, like boto? Thank you
m
You can specify your own security group when creating the cluster, ~which I believe takes the place of the default security group that's created otherwise~: https://www.pulumi.com/registry/packages/aws/api-docs/eks/cluster/#clustersecuritygroupid_nodejs. It has to meet the requirements described here.
l
And if you do allow the default group to be created, you can write code to delete it, but yes it would have to use an AWS client SDK like boto.
The Pulumi SDK already wraps the AWS SDK: that's what provides all the `<ResourceClass>.get()` static functions.
a
@modern-zebra-45309 No, the security group that you can specify is an additional security group and has no effect on the default security group creation.
l
Ah ok. So if you do write that code, you will have to remember to put it inside an `apply()` block, since the normal top-level part of the code runs before the cluster is created.
a
I think I'll just use `command.local.Command` with Python as the interpreter, it's probably cleaner that way. Thanks! Just another reason to dislike EKS...
h
There's nothing wrong with allowing egress to 0.0.0.0/0 from a networking and security perspective.
l
Everyone's use-case is different. Disallowing internet access is very important in some cases, such as simulating a truly air-gapped environment, or when compliance requires no upgrades from remote repositories.
a
There is absolutely something wrong with allowing egress to 0.0.0.0/0 from a networking and security perspective. It means I have no control over where the services are sending data to, which in an enterprise scenario is most likely against company policies.
h
True, but ingress is where you have control. It is close to impossible to have fine-grained egress rules.
l
I've had no trouble with that in the past. When you have complete control over the one and only app within an SG, you know 100% what ports it needs and to where.