https://pulumi.com logo
w

wide-judge-30323

09/06/2019, 3:48 AM
Hi šŸ™‚ I have an EKS cluster created with pulumi, with some services / helm charts applied, I'm seeing the follow weirdness: When a helm chart is applied fresh, it creates an ELB and adds its security group to the node security group, and all works as expected. On a subsequent pulumu run, it says it want to update the node security group, and removes the rule so that the ELB can no longer reach the cluster. This also happens with a
Service
created without helm. I've recently upgraded pulumi to 1.0 - This cluster has been running for some time, and updates have been ok till now - although we did experience a similar thing when pulumi updated the AMI for the EKS cluster. Has anyone else observed something similar?
w

white-balloon-205

09/06/2019, 3:53 AM
Can you share the exact diff you are seeing? Is this with
@pulumi/eks
?
w

wide-judge-30323

09/06/2019, 3:58 AM
Sure The diff looks like it's replacing the rules with the default rules:
Copy code
~ aws:ec2/securityGroup:SecurityGroup: (update)
            [id=sg-01290dc7456d80e3a]
            [urn=urn:pulumi:prod::insights-base::eks:index:Cluster$aws:ec2/securityGroup:SecurityGroup::cluster-nodeSecurityGroup]
            description        : "Managed by Pulumi"
            egress             : [
                [0]: {
                    cidrBlocks : [
                        [0]: "0.0.0.0/0"
                    ]
                    description: "Allow internet access."
                    fromPort   : 0
                    protocol   : "-1"
                    self       : false
                    toPort     : 0
                }
            ]
            ingress            : [
                [0]: {
                    description: "Allow nodes to communicate with each other"
                    fromPort   : 0
                    protocol   : "-1"
                    self       : true
                    toPort     : 0
                }
                [1]: {
                    description   : "Allow worker Kubelets and pods to receive communication from the cluster control plane"
                    fromPort      : 1025
                    protocol      : "tcp"
                    securityGroups: [
                        [0]: "sg-02442ca8c9d39cd06"
                    ]
                    self          : false
                    toPort        : 65535
                }
                [2]: {
                    description   : "Allow pods running extension API servers on port 443 to receive communication from cluster control plane"
                    fromPort      : 443
                    protocol      : "tcp"
                    securityGroups: [
                        [0]: "sg-02442ca8c9d39cd06"
                    ]
                    self          : false
                    toPort        : 443
                }
            ]
            name               : "cluster-nodeSecurityGroup-bb73210"
            revokeRulesOnDelete: false
            tags               : {
                <http://kubernetes.io/cluster/cluster-eksCluster-50e3f63|kubernetes.io/cluster/cluster-eksCluster-50e3f63>: "owned"
            }
            vpcId              : "vpc-8194a0e8"
Yep - cluster created with pulumi/eks
w

white-balloon-205

09/06/2019, 4:19 AM
What version of
@pulumi/EKS
are you using? Versions since
0.18.3
have managed these rules independently from the security group. Also see https://github.com/pulumi/pulumi-eks/blob/master/CHANGELOG.md#0185-released-may-09-2019.
w

wide-judge-30323

09/06/2019, 4:20 AM
Even after a successful "pulumi up", running immediately again still says it want to update the group in the plan:
Copy code
ā”œā”€ eks:index:Cluster                         cluster                                               
 ~   ā”‚  ā””ā”€ aws:ec2:SecurityGroup                  cluster-nodeSecurityGroup                  update
w

white-balloon-205

09/06/2019, 4:30 AM
Two things: 1. What version of Pulumi-eks? 2. Are you doing refresh at all?
w

wide-judge-30323

09/06/2019, 4:46 AM
Thanks - looks like outdated pulumi-eks might be it - currently 0.17.4 - will try the upgrade steps you linked and see how it goes.
I had tried a refresh too, but results seemed the same. Anyway - will update versions šŸ™‚