https://pulumi.com logo
Powered by
#kubernetes
Title
# kubernetes
b

bitter-eve-53295

04/19/2022, 8:01 PM
Anyone out there using pulumi-eks for cluster + node management? I'm having a heck of a time: ā€¢ Using eks.NodeGroup, specifically the bit about the "cluster" argument (would love an example of how to use an eks.Cluster) ā€¢ Setting minimal security group ingress on management or worker nodes Would love some pointers or examples
p

polite-napkin-90098

04/19/2022, 8:31 PM
I am, although I'm still at the trying to get a cluster up and running stage.
šŸ‘ 1
I haven't used eks.NodeGroup yet but will probably do so shortly.
b

bitter-eve-53295

04/19/2022, 8:34 PM
I was able to get eks.Cluster working with an eks.ManagedNodeGroup, but that doesn't have input for security groups
p

polite-napkin-90098

04/19/2022, 8:34 PM
I have been adding rules to security groups to allow EFS access and some other things. I created the cluster first and then did this:
Copy code
// Need to be able to access the EFS (NFS) ports from the node sg and cluster sg
const nodeEFS = new aws.ec2.SecurityGroupRule("nodeEFS", {
	type: "ingress",
	fromPort: 2049,
	toPort: 2049,
	protocol: "tcp",
	securityGroupId: endp.ids[0],
	sourceSecurityGroupId: sg.id,
	description: `Allow the ${nam} k8s cluster access to the EFS drive in the endpoints sg`,
});
so sg.Id is the security group I used in the 
clusterSecurityGroup
in the new eks.Cluster
and 
endp.ids[0]
is the result of Looking up security groups tagged with 'endpoints' in the current vpc
Copy code
const clusterEFS = new aws.ec2.SecurityGroupRule("clusterEFS", {
	type: "ingress",
	fromPort: 2049,
	toPort: 2049,
	protocol: "tcp",
	securityGroupId: endp.ids[0],
	sourceSecurityGroupId: cluster.nodeSecurityGroup.id,
	description: `Allow the ${nam} k8s cluster access to the EFS drive in the endpoints sg`,
});
This is pretty much the same thing, but here cluster.nodeSecurityGroup.id is the id of the node security group created by the 
new eks.Cluster
hth
b

bitter-eve-53295

04/19/2022, 8:42 PM
Ahhh....filtering by endpoints in vpc though? What if you have multiple clusters?
p

polite-napkin-90098

04/19/2022, 8:42 PM
I don't šŸ˜œ
but you could use better tagging than I have
or if you use pulumi to create all the endpoints and endpoint security groups, you could also get the right sg with Stack References
but in my case the endpoint sg already exists (hand-crafted) so I just tagged it so I could find it with a bit of code like:
Copy code
const endp = pulumi.output(aws.ec2.getSecurityGroups({
        tags: { 
                Job: "Endpoints",
        },
        filters: [
                {
                        name: "vpc-id",
                        values: [vpcid],
                },
        ],
}));
šŸ‘ 1
b

brave-ambulance-98491

04/20/2022, 11:44 PM
I have multiple clusters with multiple `eks.NodeGroup`s in each, if you're still looking for pointers. It works pretty well, with some caveats around 
desiredCapacity
overriding what's set by the cluster autoscaler.
b

bitter-eve-53295

04/21/2022, 12:00 AM
That's awesome thanks! How are you setting the cluster argument of the 
eks.NodeGroup
?
b

brave-ambulance-98491

04/21/2022, 12:09 AM
Basically like:
Copy code
const clusterOutput = new eks.Cluster(...);
clusterOutput.apply((cluster) => {
  new eks.NodeGroup(
    "group-name",
    {
      cluster,
      ...
    });
});
Unwrap the 
pulumi.Output<eks.Cluster>
via the 
apply
method.
b

bitter-eve-53295

04/21/2022, 12:23 AM
Hmm, I was passing in cluster.core. I'll try this out, thanks!
šŸ‘šŸ» 1
9 Views
Powered by