EKS created Cluster Security Group doesn't have tags mentioned in additionalTags of AWSManagedControlPlane #5223
Labels: kind/bug, needs-priority, needs-triage
/kind bug
**What steps did you take and what happened:**

The `spec` section of `AWSManagedControlPlane` allows us to provide `additionalTags`. These tags are then propagated to all the resources created by CAPA for EKS clusters, like Cluster, Subnet, Security Group (`node-eks-additional`), etc., but it only pushes the tags to the additional security group for the cluster and not to the primary security group used by the cluster.

From this documentation: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

It is pretty evident that EKS creates a Cluster Security Group by itself and provides its own tags on it. (CAPA neither creates it nor handles that security group.)

Also, reading the CAPA code here: https://github.com/kubernetes-sigs/cluster-api-provider-aws/blob/main/pkg/cloud/services/eks/securitygroup.go

CAPA does indeed know that these security group roles (node & cluster) are created by EKS and updates the values in the status section of `AWSManagedControlPlane`. Even though the tags are propagated to the `node-eks-additional` security group, which is created by CAPA itself, these tags are not propagated to the Cluster Security Group.

**What did you expect to happen:**

All of the tags mentioned in the `additionalTags` section of `AWSManagedControlPlane` should be propagated to all the resources of the EKS cluster, including its default Cluster Security Group, which is created by EKS only and not by CAPA. CAPA has the code to fetch information from that security group; it should also apply the tags to the default Cluster Security Group. This way, even if a script is used that filters the resources of an EKS cluster by tags, it would also receive the default Cluster Security Group created by EKS.

**Anything else you would like to add:**

Many people have faced a similar issue where they want this specific security group to also get tagged so that filtering resources gives correct information: hashicorp/terraform-provider-aws#29919
**Environment:**

- Kubernetes version (`kubectl version`): All kubernetes versions
- OS (`/etc/os-release`): Linux
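Until CAPA tags the EKS-created security group itself, the gap described in this issue can be closed out-of-band. The script below is an added example written for this page; it is neither CAPA code nor the reporter's. It looks up the cluster security group ID that EKS reports via `eks:DescribeCluster` (the same field CAPA reads into its status), computes which of the desired `additionalTags` are missing or different, and applies only those with `ec2:CreateTags`. The tag-diff logic is pure and runs offline; `boto3`, AWS credentials and the cluster name `prod` in the constructed sample are assumptions. Keys with the reserved `aws:` prefix (for example the `aws:eks:cluster-name` tag EKS places on the group) are skipped, because AWS rejects user writes to them and the call would fail for the whole batch.

```python
"""Tag the EKS-created cluster security group with CAPA-style additionalTags.

Added example for this issue, not CAPA code. The diff logic is offline;
apply_cluster_sg_tags() needs boto3 and AWS credentials (assumed).
"""
from __future__ import annotations

import sys

# AWS reserves this prefix (e.g. aws:eks:cluster-name); CreateTags rejects it.
RESERVED_PREFIX = "aws:"

# Constructed sample of what EKS itself puts on the cluster security group
# for a cluster named "prod" (cluster name is an assumption for the example).
SAMPLE_EKS_TAGS = [
    {"Key": "aws:eks:cluster-name", "Value": "prod"},
    {"Key": "kubernetes.io/cluster/prod", "Value": "owned"},
]


def missing_tags(desired: dict[str, str], existing: list[dict]) -> list[dict]:
    """Return the ec2:CreateTags payload for desired tags absent or different on the SG.

    `existing` uses the EC2 API shape [{"Key": ..., "Value": ...}, ...].
    Tags EKS already owns are left untouched; reserved `aws:` keys are never emitted,
    so the call stays idempotent and cannot fail on a reserved key.
    """
    current = {t["Key"]: t["Value"] for t in existing}
    payload = []
    for key, value in sorted(desired.items()):
        if key.startswith(RESERVED_PREFIX):
            continue  # would raise InvalidParameterValue on CreateTags
        if current.get(key) != value:
            payload.append({"Key": key, "Value": value})
    return payload


def parse_tag_args(args: list[str]) -> dict[str, str]:
    """Turn CLI arguments of the form key=value into a tag dict (value may contain '=')."""
    tags = {}
    for arg in args:
        if "=" not in arg:
            raise ValueError(f"expected key=value, got {arg!r}")
        key, value = arg.split("=", 1)
        tags[key] = value
    return tags


def apply_cluster_sg_tags(cluster_name: str, desired: dict[str, str],
                          region: str | None = None) -> tuple[str, list[dict]]:
    """Resolve the EKS cluster security group and tag it; returns (sg_id, tags applied)."""
    import boto3  # assumed available; only needed for the live path

    eks = boto3.client("eks", region_name=region)
    ec2 = boto3.client("ec2", region_name=region)
    # Same field CAPA reads: cluster.resourcesVpcConfig.clusterSecurityGroupId
    sg_id = eks.describe_cluster(name=cluster_name)["cluster"]["resourcesVpcConfig"]["clusterSecurityGroupId"]
    sg = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]
    to_apply = missing_tags(desired, sg.get("Tags", []))
    if to_apply:
        ec2.create_tags(Resources=[sg_id], Tags=to_apply)
    return sg_id, to_apply


if __name__ == "__main__":
    # usage: python tag_cluster_sg.py <cluster-name> key=value [key=value ...]
    if len(sys.argv) < 3:
        sys.exit("usage: tag_cluster_sg.py <cluster-name> key=value [key=value ...]")
    group, applied = apply_cluster_sg_tags(sys.argv[1], parse_tag_args(sys.argv[2:]))
    print(f"{group}: applied {len(applied)} tag(s)")
```

Run it from the same AWS identity that needs `eks:DescribeCluster`, `ec2:DescribeSecurityGroups` and `ec2:CreateTags`; re-running is safe because tags already present with the same value produce an empty payload and no API write.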