"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.createNodeGroupSecurityGroup = exports.createManagedNodeGroup = void 0; const pulumi = require("@pulumi/pulumi"); const aws = require("@pulumi/aws"); const managedNodeGroup_1 = require("./managedNodeGroup"); /** * Create an AWS managed node group. * * See for more details: * https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html */ function createManagedNodeGroup(name, args, parent, provider) { const cluster = parent ? parent : args.cluster.eksCluster.urn; return new managedNodeGroup_1.ManagedNodeGroup(name, args, { provider, transforms: [ (targs) => { return { props: targs.props, opts: Object.assign(Object.assign({}, targs.opts), { aliases: [{ parent: cluster }] }), }; } ], }); } exports.createManagedNodeGroup = createManagedNodeGroup; /** * createNodeGroupSecurityGroup creates a security group for node groups with the * default ingress & egress rules required to connect and work with the EKS * cluster security group. 
*/ function createNodeGroupSecurityGroup(name, args, parent, provider) { const eksCluster = pulumi.output(args.eksCluster); const clusterSecurityGroup = pulumi.output(args.clusterSecurityGroup); const nodeSecurityGroup = new aws.ec2.SecurityGroup(`${name}-nodeSecurityGroup`, { vpcId: args.vpcId, revokeRulesOnDelete: true, tags: pulumi.all([args.tags, eksCluster.name]).apply(([tags, clusterName]) => (Object.assign({ Name: `${name}-nodeSecurityGroup`, [`kubernetes.io/cluster/${clusterName}`]: "owned" }, tags))), }, { parent, provider }); new aws.ec2.SecurityGroupRule(`${name}-eksNodeIngressRule`, { description: "Allow nodes to communicate with each other", type: "ingress", fromPort: 0, toPort: 0, protocol: "-1", securityGroupId: nodeSecurityGroup.id, self: true, }, { parent, provider }); new aws.ec2.SecurityGroupRule(`${name}-eksNodeClusterIngressRule`, { description: "Allow worker Kubelets and pods to receive communication from the cluster control plane", type: "ingress", fromPort: 1025, toPort: 65535, protocol: "tcp", securityGroupId: nodeSecurityGroup.id, sourceSecurityGroupId: clusterSecurityGroup.id, }, { parent, provider }); new aws.ec2.SecurityGroupRule(`${name}-eksExtApiServerClusterIngressRule`, { description: "Allow pods running extension API servers on port 443 to receive communication from cluster control plane", type: "ingress", fromPort: 443, toPort: 443, protocol: "tcp", securityGroupId: nodeSecurityGroup.id, sourceSecurityGroupId: clusterSecurityGroup.id, }, { parent, provider }); const nodeInternetEgressRule = new aws.ec2.SecurityGroupRule(`${name}-eksNodeInternetEgressRule`, { description: "Allow internet access.", type: "egress", fromPort: 0, toPort: 0, protocol: "-1", cidrBlocks: ["0.0.0.0/0"], securityGroupId: nodeSecurityGroup.id, }, { parent, provider }); const eksClusterIngressRule = new aws.ec2.SecurityGroupRule(`${name}-eksClusterIngressRule`, { description: "Allow pods to communicate with the cluster API Server", type: "ingress", fromPort: 
443, toPort: 443, protocol: "tcp", securityGroupId: clusterSecurityGroup.id, sourceSecurityGroupId: nodeSecurityGroup.id, }, { parent, provider }); return [nodeSecurityGroup, eksClusterIngressRule]; } exports.createNodeGroupSecurityGroup = createNodeGroupSecurityGroup; //# sourceMappingURL=nodegroupMixins.js.map