bottlerocket-os/bottlerocket

Is there any documentation for making Bottlerocket work without internet access from the instance's security group?

soura49 opened this issue · 1 comment

Discussed in #3953

Originally posted by soura49 May 13, 2024

  • We are using the Bottlerocket AMI for EKS-managed node groups.
  • Right now, we have egress to the internet open from the node security group.
  • But when we remove that, it fails to join the cluster, load the kernel modules, etc.
  • Is there a list of internet calls that the Bottlerocket AMI makes during startup?

The discussion in #3953 summarized:

  • @jpculp responded with the list of endpoints that Bottlerocket requires: ECR, EKS, IMDS, and SSM.
  • These were not sufficient to unblock @soura49, but adding an endpoint for STS was sufficient. STS is required for IAM roles for service accounts.

Thanks to @soura49 for the report: the answer is no, it's not documented, or at least not documented clearly enough, and we should fix that. Also thanks to @soura49 for so clearly identifying the STS issue, finding documentation, and reporting back once the problem was solved.
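A check for the gap described above, written as an added example (not Bottlerocket project code): given the endpoint ServiceNames present in a VPC, it reports which of the required ones (ECR, EKS, SSM, STS per the summary; IMDS is link-local and needs no endpoint) are still missing. The boto3 lookup, the S3 gateway note and the sample VPC contents are assumptions constructed for the example.

```python
"""Report which VPC endpoints an egress-less Bottlerocket node subnet lacks.

Added example, not Bottlerocket project code. Required set follows the issue
summary (ECR, EKS, SSM, STS); IMDS (169.254.169.254) needs no VPC endpoint.
"""
from typing import Iterable, List

# Required interface endpoints keyed by AWS service suffix. ECR needs two:
# the registry API and the Docker endpoint that serves image pulls.
REQUIRED = {
    "ecr.api": "ECR API (auth tokens, manifests)",
    "ecr.dkr": "ECR Docker registry (image pulls)",
    "eks": "EKS API (cluster join)",
    "ssm": "SSM (listed as required in the discussion)",
    "sts": "STS (IAM roles for service accounts; the gap found in #3953)",
}
# Not on the page, but needed in practice: ECR stores image layers in S3,
# so a private subnet also wants an S3 gateway endpoint.
S3_GATEWAY = "s3"


def service_name(region: str, suffix: str) -> str:
    """ServiceName as EC2 reports it, e.g. com.amazonaws.us-west-2.sts."""
    return f"com.amazonaws.{region}.{suffix}"


def missing_endpoints(region: str, existing: Iterable[str], include_s3: bool = False) -> List[str]:
    """Return required ServiceNames absent from `existing`, sorted."""
    wanted = list(REQUIRED) + ([S3_GATEWAY] if include_s3 else [])
    have = set(existing)
    return sorted(s for s in (service_name(region, w) for w in wanted) if s not in have)


def describe_endpoint_names(vpc_id: str, region: str) -> List[str]:
    """Live lookup of a VPC's endpoint ServiceNames (needs ec2:DescribeVpcEndpoints)."""
    import boto3  # assumption: boto3 installed and credentials configured
    ec2 = boto2 = boto3.client("ec2", region_name=region)
    names, token = [], None
    while True:
        kwargs = {"Filters": [{"Name": "vpc-id", "Values": [vpc_id]}]}
        if token:
            kwargs["NextToken"] = token
        resp = ec2.describe_vpc_endpoints(**kwargs)
        names.extend(e["ServiceName"] for e in resp["VpcEndpoints"])
        token = resp.get("NextToken")
        if not token:
            return names


# Constructed sample: the endpoints first suggested in the discussion
# (ECR, EKS, SSM) are present, STS is not, so nodes cannot join.
SAMPLE_EXISTING = [service_name("us-west-2", s) for s in ("ecr.api", "ecr.dkr", "eks", "ssm")]

if __name__ == "__main__":
    for name in missing_endpoints("us-west-2", SAMPLE_EXISTING, include_s3=True):
        suffix = name[len("com.amazonaws.us-west-2."):]
        print("missing:", name, "-", REQUIRED.get(suffix, "S3 gateway for ECR layers"))
```

Replace `SAMPLE_EXISTING` with `describe_endpoint_names(vpc_id, region)` to run it against a real VPC.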