Is there any documentation for making Bottlerocket work without internet access from the instances' security group?
soura49 opened this issue · 1 comment
soura49 commented
Discussed in #3953
Originally posted by soura49 May 13, 2024
- We are using the Bottlerocket AMI for EKS-managed node groups.
- Right now, we have egress to the internet open from the node security group.
- But when we remove that, it fails to join the cluster and load the kernel modules etc.
- Is there a list of the internet calls that the Bottlerocket AMI makes during startup?
larvacea commented
The discussion in #3953 summarized:
- @jpculp responded with the list of endpoints that Bottlerocket requires: ECR, EKS, IMDS, and SSM.
- These were not sufficient to unblock @soura49, but adding an endpoint for STS was sufficient. STS is required for IAM roles for service accounts.
Thanks to @soura49 for the report: the answer is no, it's not documented, or at least not documented clearly enough, and we should fix that. Also thanks to @soura49 for so clearly identifying the STS issue, finding documentation, and reporting back once the problem was solved.
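The thread's answer is a list of services (ECR, EKS, SSM and STS) rather than a check. As an added example, not code from the Bottlerocket project, the script below audits the output of `aws ec2 describe-vpc-endpoints` for a VPC and reports which of those endpoints are missing or have private DNS disabled (an interface endpoint without private DNS does not capture the SDK's default regional hostname, so traffic still tries to leave the VPC). IMDS is link-local and needs no endpoint. Two things in the required list are assumptions from AWS documentation, not from this thread: the SSM Agent also uses `ssmmessages` and `ec2messages`, and ECR image layers are served from S3, so an S3 gateway endpoint is included. The VPC id, endpoint ids and region are constructed sample data.

```python
"""Audit a VPC's endpoints against what Bottlerocket nodes need with no internet egress.

Endpoint list from the discussion: ECR, EKS, SSM, STS (IMDS is link-local, no endpoint).
Assumptions from AWS docs, not from the thread: ssmmessages/ec2messages for SSM Agent,
and an S3 gateway endpoint because ECR layers are pulled from S3.
"""
import json

INTERFACE = "Interface"
GATEWAY = "Gateway"


def required_endpoints(region):
    """Service names (as shown by describe-vpc-endpoints) a node subnet should reach privately."""
    return {
        f"com.amazonaws.{region}.ecr.api": INTERFACE,
        f"com.amazonaws.{region}.ecr.dkr": INTERFACE,
        f"com.amazonaws.{region}.eks": INTERFACE,
        f"com.amazonaws.{region}.sts": INTERFACE,   # needed for IAM roles for service accounts
        f"com.amazonaws.{region}.ssm": INTERFACE,
        f"com.amazonaws.{region}.ssmmessages": INTERFACE,  # assumption: SSM Agent channel
        f"com.amazonaws.{region}.ec2messages": INTERFACE,  # assumption: SSM Agent channel
        f"com.amazonaws.{region}.s3": GATEWAY,             # assumption: ECR layer storage
    }


def audit(describe_output, vpc_id, region):
    """Return missing endpoints and interface endpoints whose private DNS is off.

    describe_output has the shape of `aws ec2 describe-vpc-endpoints --output json`.
    Only endpoints in the given VPC that are in the 'available' state count.
    """
    wanted = required_endpoints(region)
    present = {}
    for ep in describe_output.get("VpcEndpoints", []):
        if ep.get("VpcId") != vpc_id or ep.get("State") != "available":
            continue
        present[ep["ServiceName"]] = ep

    findings = {"missing": [], "private_dns_disabled": []}
    for name, kind in wanted.items():
        ep = present.get(name)
        if ep is None:
            findings["missing"].append(name)
        elif kind == INTERFACE and not ep.get("PrivateDnsEnabled", False):
            # Without private DNS the SDK's default hostname still resolves to a public IP.
            findings["private_dns_disabled"].append(name)
    return findings


# Constructed sample, mirroring the report: STS is absent, so nodes fail to join.
SAMPLE_DESCRIBE_OUTPUT = {
    "VpcEndpoints": [
        {"VpcEndpointId": "vpce-0aaa", "VpcEndpointType": INTERFACE, "VpcId": "vpc-0example",
         "ServiceName": "com.amazonaws.us-west-2.eks", "State": "available", "PrivateDnsEnabled": True},
        {"VpcEndpointId": "vpce-0bbb", "VpcEndpointType": INTERFACE, "VpcId": "vpc-0example",
         "ServiceName": "com.amazonaws.us-west-2.ecr.api", "State": "available", "PrivateDnsEnabled": True},
        {"VpcEndpointId": "vpce-0ccc", "VpcEndpointType": INTERFACE, "VpcId": "vpc-0example",
         "ServiceName": "com.amazonaws.us-west-2.ecr.dkr", "State": "available", "PrivateDnsEnabled": False},
        {"VpcEndpointId": "vpce-0ddd", "VpcEndpointType": INTERFACE, "VpcId": "vpc-0example",
         "ServiceName": "com.amazonaws.us-west-2.ssm", "State": "available", "PrivateDnsEnabled": True},
        {"VpcEndpointId": "vpce-0eee", "VpcEndpointType": GATEWAY, "VpcId": "vpc-0example",
         "ServiceName": "com.amazonaws.us-west-2.s3", "State": "available"},
        # An STS endpoint exists, but in a different VPC, so it does not help these nodes.
        {"VpcEndpointId": "vpce-0fff", "VpcEndpointType": INTERFACE, "VpcId": "vpc-0other",
         "ServiceName": "com.amazonaws.us-west-2.sts", "State": "available", "PrivateDnsEnabled": True},
    ]
}


def main():
    findings = audit(SAMPLE_DESCRIBE_OUTPUT, "vpc-0example", "us-west-2")
    print(json.dumps(findings, indent=2))


if __name__ == "__main__":
    main()
```

Feed it real output with `aws ec2 describe-vpc-endpoints --output json > endpoints.json` and `audit(json.load(open("endpoints.json")), vpc_id, region)`; an empty `missing` list and an empty `private_dns_disabled` list are the condition under which the node security group's internet egress rule can be dropped.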