2

I can't access RDS through pods running in EKS on Fargate, but I can do so via pods running on EC2 because the security group was attached while creating the node group.

How can I do the same for Fargate?

Maurice
sap

2 Answers

1

From the docs: "Pods running on Fargate are automatically configured to use the cluster security group for the cluster that they are associated with." That is, you can't assign a per-pod SG (like you can for pods running on EC2); however, you can assign a SG (the same SG) to all your pods running on Fargate. Lots of customers want to have more granularity and we are working on that (you can track this feature here).

mreferre
1

This is available on v1.18 and above clusters, and you need to be running the latest EKS platform version for the corresponding Kubernetes minor version.

https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html

One important note to keep in mind: previously, every Fargate pod got assigned the EKS cluster security group, which ensured the Fargate pod could communicate with the Kubernetes control plane and join the cluster. With custom security groups, you are responsible for ensuring the correct security group rules are opened to enable this communication. The easiest way to accomplish this is to simply specify the cluster security group ID as one of the custom security groups to assign to Fargate pods.

Source: https://github.com/aws/containers-roadmap/issues/625#issuecomment-852478276

Chen A.
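As an added example (not from either answer), a SecurityGroupPolicy manifest, the resource described in the linked security-groups-for-pods docs, that applies the advice in the answer above: the cluster security group is kept alongside an RDS-client security group, so the Fargate pod can still reach the control plane. The security group IDs, namespace, labels and image are placeholders.

```yaml
# Added example: SecurityGroupPolicy for the EKS security-groups-for-pods
# feature, selecting the Fargate pods that need to reach RDS.
# Security group IDs, namespace, labels and image are placeholders.
apiVersion: vpcresources.k8s.aws/v1beta1
kind: SecurityGroupPolicy
metadata:
  name: rds-client-pods
  namespace: app            # the policy only matches pods in its own namespace
spec:
  podSelector:
    matchLabels:
      app: api              # only pods carrying this label get the custom SGs
  securityGroups:
    groupIds:
      # 1. The EKS cluster security group. Keep it: without it the Fargate
      #    pod cannot talk to the control plane and never joins the cluster.
      #    Look it up with:
      #    aws eks describe-cluster --name <cluster> \
      #      --query cluster.resourcesVpcConfig.clusterSecurityGroupId
      - sg-0123456789abcdef0   # placeholder: cluster security group
      # 2. A client security group that the RDS instance's security group
      #    allows inbound from on the database port (e.g. 5432 for PostgreSQL).
      - sg-0fedcba9876543210   # placeholder: RDS client security group
---
# The pod must be created after the policy exists and must match the selector
# above; a Fargate profile covering the "app" namespace is assumed.
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: app
  labels:
    app: api
spec:
  containers:
    - name: api
      image: public.ecr.aws/docker/library/postgres:15   # placeholder client image
      command: ["sleep", "infinity"]
```

The RDS instance's own security group still needs an inbound rule on the database port whose source is the RDS client security group, and pods that were already running when the policy was created have to be recreated to pick it up.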