AWS eks documentation change
Summary
Removed security group rule limit warnings and CIDR cleanup responsibility notes
Security assessment
Removal of warnings about security group limits and CIDR management reduces visibility of potential misconfigurations but does not directly address a specific security issue.
Diff
diff --git a/eks/latest/userguide/hybrid-nodes-networking.md b/eks/latest/userguide/hybrid-nodes-networking.md index 44dbe22ac..a738e726c 100644 --- a//eks/latest/userguide/hybrid-nodes-networking.md +++ b//eks/latest/userguide/hybrid-nodes-networking.md @@ -252 +252 @@ Run the following command for each of the subnets you created in the previous st -The following access for your EKS cluster security group is required for ongoing cluster operations. Amazon EKS automatically creates the required **ingress** security group rules for hybrid nodes when you create or update your cluster with remote node and pod networks configured. +The following access for your EKS cluster security group is required for ongoing cluster operations. @@ -261,11 +261 @@ HTTPS | TCP | Outbound | Webhook ports | N/A | Remote Pod CIDR(s) | Kubern -###### Important - -**Security group rule limits** : Amazon EC2 security groups have a maximum of 60 ingress rules by default. The security group ingress rules may not apply if your cluster security group approaches this limit. In this case, it may be required to manually add in the missing ingress rules. - -**CIDR cleanup responsibility** : If you remove remote node or pod networks from EKS clusters, EKS does not automatically remove the corresponding security group rules. You are responsible for manually removing unused remote node or pod networks from your security group rules. - -For more information about the cluster security group that Amazon EKS creates, see [View Amazon EKS security group requirements for clusters](./sec-group-reqs.html). - -### (Optional) Manual security group configuration - -If you need to create additional security groups or modify the automatically created rules, you can use the following commands as reference. By default, the command below creates a security group that allows all outbound access. You can restrict outbound access to include only the rules above. If you’re considering limiting the outbound rules, we recommend that you thoroughly test all of your applications and pod connectivity before you apply your changed rules to a production cluster. +To create a security group with the inbound access rules, run the following commands. This security group must be passed when you create your Amazon EKS cluster. By default, the command below creates a security group that allows all outbound access. You can restrict outbound access to include only the rules above. If you’re considering limiting the outbound rules, we recommend that you thoroughly test all of your applications and pod connectivity before you apply your changed rules to a production cluster.