EC2NodeClass Creation with Non-Existent Security Groups #9035

@r-aju

Description

Observed Behavior: The EC2NodeClass supports including security groups that don't exist. Karpenter creates the EC2NodeClass even when a security group doesn't exist, without validation.

Expected Behavior: When creating an EC2NodeClass, Karpenter should validate that all specified security groups actually exist before proceeding with the creation. Ideally it should just use security group IDs and not allow anything else.

Reproduction Steps (Please include YAML):
EC2NodeClass is created successfully even with non-existent security groups.

apiVersion: karpenter.k8s.aws/v1
kind: EC2NodeClass
metadata:
  name: worker
spec:
  amiFamily: Bottlerocket
  amiSelectorTerms:
  - id: ami-xxxxxx
  - id: ami-xxxxxx
  associatePublicIPAddress: false
  blockDeviceMappings:
  - deviceName: /dev/xvda
    ebs:
      encrypted: true
      kmsKeyID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      volumeSize: 4Gi
      volumeType: gp3
  detailedMonitoring: true
  kubelet:
    clusterDNS:
    - xx.xxx.x.xx
    maxPods: 110
  metadataOptions:
    httpEndpoint: enabled
    httpProtocolIPv6: disabled
    httpPutResponseHopLimit: 2
    httpTokens: required
  role: karpenter-node
  securityGroupSelectorTerms:
  - id: sg-xxxxxxxxxxxxxx
  - id: TBD-testing  # This SG doesn't exist
  - id: sg-xxxxxxxxxxxxxxxxx
  subnetSelectorTerms:
  - id: subnet-xxxxxxxxxxxxxxxxx
  - id: subnet-xxxxxxxxxxxxxxxxx
  - id: subnet-xxxxxxxxxxxxxxxxx
  tags:
    ENVIRONMENT: prod
    POD: infra
    SERVICE: eks
  userData: |
    [settings]
    [settings.host-containers.control]
    [settings.kernel.sysctl]
    'net.core.netdev_max_backlog' = '30000'

Versions:

  • Chart Version: 1.6.2
  • Kubernetes Version (kubectl version): 1.33
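A pre-apply check of the kind the report asks Karpenter for, as an added example (not Karpenter's code and not from the issue): it pulls the `id:` entries out of `spec.securityGroupSelectorTerms`, rejects anything not shaped like an EC2 security group ID, and flags well-formed IDs that are absent from the account. The sample manifest and the ID set are constructed; `existing_sg_ids_from_aws` assumes an installed and configured AWS CLI and is only needed to resolve live IDs.

```python
import json
import re
import subprocess

# Assumption (not from the issue): EC2 security group IDs are "sg-" plus 8 or 17 lowercase hex digits.
SG_ID_RE = re.compile(r"^sg-(?:[0-9a-f]{8}|[0-9a-f]{17})$")

# Constructed EC2NodeClass excerpt; "TBD-testing" mirrors the non-existent entry from the report.
SAMPLE_NODECLASS = """\
kind: EC2NodeClass
spec:
  securityGroupSelectorTerms:
  - id: sg-0123456789abcdef0
  - id: TBD-testing
  - id: sg-11111111
  subnetSelectorTerms:
  - id: subnet-0123456789abcdef0
"""

def extract_sg_ids(nodeclass_yaml: str) -> list[str]:
    """Collect `id:` values under spec.securityGroupSelectorTerms without a YAML library.
    The block ends at the next key at the same or a smaller indent, so subnet IDs are skipped."""
    ids, block_indent = [], None
    for line in nodeclass_yaml.splitlines():
        stripped, indent = line.strip(), len(line) - len(line.lstrip())
        if stripped.startswith("securityGroupSelectorTerms:"):
            block_indent = indent
        elif block_indent is not None:
            if indent < block_indent or (indent == block_indent and not stripped.startswith("-")):
                break
            match = re.match(r"-?\s*id:\s*(\S+)", stripped)
            if match:
                ids.append(match.group(1))
    return ids

def check_sg_ids(ids: list[str], existing: set[str]) -> dict[str, str]:
    """Map each bad reference to a reason: "malformed" (not an sg- ID) or "missing" (not in the account)."""
    problems = {}
    for sg in ids:
        if not SG_ID_RE.match(sg):
            problems[sg] = "malformed"
        elif sg not in existing:
            problems[sg] = "missing"
    return problems

def existing_sg_ids_from_aws() -> set[str]:
    """Resolve the account's live group IDs with the AWS CLI (assumed installed and configured)."""
    cmd = ["aws", "ec2", "describe-security-groups", "--query", "SecurityGroups[].GroupId", "--output", "json"]
    return set(json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout))
```

A non-empty result from `check_sg_ids` is exactly the manifest state the report says Karpenter currently accepts without complaint.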

Labels: bug (Something isn't working), triage/accepted (Indicates that the issue has been accepted as a valid issue)