rh-mobb/documentation

Procedure using the SG from the nodes for the EFS configuration.

Opened this issue · 1 comments

In the documentation Enabling the AWS EFS CSI Driver Operator on ROSA, it uses the SG from the worker nodes to set up the inbound rule for the EFS Mount Target:

SG=$(aws ec2 describe-instances --filters \
  "Name=private-dns-name,Values=$NODE" \
  --query 'Reservations[*].Instances[*].{SecurityGroups:SecurityGroups}' \
  --region $AWS_REGION \
  | jq -r '.[0][0].SecurityGroups[0].GroupId')

The correct approach would be to use the default SG created with the VPC, which has no other rules and is ready to be used. By default, when creating the EFS filesystem, it selects the default SG of the VPC; we only need to change it later to add the NFS rule.

Here, at "Via the AWS CLI", step 3, I changed the approach, and here I mention having the EFS ID at hand so it can be used later to retrieve the MOUNTTARGET and SG:

EFSID=<please replace with the EFS filesystem ID>
NODE=$(oc get nodes --selector=node-role.kubernetes.io/worker \
  -o jsonpath='{.items[0].metadata.name}')
VPC=$(aws ec2 describe-instances \
  --filters "Name=private-dns-name,Values=$NODE" \
  --query 'Reservations[*].Instances[*].{VpcId:VpcId}' \
  | jq -r '.[0][0].VpcId')
CIDR=$(aws ec2 describe-vpcs \
  --filters "Name=vpc-id,Values=$VPC" \
  --query 'Vpcs[*].CidrBlock' \
  | jq -r '.[0]')
MOUNTTARGET=$(aws efs describe-mount-targets --file-system-id $EFSID \
  | jq -r '.MountTargets[0].MountTargetId')
SG=$(aws efs describe-mount-target-security-groups --mount-target-id $MOUNTTARGET \
  | jq -r '.SecurityGroups[0]')

The official documentation does not mention the SG when creating the EFS filesystem, only to copy the SG ID to be used later.

I agree that we should not use the worker security group and should instead use a different security group. I don't know that I agree that you should use the default SG, though; I'd like to create a purpose-built SG for this to ensure only the permissions that are necessary are applied. A PR for this would be welcome.
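One way to verify that the SG attached to the mount target is really purpose-built, as the comment above asks for, is to audit it for anything beyond NFS (TCP 2049) from the VPC CIDR. The following is an added example, not code from the rh-mobb documentation; it reads the JSON shape returned by `aws ec2 describe-security-groups` for the SG obtained in the procedure, and the sample groups, IDs and CIDR are constructed.

```python
"""Least-privilege audit for the security group used by an EFS mount target."""
import ipaddress
import json
from typing import List

NFS_PORT = 2049

# Constructed sample in the shape of `aws ec2 describe-security-groups --group-ids ...`:
# (a) a purpose-built EFS SG and (b) a worker-node SG reused for the mount target.
SAMPLE_SGS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0efs000000000001", "GroupName": "rosa-efs-mount-target",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
      "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0wrk000000000002", "GroupName": "rosa-worker-sg",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
      "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
     {"IpProtocol": "-1", "IpRanges": [],
      "UserIdGroupPairs": [{"GroupId": "sg-0wrk000000000002"}]}]}
]}
""")


def audit_efs_sg(sg: dict, vpc_cidr: str) -> List[str]:
    """Return findings for one security group; an empty list means it only
    allows TCP/2049 from inside the VPC (or from another SG) and nothing else."""
    findings = []
    vpc_net = ipaddress.ip_network(vpc_cidr)
    has_nfs = False
    for perm in sg.get("IpPermissions", []):
        proto, frm, to = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
        if proto == "tcp" and frm == NFS_PORT and to == NFS_PORT:
            for rng in perm.get("IpRanges", []):
                if ipaddress.ip_network(rng["CidrIp"]).subnet_of(vpc_net):
                    has_nfs = True
                else:
                    findings.append(f"NFS allowed from outside the VPC: {rng['CidrIp']}")
            if perm.get("UserIdGroupPairs"):  # source SG (e.g. the worker SG) is acceptable
                has_nfs = True
        else:
            desc = "all traffic" if proto == "-1" else f"{proto} {frm}-{to}"
            findings.append(f"non-NFS rule present: {desc}")
    if not has_nfs:
        findings.append("no TCP/2049 ingress rule; mount targets will be unreachable")
    return findings


def audit_by_id(describe_output: dict, group_id: str, vpc_cidr: str) -> List[str]:
    """Pick the SG returned for the mount target (the $SG from the procedure) and audit it."""
    for sg in describe_output["SecurityGroups"]:
        if sg["GroupId"] == group_id:
            return audit_efs_sg(sg, vpc_cidr)
    return [f"security group {group_id} not found"]
```

In the real procedure, feed it the output of `aws ec2 describe-security-groups --group-ids $SG` together with `$CIDR` from the steps above.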