Remove kubernetes.io/cluster/<clusterName> tag from EFA security group (#8556)

NicholasBlaskey · web-flow · commit 9284e4dffe9e · 2025-10-28T11:03:46.000-07:00
diff --git a/pkg/cfn/builder/nodegroup_test.go b/pkg/cfn/builder/nodegroup_test.go
@@ -644,8 +644,6 @@ var _ = Describe("Unmanaged NodeGroup Template Builder", func() {
 					properties := ngTemplate.Resources["EFASG"].Properties
 					Expect(properties.VpcID).To(ContainElement(vpcID))
 					Expect(properties.GroupDescription).To(Equal("EFA-enabled security group"))
-					Expect(properties.Tags[0].Key).To(Equal("kubernetes.io/cluster/bonsai"))
-					Expect(properties.Tags[0].Value).To(Equal("owned"))
 
 					Expect(ngTemplate.Resources).To(HaveKey("EFAEgressSelf"))
 					properties = ngTemplate.Resources["EFAEgressSelf"].Properties
diff --git a/pkg/cfn/builder/vpc.go b/pkg/cfn/builder/vpc.go
@@ -103,10 +103,12 @@ func (rs *resourceSet) addEFASecurityGroup(vpcID *gfnt.Value, clusterName, desc
 	efaSG := rs.newResource("EFASG", &gfnec2.SecurityGroup{
 		VpcId:            vpcID,
 		GroupDescription: gfnt.NewString("EFA-enabled security group"),
-		Tags: []gfncfn.Tag{{
-			Key:   gfnt.NewString("kubernetes.io/cluster/" + clusterName),
-			Value: gfnt.NewString("owned"),
-		}},
+		// Don't add a kubernetes.io/cluster tag to avoid conflicting with
+		// aws load balancer controller which expects exactly one security group
+		// tagged with kubernetes.io. Resource will already be tagged with
+		// alpha.eksctl.io/cluster-name elsewhere.
+		// https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/pkg/networking/networking_manager.go#L558
+		Tags: []gfncfn.Tag{},
 	})
 
 	// Create ingress rule for EFA self-communication
