When you build the k8s clusters the security group for the nodes only allows traffic in from certain other terraform created SGs and things like SSH. We make heavy use of the NodePort service type which allocates an arbitrary open high port for the service. Our default SGs do not allow that and we have to manually edit the SGs to allow traffic. For private addressed only nodes you should allow traffic to the high port range.
From this perspective, should we be able to customize our security groups before/after deployment to prevent this from causing a usability issue?
Today I have the ability to change the security group manually, so this is more of a usability ask than anything else.
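As an added example (not part of the issue or the project's own code), the following offline check classifies which sources a node security group admits to the NodePort range, so the manual edit described above can be verified as scoped to private addresses rather than the whole internet. It assumes the kube-apiserver default `--service-node-port-range` of 30000-32767 and a constructed rule set shaped like the `IpPermissions` list from EC2 DescribeSecurityGroups; the group ID is a placeholder.

```python
"""Audit EC2 security-group ingress for Kubernetes NodePort reachability.
Added example, not code from the issue. Runs offline on a constructed sample
shaped like the `IpPermissions` list EC2 DescribeSecurityGroups returns, and
assumes the kube-apiserver default --service-node-port-range (30000-32767)."""
from ipaddress import ip_network

NODEPORT_RANGE = (30000, 32767)  # kube-apiserver default; adjust if overridden


def _covers_nodeports(perm):
    """True if the rule's protocol and port span admit the whole NodePort range."""
    proto = perm.get("IpProtocol")
    if proto == "-1":              # "all traffic" rule: every protocol and port
        return True
    if proto != "tcp":
        return False
    return perm["FromPort"] <= NODEPORT_RANGE[0] and perm["ToPort"] >= NODEPORT_RANGE[1]


def audit_nodeport_ingress(ip_permissions, vpc_cidr):
    """Classify who can reach the NodePort range on the nodes.
    covered       - at least one rule admits the full range
    private_cidrs - source CIDRs confined to the VPC (the scoping the issue asks for)
    broad_cidrs   - source CIDRs not confined to the VPC, e.g. 0.0.0.0/0
    source_groups - security-group IDs admitted to the range"""
    vpc = ip_network(vpc_cidr)
    out = {"covered": False, "private_cidrs": [], "broad_cidrs": [], "source_groups": []}
    for perm in ip_permissions:
        if not _covers_nodeports(perm):
            continue
        out["covered"] = True
        for rng in perm.get("IpRanges", []):
            cidr = rng["CidrIp"]
            key = "private_cidrs" if ip_network(cidr).subnet_of(vpc) else "broad_cidrs"
            out[key].append(cidr)
        for pair in perm.get("UserIdGroupPairs", []):
            out["source_groups"].append(pair["GroupId"])
    return out


# Constructed sample: SSH from the VPC, NodePorts opened to the world by hand,
# and an all-traffic rule from another (placeholder) security group.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 30000, "ToPort": 32767,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "-1", "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]},
]
```

A non-empty `broad_cidrs` on a private-only node group is the finding to act on; replacing that source with the VPC CIDR or the load balancer's security group keeps NodePorts reachable while closing the public exposure.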