Kubernetes and AWS: Set LoadBalancer to use predefined Security Group

As the title says, I am looking for a way to force a LoadBalancer service to use a predefined security group in AWS. I do not want to have to manually edit the inbound/outbound rules of the security group that is created for the ELB by Kubernetes. I have not been able to find anything within the documentation, nor have I located anything that works elsewhere online. Here is my current template:

apiVersion: v1
kind: Service
metadata:
  name: ds-proxy
spec:
  type: LoadBalancer
  ports:
  - port: 8761 # the port that this service should serve on
    targetPort: 8761
    protocol: TCP
  selector:
    app: discovery-service
Andonaeus asked Jan 12 '16 16:01



2 Answers

EDIT: 2021 - I am told my answer is now out of date, refer to stackoverflow.com/a/70162565/699493 instead.

You cannot prevent Kubernetes from creating a new security group. But since Andonaeus' answer was submitted a new feature has been added which allows for explicitly defining inbound permissions via your service's configuration file.

See the user guide details for the specifics. The example provided there shows that by using spec.loadBalancerSourceRanges you can allow inbound IPs:

In the following example, a load balancer will be created that is only accessible to clients with IP addresses from 130.211.204.1 and 130.211.204.2.

apiVersion: v1
kind: Service
metadata:
  name: myapp
spec:
  ports:
    - port: 8765
      targetPort: 9376
  selector:
    app: example
  type: LoadBalancer
  loadBalancerSourceRanges:
  - 130.211.204.1/32
  - 130.211.204.2/32
Keyan P answered Oct 21 '22 03:10


You cannot restrict Kubernetes from creating a new security group, but you can specify existing security groups using annotations as mentioned in the documentation:

service.beta.kubernetes.io/aws-load-balancer-extra-security-groups: "sg-53fae93f,sg-42efd82e" -> A list of additional security groups to be added to ELB

Jayaprakash answered Oct 21 '22 04:10
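Added example, not code from either answer or from Kubernetes itself: a small pre-deploy check that covers both mechanisms described above, `spec.loadBalancerSourceRanges` from the first answer and the `aws-load-balancer-extra-security-groups` annotation from the second. It takes the question's `ds-proxy` Service with both settings applied (constructed here as a Python dict so no YAML library is needed) and reports the things a reviewer would reject before the manifest reaches the cluster: no source ranges at all (the generated ELB security group then admits 0.0.0.0/0), a range that is not a valid CIDR or that is world-open, and an annotation value that is not a comma-separated list of well-formed `sg-` IDs. The function names and the manifest contents are assumptions for this example.

```python
import copy
import ipaddress
import re

EXTRA_SG_ANNOTATION = (
    "service.beta.kubernetes.io/aws-load-balancer-extra-security-groups"
)
# AWS security group IDs are "sg-" followed by 8 (legacy) or 17 hex characters.
SG_ID_RE = re.compile(r"^sg-(?:[0-9a-f]{8}|[0-9a-f]{17})$")

# Constructed manifest: the question's ds-proxy Service with the
# loadBalancerSourceRanges from answer 1 and the annotation from answer 2.
SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {
        "name": "ds-proxy",
        "annotations": {EXTRA_SG_ANNOTATION: "sg-53fae93f,sg-42efd82e"},
    },
    "spec": {
        "type": "LoadBalancer",
        "ports": [{"port": 8761, "targetPort": 8761, "protocol": "TCP"}],
        "selector": {"app": "discovery-service"},
        "loadBalancerSourceRanges": ["130.211.204.1/32", "130.211.204.2/32"],
    },
}


def check_source_ranges(spec):
    """Findings about spec.loadBalancerSourceRanges (empty list = OK)."""
    findings = []
    ranges = spec.get("loadBalancerSourceRanges")
    if not ranges:
        findings.append(
            "no loadBalancerSourceRanges: generated ELB security group "
            "will allow inbound from 0.0.0.0/0"
        )
        return findings
    for cidr in ranges:
        try:
            # strict=False tolerates host bits so we only flag real garbage
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"loadBalancerSourceRanges entry {cidr!r} is not a valid CIDR")
            continue
        if net.prefixlen == 0:
            findings.append(f"loadBalancerSourceRanges entry {cidr} allows all source addresses")
    return findings


def check_extra_security_groups(metadata):
    """Findings about the extra-security-groups annotation (absent = OK)."""
    annotations = metadata.get("annotations") or {}
    value = annotations.get(EXTRA_SG_ANNOTATION)
    if value is None:
        return []
    findings = []
    for sg_id in (part.strip() for part in value.split(",")):
        if not SG_ID_RE.match(sg_id):
            findings.append(f"annotation {EXTRA_SG_ANNOTATION} has malformed ID {sg_id!r}")
    return findings


def audit_service(manifest):
    """Return all findings for a Service manifest; only LoadBalancer Services get an ELB."""
    if manifest.get("kind") != "Service":
        return []
    spec = manifest.get("spec") or {}
    if spec.get("type") != "LoadBalancer":
        return []
    return check_source_ranges(spec) + check_extra_security_groups(manifest.get("metadata") or {})


def open_variant():
    """The same Service with the source ranges removed and a bad SG ID, for comparison."""
    bad = copy.deepcopy(SERVICE)
    del bad["spec"]["loadBalancerSourceRanges"]
    bad["metadata"]["annotations"][EXTRA_SG_ANNOTATION] = "sg-53fae93f,not-an-sg"
    return bad


if __name__ == "__main__":
    for name, manifest in (("hardened", SERVICE), ("open", open_variant())):
        print(f"{name}: {audit_service(manifest) or 'no findings'}")
```

Run it over the manifest before `kubectl apply`; an empty result means both controls are present and well-formed. The check deliberately says nothing about whether the referenced security groups exist or what their rules contain, since that is only knowable from the AWS account, not from the manifest.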