正如标题所说,我正在寻找一种方法来强制LoadBalancer服务使用AWS中预定义的安全组。我不想手动编辑Kubernetes为ELB创建的安全组的入站/出站规则。我在文档中找不到任何内容,也没有在网上找到任何其他地方可用的内容。这是我当前的模板:
apiVersion: v1
kind: Service
metadata:
name: ds-proxy
spec:
type: LoadBalancer
ports:
- port: 8761 # the port that this service should serve on
targetPort: 8761
protocol: TCP
selector:
app: discovery-service
编辑:2021-我被告知我的答案已经过时,请参阅stackoverflow.com/a/70162565/699493。
您无法阻止Kubernetes创建新的安全组。但自从Andonaeus的答案提交后,添加了一个新功能,允许通过服务的配置文件明确定义入站权限。
有关详细信息,请参阅用户指南详细信息。提供的示例显示,通过使用spec.loadBalancerSourceRanges,您可以提供允许入站IP:
在下面的示例中,将创建一个只有IP地址为130.211.204.1和130.211.204-2的客户端才能访问的负载缓冲区。
apiVersion: v1
kind: Service
metadata:
name: myapp
spec:
ports:
- port: 8765
targetPort: 9376
selector:
app: example
type: LoadBalancer
loadBalancerSourceRanges:
- 130.211.204.1/32
- 130.211.204.2/32
您不能限制kubernetes创建新的安全组,但您可以使用文档中提到的注释指定现有的安全组:
service.beta.kubernetes.io/aws-load-balancer-extra-security-groups:"sg-53fae93f,sg-42efd82e"->要添加到ELB 的附加安全组的列表
我意识到这篇文章已经有几年的历史了,但它在谷歌搜索中出现了。现在看来,使用K8S1.7+可以防止kubernetes创建安全组。看见https://github.com/kubernetes/kops/blob/release-1.9/docs/cluster_spec.md#cloudconfig了解更多信息。
目前看来这是不可能的。通过api中的以下代码,https://github.com/kubernetes/kubernetes/blob/37b5726716231c13117c4b05a841e00417b92cda/pkg/cloudprovider/providers/aws/aws.go:
func (s *AWSCloud) EnsureLoadBalancer(name, region string, publicIP net.IP, ports []*api.ServicePort, hosts []string, affinity api.ServiceAffinity) (*api.LoadBalancerStatus, error) {
glog.V(2).Infof("EnsureLoadBalancer(%v, %v, %v, %v, %v)", name, region, publicIP, ports, hosts)
.
.
.
// Create a security group for the load balancer
var securityGroupID string
{
sgName := "k8s-elb-" + name
sgDescription := "Security group for Kubernetes ELB " + name
securityGroupID, err = s.ensureSecurityGroup(sgName, sgDescription, vpcId)
if err != nil {
glog.Error("Error creating load balancer security group: ", err)
return nil, err
}
permissions := []*ec2.IpPermission{}
for _, port := range ports {
portInt64 := int64(port.Port)
protocol := strings.ToLower(string(port.Protocol))
sourceIp := "0.0.0.0/0"
permission := &ec2.IpPermission{}
permission.FromPort = &portInt64
permission.ToPort = &portInt64
permission.IpRanges = []*ec2.IpRange{{CidrIp: &sourceIp}}
permission.IpProtocol = &protocol
permissions = append(permissions, permission)
}
_, err = s.ensureSecurityGroupIngress(securityGroupID, permissions)
if err != nil {
return nil, err
}
}
securityGroupIDs := []string{securityGroupID}
.
.
.
}
无法阻止它创建安全组。
这现在是可能的,并且已经有一段时间了。
请参阅https://kubernetes.io/docs/concepts/services-networking/service/
service.beta.kubernetes.io/aws-load-balancer-security-groups: "sg-53fae93f"
# A list of existing security groups to be configured on the ELB created. Unlike the annotation
# service.beta.kubernetes.io/aws-load-balancer-extra-security-groups, this replaces all other security groups previously assigned to the ELB and also overrides the creation
# of a uniquely generated security group for this ELB.
# The first security group ID on this list is used as a source to permit incoming traffic to target worker nodes (service traffic and health checks).
# If multiple ELBs are configured with the same security group ID, only a single permit line will be added to the worker node security groups, that means if you delete any
# of those ELBs it will remove the single permit line and block access for all ELBs that shared the same security group ID.
# This can cause a cross-service outage if not used properly
请密切注意,如果您有多个负载平衡器,并且您销毁了其中一个,则允许工作SG与ELB SG对话的入口规则将被撤销。
我想要的是一个";service.beta.kubernetes.io/aws-load-balancer-stop-messsing-with-my-security-groughs:true";注释。
我们也使用service.beta.kubernetes.io/aws-load-babalancer-target-node-labels,作为一个实验,我最终拒绝了ec2:RevokeSecurityGroupIngress,但这可能会导致其他问题。
AWS的官方建议是不要共享LB安全组。