How to customize the Security Group Ingress Rules created by a Kubernetes LoadBalancer type service that uses AWS NLB for TCP services
I have a TCP service that runs via a Kubernetes Deployment on an AWS EKS cluster and is exposed to the internet by a Service of type LoadBalancer using the following definition:
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
  name: tcpservice
spec:
  selector:
    app: tcpapp
  type: LoadBalancer
  ports:
    - port: 4453
      targetPort: 4453
      name: tcpport
Because the load balancer type is NLB, the ingress traffic has to be explicitly allowed on the security group that is applied to the nodes themselves. The security group was created like this:
✔ ~$ aws ec2 describe-security-groups --group-ids sg-2645567125762c6e2 | jq '.SecurityGroups[0].IpPermissions[0]'
{
  "FromPort": 32163,
  "IpProtocol": "tcp",
  "IpRanges": [
    {
      "CidrIp": "10.20.0.0/20",
      "Description": "kubernetes.io/rule/nlb/health=afd5427b6058811ea989512627425a2e"
    },
    {
      "CidrIp": "0.0.0.0/0",
      "Description": "kubernetes.io/rule/nlb/client=afd5427b6058811ea989512627425a2e"
    }
  ],
  "Ipv6Ranges": [],
  "PrefixListIds": [],
  "ToPort": 32163,
  "UserIdGroupPairs": []
}
So now I need to change the CidrIp in the "0.0.0.0/0" rule to a different block. How can I do this using Kubernetes manifests? I've looked at the NetworkPolicy and Calico documentation, but this controls traffic to pods, not services. I can change it with the AWS API or manually, but those changes are lost when the service is redeployed.
You need to add the loadBalancerSourceRanges parameter to your service manifest.
From the documentation:
In order to limit which client IPs can access the Network Load Balancer, specify loadBalancerSourceRanges.
spec:
  loadBalancerSourceRanges:
    - "143.231.0.0/16"
https://v1-13.docs.kubernetes.io/docs/concepts/services-networking/service/
How the code is implemented can be found here:
https://github.com/kubernetes/kubernetes/blob/9d6ebf6c78f406d8639aae189901e47562418071/pkg/api/service/util.go
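As an added example (not part of the question or the answer above), a small drift check that compares the NLB client rules on the node security group, as returned by `aws ec2 describe-security-groups`, with the Service's loadBalancerSourceRanges, so you can confirm after a redeploy that the 0.0.0.0/0 rule really was replaced. It assumes the `kubernetes.io/rule/nlb/client` and `.../health` rule descriptions shown in the question; the security group JSON is a constructed sample with placeholder ids.

```python
import ipaddress
import json

# Constructed sample of `aws ec2 describe-security-groups` output, modelled on the
# question's node security group; the group id and rule hash are placeholders.
SG_JSON = json.dumps({"SecurityGroups": [{"GroupId": "sg-PLACEHOLDER", "IpPermissions": [{
    "FromPort": 32163, "ToPort": 32163, "IpProtocol": "tcp",
    "IpRanges": [
        {"CidrIp": "10.20.0.0/20", "Description": "kubernetes.io/rule/nlb/health=PLACEHOLDER"},
        {"CidrIp": "0.0.0.0/0", "Description": "kubernetes.io/rule/nlb/client=PLACEHOLDER"},
    ],
    "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": [],
}]}]})

# The Service spec as it should look after the fix (the YAML loaded into a dict).
SERVICE_SPEC = {"type": "LoadBalancer", "loadBalancerSourceRanges": ["143.231.0.0/16"]}


def client_rules(sg_json):
    """Yield (cidr, from_port, to_port) for each NLB *client* rule in the group.

    Health-check rules (kubernetes.io/rule/nlb/health) are skipped: they must
    stay open to the VPC CIDR regardless of loadBalancerSourceRanges."""
    for group in json.loads(sg_json)["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            for rng in perm.get("IpRanges", []):
                if "kubernetes.io/rule/nlb/client" in rng.get("Description", ""):
                    yield rng["CidrIp"], perm["FromPort"], perm["ToPort"]


def check_source_ranges(sg_json, service_spec):
    """Return the client-rule CIDRs not covered by the Service's loadBalancerSourceRanges.

    An absent or empty loadBalancerSourceRanges means the controller allows
    0.0.0.0/0, so nothing is reported as drift in that case."""
    ranges = service_spec.get("loadBalancerSourceRanges") or ["0.0.0.0/0"]
    allowed = [ipaddress.ip_network(c) for c in ranges]
    drift = []
    for cidr, lo, hi in client_rules(sg_json):
        net = ipaddress.ip_network(cidr)
        covered = any(net.version == a.version and net.subnet_of(a) for a in allowed)
        if not covered:
            drift.append({"cidr": cidr, "ports": f"{lo}-{hi}"})
    return drift


if __name__ == "__main__":
    for finding in check_source_ranges(SG_JSON, SERVICE_SPEC):
        print(f"node SG still allows {finding['cidr']} on NodePort {finding['ports']}")
```

Against the sample, the check reports the 0.0.0.0/0 client rule on NodePort 32163 as drift; once the controller has rewritten the rule to 143.231.0.0/16, it returns an empty list.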