
Security group inbound rules wiped out and added 0.0.0.0/0 by eksclusterrole automatically

I have deployed an AWS EKS 2-node cluster (version 1.18). It contains some ELBs, microservices and a UI hosted on Kubernetes. The ELBs have their own security group. I modify the primary replica's security group's inbound rules manually to enable access to the DB for specific IPs (e.g. 117.123.111.99/32) on port 27017. However, I have noticed that after a couple of days an inbound rule automatically gets added for port 27017 - 0.0.0.0/0 and custom ICMP-IPv4 0.0.0.0/0 for all 3 mongo replica LoadBalancer security groups.

When I look at the logs in 'CloudTrail', it says that it was eksclusterrole:

                "type": "Role",
                "principalId": "blablabla",
                "arn": "arn:aws:iam::MyAccountId:role/eksclusterrole",
                "accountId": "MyAccountId",
                "userName": "eksclusterrole"
            },
            "webIdFederationData": {},
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "date"
            }
        },
        "invokedBy": "eks.amazonaws.com"
    },
    "eventTime": "date",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "AuthorizeSecurityGroupIngress",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "eks.amazonaws.com",
    "userAgent": "eks.amazonaws.com",
    "requestParameters": {
        "groupId": "sg-mysecurityid",
        "ipPermissions": {
            "items": [
                {
                    "ipProtocol": "icmp",
                    "fromPort": 3,
                    "toPort": 4,
                    "groups": {},
                    "ipRanges": {
                        "items": [
                            {
                                "cidrIp": "0.0.0.0/0"
                            }
                        ]
                    },
                    "ipv6Ranges": {},
                    "prefixListIds": {}
                },
                {
                    "ipProtocol": "tcp",
                    "fromPort": 27017,
                    "toPort": 27017,
                    "groups": {},
                    "ipRanges": {
                        "items": [
                            {
                                "cidrIp": "0.0.0.0/0"
                            }
                        ]
                    },
                    "ipv6Ranges": {},
                    "prefixListIds": {}
                }
            ]
        }
    }

From the Docs:

Amazon EKS adds one inbound rule to the node's security group for client traffic and one rule for each load balancer subnet in the VPC for health checks for each Network Load Balancer that you create.

It can be disabled (Docs):

service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules specifies whether the controller should automatically add the ingress rules to the instance/ENI security group.
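As an added example that is not part of the original question or answer, and not code from AWS or the Kubernetes project: a small Python checker that reads CloudTrail records shaped like the event quoted in the question and flags every AuthorizeSecurityGroupIngress call that opens a rule to 0.0.0.0/0 or ::/0. For each hit it reports the security group, the rule, the principal behind the session, and the invokedBy field, which is what tells you an AWS service (here eks.amazonaws.com) made the call with the role's credentials rather than a person. The sample records, the account ID 111122223333 and the group ID sg-0123456789abcdef0 are constructed placeholders.

```python
"""Flag CloudTrail AuthorizeSecurityGroupIngress calls that open a rule to the whole Internet.

Added example for this page; not code from the question, the answer, AWS or Kubernetes.
The records below are constructed to mirror the event quoted in the question; the
account ID and security group ID are placeholders.
"""
import ipaddress
import json

# Constructed sample records in CloudTrail's JSON shape.
SAMPLE_EVENTS = [
    {   # mirrors the question: the EKS cluster role, invoked by eks.amazonaws.com
        "eventTime": "2021-03-01T02:10:31Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/eksclusterrole/eks",
            "sessionContext": {
                "sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/eksclusterrole"},
            },
            "invokedBy": "eks.amazonaws.com",
        },
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                # ICMP type 3 / code 4: Destination Unreachable, Fragmentation Needed (path MTU discovery)
                {"ipProtocol": "icmp", "fromPort": 3, "toPort": 4,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {}},
                {"ipProtocol": "tcp", "fromPort": 27017, "toPort": 27017,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {}},
            ]},
        },
    },
    {   # an operator adding the narrow /32 rule the question describes: not a finding
        "eventTime": "2021-03-01T08:00:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dba"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 27017, "toPort": 27017,
                 "ipRanges": {"items": [{"cidrIp": "117.123.111.99/32"}]}, "ipv6Ranges": {}},
            ]},
        },
    },
]
SAMPLE_LOG = json.dumps({"Records": SAMPLE_EVENTS})   # the shape of a CloudTrail log file


def is_world_cidr(cidr):
    """True for a prefix of length 0 (0.0.0.0/0 or ::/0); False for anything else, including junk."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def _cidrs(permission):
    """Yield every IPv4 and IPv6 CIDR in one ipPermissions entry (either list may be absent)."""
    for key, field in (("ipRanges", "cidrIp"), ("ipv6Ranges", "cidrIpv6")):
        for entry in permission.get(key, {}).get("items", []):
            if field in entry:
                yield entry[field]


def _rule_label(permission):
    """'tcp/27017', 'icmp/3-4', or 'all' for protocol -1."""
    proto = permission.get("ipProtocol", "-1")
    if proto == "-1":
        return "all"
    lo, hi = permission.get("fromPort"), permission.get("toPort")
    if lo is None or hi is None:
        return proto
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def world_open_findings(event):
    """One finding per (rule, CIDR) pair that this AuthorizeSecurityGroupIngress call opened to the world."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress" or event.get("errorCode"):
        return []   # other API calls, and calls that were denied or failed, changed nothing
    ident = event.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    params = event.get("requestParameters", {})
    findings = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        for cidr in _cidrs(perm):
            if is_world_cidr(cidr):
                findings.append({
                    "eventTime": event.get("eventTime"),
                    "groupId": params.get("groupId"),
                    "rule": _rule_label(perm),
                    "cidr": cidr,
                    "principal": issuer.get("arn") or ident.get("arn", "unknown"),
                    "invokedBy": ident.get("invokedBy", ""),   # set when an AWS service used the role
                })
    return findings


def scan(events):
    return [f for event in events for f in world_open_findings(event)]


def load_records(text):
    """Accept a CloudTrail log file ({"Records": [...]}), a list of records, or a single record."""
    data = json.loads(text)
    if isinstance(data, dict) and "Records" in data:
        return data["Records"]
    return [data] if isinstance(data, dict) else list(data)


if __name__ == "__main__":
    for f in scan(load_records(SAMPLE_LOG)):
        print(f"{f['eventTime']} {f['groupId']} {f['rule']} from {f['cidr']} "
              f"by {f['principal']} (invokedBy={f['invokedBy'] or 'none'})")
```

Run against real trail files, the two findings for the constructed EKS record are exactly the 0.0.0.0/0 rules the question describes (tcp/27017 and icmp/3-4), and the operator's /32 rule is correctly ignored. A rule the controller keeps reconciling back will keep reappearing in the trail with invokedBy set to eks.amazonaws.com, so this check is a useful complement to setting the annotation above, not a substitute for it.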

Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you repost, please cite this site's URL or the original article's URL. For any questions contact: yoyou2525@163.com.

 
Guangdong ICP Filing No. 18138465  © 2020-2024 STACKOOM.COM