Security group inbound rules wiped out and added 0.0.0.0/0 by eksclusterrole automatically
I have deployed an AWS EKS 2-node cluster (version 1.18). It contains some ELBs, microservices and a UI hosted on Kubernetes. The ELBs have their own security group. I modify the primary replica's security group's inbound rules manually to enable access to the DB for specific IPs (e.g. 117.123.111.99/32) on port 27017. However, I have noticed that after a couple of days an inbound rule automatically gets added for port 27017 - 0.0.0.0/0 and custom ICMP-IPv4 0.0.0.0/0 for all 3 mongo replica LoadBalancer security groups.
When I look at the logs in 'CloudTrail', it says that eksclusterrole:
        "type": "Role",
        "principalId": "blablabla",
        "arn": "arn:aws:iam::MyAccountId:role/eksclusterrole",
        "accountId": "MyAccountId",
        "userName": "eksclusterrole"
      },
      "webIdFederationData": {},
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "date"
      }
    },
    "invokedBy": "eks.amazonaws.com"
  },
  "eventTime": "date",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress",
  "awsRegion": "us-east-2",
  "sourceIPAddress": "eks.amazonaws.com",
  "userAgent": "eks.amazonaws.com",
  "requestParameters": {
    "groupId": "sg-mysecurityid",
    "ipPermissions": {
      "items": [
        {
          "ipProtocol": "icmp",
          "fromPort": 3,
          "toPort": 4,
          "groups": {},
          "ipRanges": {
            "items": [
              {
                "cidrIp": "0.0.0.0/0"
              }
            ]
          },
          "ipv6Ranges": {},
          "prefixListIds": {}
        },
        {
          "ipProtocol": "tcp",
          "fromPort": 27017,
          "toPort": 27017,
          "groups": {},
          "ipRanges": {
            "items": [
              {
                "cidrIp": "0.0.0.0/0"
              }
            ]
          },
          "ipv6Ranges": {},
          "prefixListIds": {}
        }
      ]
    }
  }
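A way to turn a CloudTrail record like the one above into a finding, as an added example that is not code from the post, from AWS or from Kubernetes. It assumes CloudTrail's usual field layout (eventName, userIdentity.invokedBy, userIdentity.sessionContext.sessionIssuer, requestParameters.ipPermissions.items), uses an assumed list of sensitive ports, and runs over two constructed sample records (one shaped like the poster's, one an ordinary /32 allow-list) so it works offline:

```python
"""Triage CloudTrail AuthorizeSecurityGroupIngress events for world-open rules.

Added example (not code from the post or from AWS). It reports each permission
whose source is 0.0.0.0/0 or ::/0, rates it by port sensitivity, and records
whether the call came from a human principal or from an AWS service acting on
the principal's behalf (userIdentity.invokedBy), which is what separates
"the platform re-applied its own rule" from "someone opened the port".
"""
import json

# Ports treated as high risk when exposed to the world (assumed list; tune it).
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379, 27017}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _items(node):
    """CloudTrail wraps lists as {"items": [...]}; accept a bare list or None too."""
    if node is None:
        return []
    return node.get("items", []) if isinstance(node, dict) else node


def world_open_rules(event):
    """Return (protocol, fromPort, toPort, cidr) for each permission in an
    AuthorizeSecurityGroupIngress event whose source CIDR is world-open."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    found = []
    params = event.get("requestParameters") or {}
    for perm in _items(params.get("ipPermissions")):
        proto, lo, hi = perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")
        cidrs = [r.get("cidrIp") for r in _items(perm.get("ipRanges"))]
        cidrs += [r.get("cidrIpv6") for r in _items(perm.get("ipv6Ranges"))]
        found.extend((proto, lo, hi, c) for c in cidrs if c in WORLD_CIDRS)
    return found


def is_sensitive(rule):
    """All-protocols (-1) or a TCP/UDP range covering a sensitive port is high
    risk. ICMP (e.g. type 3 / code 4, as in the post) is reported but not
    rated high on its own."""
    proto, lo, hi, _ = rule
    if proto == "-1":
        return True
    if proto in ("tcp", "udp") and lo is not None and hi is not None:
        return any(lo <= p <= hi for p in SENSITIVE_PORTS)
    return False


def actor(event):
    """Name the caller; append the AWS service when the call was made on the
    principal's behalf (userIdentity.invokedBy), e.g. eks.amazonaws.com."""
    ident = event.get("userIdentity") or {}
    issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
    name = issuer.get("userName") or ident.get("userName") or ident.get("arn", "unknown")
    invoked_by = ident.get("invokedBy")
    return f"{name} via {invoked_by}" if invoked_by else name


def triage(events):
    """Return one finding per event that added at least one world-open rule."""
    findings = []
    for ev in events:
        rules = world_open_rules(ev)
        if not rules:
            continue
        findings.append({
            "groupId": (ev.get("requestParameters") or {}).get("groupId"),
            "actor": actor(ev),
            "automated": bool((ev.get("userIdentity") or {}).get("invokedBy")),
            "rules": rules,
            "severity": "high" if any(is_sensitive(r) for r in rules) else "low",
        })
    return findings


def _ranges(cidr):
    """Build the ipRanges structure for a single CIDR (test-data helper)."""
    return {"items": [{"cidrIp": cidr}]}


# Constructed sample records; the first mirrors the shape of the one in the post.
SAMPLE_EVENTS = [
    {
        "eventName": "AuthorizeSecurityGroupIngress",
        "eventSource": "ec2.amazonaws.com",
        "userIdentity": {
            "type": "AssumedRole",
            "invokedBy": "eks.amazonaws.com",
            "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "eksclusterrole"}},
        },
        "requestParameters": {
            "groupId": "sg-EXAMPLE0001",  # placeholder, not a real group id
            "ipPermissions": {"items": [
                {"ipProtocol": "icmp", "fromPort": 3, "toPort": 4, "ipRanges": _ranges("0.0.0.0/0")},
                {"ipProtocol": "tcp", "fromPort": 27017, "toPort": 27017, "ipRanges": _ranges("0.0.0.0/0")},
            ]},
        },
    },
    {   # An operator allow-listing one address: must not be reported.
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": "IAMUser", "userName": "dba-alice"},
        "requestParameters": {
            "groupId": "sg-EXAMPLE0001",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 27017, "toPort": 27017, "ipRanges": _ranges("203.0.113.7/32")},
            ]},
        },
    },
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

The "automated" flag is the useful part for this thread: a world-open rule whose record carries invokedBy for an AWS service is the platform applying its own rules, which hand edits to the group will not stop, whereas the same rule written by an IAM user is a change to investigate.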
Amazon EKS adds one inbound rule to the node's security group for client traffic and one rule for each load balancer subnet in the VPC for health checks for each Network Load Balancer that you create.
service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules specifies whether the controller should automatically add the ingress rules to the instance/ENI security group.