Defining a custom loadBalancerSourceRanges in a AWS NLB service is not respected #57212
Comments
/assign @micahhausler
@aledbf: GitHub didn't allow me to assign the following users: micahhausler. Note that only kubernetes members can be assigned. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/sig aws
ping @micahhausler
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/remove-lifecycle stale
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/remove-lifecycle stale
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
NLBs don't have security groups, as a general rule of AWS.
/remove-lifecycle stale
If you wanted to accomplish this with the NLB, k8s would have to manipulate the security groups of the nodes themselves.
That is what the controller does right now: edit the security groups of the nodes.
Do you mean that's how it handles the classic ELB LoadBalancer Service types? Because it changes the rules on the SGs on the ELB for that. Or do you mean something else? (Forgive my ignorance, I'm merely trying to be helpful)
You are right, NLBs do not have Security Groups. The current NLB controller opens up the nodePort on the nodes' security group to Classic ELBs do have security groups; that is not covered in this issue.
Gotcha, thanks, sorry for the distraction.
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
tl;dr - The current controller doesn't seem to reconcile updates to the
Initial Deployment
Our initial deployment did not include any restrictions via
Resultant Security Group Ingress Rules
Update - Add Net New
/remove-lifecycle stale
I'm working on a fix for this; it should be available nearly next week.
/assign @M00nF1sh
Hi @M00nF1sh, thank you for the PR. Do you know when it's expected to be merged and available to test? I'm anxiously awaiting this merge so we can use elastic IPs to offer static addresses to our web clients. Currently we use ELBs along with a pod annotation to assign an additional handcrafted security group containing our whitelist. The update in this ticket will allow us to trust that loadBalancerSourceRanges in our helm values are propagated to the node SG. I'm wondering what happens if 5 NLBs point to the same worker nodes, each using 2 ports, and each NLB service contains 15 loadBalancerSourceRanges. This would make 5 x 2 x 15 = 150 rules in a single SG. A single SG can't contain them all, and I assume it will fail to add the SG rules beyond the maximum. I'm curious if the failure would be silent or if the failure to add all SG rules would cause the service to fail creation. AWS documentation says I can get the number of rules per SG increased (default 60), and I can increase or decrease the maximum number of SGs allowed to be attached to a network interface, but this limit applies across the entire AWS account, so I need to consider other non-k8s deployments in our AWS account that rely on using 5 attached SGs. This tells me I can ask AWS to increase the number of rules-per-SG to 200 without decreasing from the 5 SGs per interface we use elsewhere. Thank you,
@jrnt30 - Your Jan 30 post in this issue should win an award.
+1 to @tewing-riffyn's question about when @M00nF1sh's PR will be ready for use in EKS.
Is this a BUG REPORT or FEATURE REQUEST?:
/kind bug
What happened:
Creating an NLB service with a custom loadBalancerSourceRanges is not respected.
What you expected to happen:
The security group should be created with the defined range and not 0.0.0.0/0.
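An added example (not code from this issue or from the Kubernetes AWS cloud provider) that audits the condition the report describes: given a Service's loadBalancerSourceRanges and the node security group's ingress rules in the shape EC2 DescribeSecurityGroups returns, it flags each nodePort that admits a CIDR outside the declared ranges, and it also computes the rule count for the 5 x 2 x 15 layout raised in the thread against the default per-SG quota. The Service, the SG rules and the quota value are constructed sample data.

```python
import ipaddress

# Constructed sample: an NLB-type LoadBalancer Service with restricted
# source ranges, as in the issue.
SERVICE = {
    "metadata": {"name": "web", "annotations": {
        "service.beta.kubernetes.io/aws-load-balancer-type": "nlb"}},
    "spec": {
        "type": "LoadBalancer",
        "loadBalancerSourceRanges": ["203.0.113.0/24", "198.51.100.0/24"],
        "ports": [{"port": 443, "nodePort": 31443, "protocol": "TCP"},
                  {"port": 80, "nodePort": 31080, "protocol": "TCP"}],
    },
}

# Constructed sample: node SG ingress rules (IpPermissions shape). Port 31443
# is open to the world, reproducing the bug; port 31080 is restricted correctly.
NODE_SG_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 31443, "ToPort": 31443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 31080, "ToPort": 31080,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "198.51.100.0/24"}]},
]

def audit_node_sg(service, ingress):
    """Return {nodePort: [offending CIDRs]} for every Service nodePort whose
    SG rule admits a CIDR not contained in loadBalancerSourceRanges."""
    spec = service["spec"]
    allowed = [ipaddress.ip_network(c)
               for c in spec.get("loadBalancerSourceRanges", ["0.0.0.0/0"])]
    findings = {}
    for p in spec["ports"]:
        node_port = p["nodePort"]
        for rule in ingress:
            if rule["IpProtocol"] != p.get("protocol", "TCP").lower():
                continue
            if not (rule["FromPort"] <= node_port <= rule["ToPort"]):
                continue
            for r in rule.get("IpRanges", []):
                cidr = ipaddress.ip_network(r["CidrIp"])
                # subnet_of only compares networks of the same IP version
                if not any(a.version == cidr.version and cidr.subnet_of(a)
                           for a in allowed):
                    findings.setdefault(node_port, []).append(r["CidrIp"])
    return findings

def rules_needed(n_services, ports_per_service, n_ranges, quota=60):
    """Ingress rules the shared node SG needs for this layout, and whether
    that exceeds the per-SG quota (60 is the default quoted in the thread)."""
    needed = n_services * ports_per_service * n_ranges
    return needed, needed > quota
```

Running audit_node_sg against live data would mean feeding it the Service from the API server and the node SG's IpPermissions from EC2; the shapes used here match both.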