Ingress-nginx: [FEATURE REQUEST] AWS ELB - Ability to control auto generated Security Group or whitelist ELB level

Created on 17 Apr 2019 · 4 Comments · Source: kubernetes/ingress-nginx

NGINX Ingress controller version: 0.23.0

Kubernetes version (use kubectl version): 1.10.3

Cloud provider or hardware configuration: AWS EKS

What happened:
I used the setup guidelines from https://kubernetes.github.io/ingress-nginx/deploy/. When I provision an L7 ELB with the ingress-nginx Service, it creates an ELB in the AWS VPC with an auto-generated security group. The inbound security rule on the SG allows all incoming traffic onto HTTPS.

What you expected to happen:
I want to control the whitelisting at the ELB level via some config or annotations.

How to reproduce it (as minimally and precisely as possible):
Setup guidelines for AWS: https://kubernetes.github.io/ingress-nginx/deploy/#aws

Anything else we need to know:
I am able to set up whitelisting on the Ingress, but the VPC is exposed to all outside traffic.

All 4 comments

@dragonknight88 ingress-nginx doesn't create any cloud resource. This is done by Kubernetes, like any other service type=LoadBalancer.
Please check service.beta.kubernetes.io/aws-load-balancer-extra-security-groups

@aledbf This allows adding an extra security group. However, when two security groups are added, one with restrictions and the other unrestricted, it's still open to all traffic.

This extra SG annotation does not work on an auto-generated LB.
Adding the below on the LB solved it for me:

loadBalancerSourceRanges:
  - <cidr>
  - <cidr>
  ...

I was trying to find anything I could regarding this, as the ingress-nginx documentation wasn't super clear. I was able to figure it out by using the annotations as @aledbf talked about. I was using helm to deploy this.

helm install ingress-nginx ingress-nginx/ingress-nginx -f values.yaml

Example of replacing security groups:

# values.yaml
controller:
  service:
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-security-groups: "sg-1a2b3c4d"  # comma separated to add multiple

Example of adding extra security groups:

# values.yaml
controller:
  service:
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-extra-security-groups: "sg-1a2b3c4d"  # comma separated to add multiple
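
Added example, not part of the original thread or of ingress-nginx: a simplified Python model of why attaching an extra restrictive security group leaves the ELB open (security group rules are allow-only and combine as a union), plus a check that flags a `type: LoadBalancer` Service without `loadBalancerSourceRanges`. The rule tuples, function names and sample manifests are constructed for illustration; real security group rules also carry protocol and port ranges.

```python
import ipaddress

# Constructed sample rules: each security group is a list of (port, cidr) allow rules.
AUTO_SG = [(443, "0.0.0.0/0")]        # auto-generated SG: HTTPS open to everyone
EXTRA_SG = [(443, "203.0.113.0/24")]  # restrictive SG added via the extra-SG annotation

def allowed(security_groups, src_ip, port):
    """Allow-only semantics: traffic passes if ANY rule in ANY attached group matches."""
    ip = ipaddress.ip_address(src_ip)
    return any(
        p == port and ip in ipaddress.ip_network(cidr)
        for sg in security_groups
        for p, cidr in sg
    )

def audit_service(svc):
    """Return findings for a Service manifest (as a dict) about LB source restrictions."""
    spec = svc.get("spec", {})
    if spec.get("type") != "LoadBalancer":
        return []
    ranges = spec.get("loadBalancerSourceRanges") or []
    findings = []
    if not ranges:
        # Kubernetes treats a missing list as 0.0.0.0/0.
        findings.append("no loadBalancerSourceRanges: load balancer accepts any source")
    for cidr in ranges:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"invalid CIDR: {cidr}")
            continue
        if net.prefixlen == 0:
            findings.append(f"{cidr} matches every address")
    return findings

# Constructed sample manifests (hypothetical names).
OPEN_SVC = {"metadata": {"name": "ingress-nginx"}, "spec": {"type": "LoadBalancer"}}
RESTRICTED_SVC = {
    "metadata": {"name": "ingress-nginx"},
    "spec": {"type": "LoadBalancer", "loadBalancerSourceRanges": ["203.0.113.0/24"]},
}

if __name__ == "__main__":
    # An outside address still gets in while the open auto-generated SG is attached.
    print(allowed([AUTO_SG, EXTRA_SG], "198.51.100.7", 443))
    print(audit_service(OPEN_SVC))
    print(audit_service(RESTRICTED_SVC))
```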