
Security Group Inbound is automatically set to open 0.0.0.0

Open Rishabh-Hupr opened this issue 1 year ago • 3 comments

Hi Team

Based on the line below, https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/9b4999b63ca90c53fb3dbe3c823b8ca7fa84ba3d/docs/guide/service/annotations.md?plain=1#L431, it mentions that if the Service object has the annotation service.beta.kubernetes.io/aws-load-balancer-scheme: internal, then the source ranges for the LB will be the VPC CIDR; it's the same for v2.7 and v2.6. However, it doesn't seem to be working.

I created a service of type LoadBalancer and had the same annotation in there (tried with both v2.7.2 and v2.6.2 LBC versions). I spun an internal NLB up; however, one of the SGs related to the NLB was allowing traffic from 0.0.0.0/0, which is not desirable. One would think that the doc mentioning 👇🏻 would have its effect, but it is certainly not working in this case.

  • The VPC CIDR will be used if service.beta.kubernetes.io/aws-load-balancer-scheme is internal

service.yaml 👇🏻

apiVersion: v1
kind: Service
metadata:
  creationTimestamp: null
  namespace: kube-system
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-scheme: internal
  labels:
    app: web
  name: web
spec:
  ports:
  - port: 8080
    protocol: TCP
    targetPort: 80
  selector:
    app: web
  type: LoadBalancer

NO ERRORS SPOTTED IN LBC DEPLOYMENT

Can we get a clarification why this is not working as expected? And if so, can we get a fix?

I can provide more details if needed.

Rishabh-Hupr avatar May 17 '24 16:05 Rishabh-Hupr

I can confirm the same behaviour.

uditsidana avatar May 17 '24 16:05 uditsidana

@Rishabh-Hupr, @uditsidana, can you check if the annotation service.beta.kubernetes.io/load-balancer-source-ranges or spec.loadBalancerSourceRanges works in your case to restrict the range? Check our live doc for more details: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/#access-control

oliviassss avatar May 17 '24 18:05 oliviassss

@oliviassss No issues applying the ranges using the annotation or spec.loadBalancerSourceRanges. Works perfectly; we just wanted to highlight a particular behaviour as mentioned in the docs.

uditsidana avatar May 20 '24 12:05 uditsidana

Thanks, looks like a flaw in the doc, I will double check and fix. /kind documentation

oliviassss avatar May 22 '24 19:05 oliviassss

Looks like this was not fixed, but also the docs are not fixed. This is very misleading.

ezraroi avatar Jul 17 '24 07:07 ezraroi

I think it's a miss in buildCIDRsFromSourceRanges(): there's no check for the lb scheme, and the default is open to all. https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/pkg/service/model_build_managed_sg.go#L118

oliviassss avatar Jul 17 '24 19:07 oliviassss
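The thread above describes two things: the precedence the docs promise (explicit source ranges, else the VPC CIDR for an internal scheme, else 0.0.0.0/0) and the gap in the controller where the scheme is never consulted. The following Go program is an added example, not code from the controller project or from any participant in this thread; it models that documented precedence as a standalone function and pairs it with an audit helper that flags a managed security group whose inbound rules admit the whole internet even though the Service is internal. The `ServiceSpec` and `SGRule` types, the VPC CIDR `10.0.0.0/16`, and the sample rules are constructed for this example; the assumption that the source-ranges annotation is a comma-separated list follows the controller's annotation docs linked above.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// ServiceSpec holds the three inputs from the Service object that decide the
// inbound CIDRs (constructed type for this example, not the controller's own).
type ServiceSpec struct {
	SourceRangesAnnotation   string   // service.beta.kubernetes.io/load-balancer-source-ranges (comma-separated)
	LoadBalancerSourceRanges []string // spec.loadBalancerSourceRanges
	Scheme                   string   // service.beta.kubernetes.io/aws-load-balancer-scheme
}

// ResolveIngressCIDRs applies the precedence the docs describe: explicit
// ranges win, an internal scheme falls back to the VPC CIDR, and only an
// internet-facing LB with nothing else set opens 0.0.0.0/0. Each CIDR is
// validated and normalised so a typo cannot silently widen the rule.
func ResolveIngressCIDRs(svc ServiceSpec, vpcCIDR string) ([]string, error) {
	var raw []string
	switch {
	case strings.TrimSpace(svc.SourceRangesAnnotation) != "":
		raw = strings.Split(svc.SourceRangesAnnotation, ",")
	case len(svc.LoadBalancerSourceRanges) > 0:
		raw = svc.LoadBalancerSourceRanges
	case svc.Scheme == "internal":
		raw = []string{vpcCIDR} // the branch the reporter expected and did not get
	default:
		raw = []string{"0.0.0.0/0"}
	}
	out := make([]string, 0, len(raw))
	for _, c := range raw {
		p, err := netip.ParsePrefix(strings.TrimSpace(c))
		if err != nil {
			return nil, fmt.Errorf("invalid source range %q: %w", c, err)
		}
		out = append(out, p.Masked().String())
	}
	return out, nil
}

// SGRule is a flattened ingress rule as one would read it from
// describe-security-groups (constructed type for this example).
type SGRule struct {
	Protocol string
	FromPort int
	ToPort   int
	CIDR     string
}

// AuditInternalLB returns one finding per ingress rule of an internal LB's
// managed security group that is open to the whole internet (0.0.0.0/0 or ::/0).
// Internet-facing LBs are out of scope here, so they produce no findings.
func AuditInternalLB(scheme string, rules []SGRule) []string {
	if scheme != "internal" {
		return nil
	}
	var findings []string
	for _, r := range rules {
		p, err := netip.ParsePrefix(r.CIDR)
		if err != nil {
			continue // a malformed CIDR is not an open rule
		}
		if p.Bits() == 0 {
			findings = append(findings, fmt.Sprintf("%s %d-%d open to %s on internal LB", r.Protocol, r.FromPort, r.ToPort, r.CIDR))
		}
	}
	return findings
}

func main() {
	// Constructed inputs mirroring the reporter's Service: internal scheme, no explicit ranges.
	svc := ServiceSpec{Scheme: "internal"}
	cidrs, err := ResolveIngressCIDRs(svc, "10.0.0.0/16")
	fmt.Println("expected inbound CIDRs:", cidrs, err)

	// Constructed snapshot of what the controller actually rendered in the report.
	rendered := []SGRule{{Protocol: "tcp", FromPort: 8080, ToPort: 8080, CIDR: "0.0.0.0/0"}}
	for _, f := range AuditInternalLB(svc.Scheme, rendered) {
		fmt.Println("finding:", f)
	}
}
```

`ResolveIngressCIDRs` is the behaviour a reader can set against `buildCIDRsFromSourceRanges()` when reviewing the fix; `AuditInternalLB` is the check to run over existing security groups, since the workaround in this thread (setting `spec.loadBalancerSourceRanges`) only helps Services that were updated after the issue was noticed.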

/assign

henriquesantanati avatar Dec 30 '24 12:12 henriquesantanati