
Support for optionally enforcing NLB security groups on PrivateLink traffic

Open omallo opened this issue 1 year ago • 5 comments

Is your feature request related to a problem? I would like to be able to leverage this AWS feature which allows me to configure whether NLB security groups should block PrivateLink traffic or not, so that I can easily limit incoming traffic on an NLB to PrivateLink connections while blocking any other traffic. Achieving this is not easily possible without the mentioned feature, as described here.

Describe the solution you'd like I would like the AWS Load Balancer controller to support a new annotation on a Kubernetes LoadBalancer service which allows me to enable/disable the enforcement of NLB security groups on PrivateLink traffic. Such a boolean valued annotation would map 1:1 to the corresponding AWS functionality.

Describe alternatives you've considered No satisfying alternative solution to the described problem was found.

omallo avatar Sep 13 '23 21:09 omallo

Up

The creation of an annotation, for example: service.beta.kubernetes.io/aws-load-balancer-enforce-security-groups-rules: true/false

  • and the use of AWS SDK in: https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2#Client.ModifyLoadBalancerAttributes

https://github.com/aws/aws-sdk-go-v2/blob/service/elasticloadbalancingv2/v1.24.2/service/elasticloadbalancingv2/api_op_SetSecurityGroups.go#L51

Maybe this can help to create a function for this purpose.

lteixeira-dock avatar Nov 16 '23 16:11 lteixeira-dock
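As an added illustration (not code from the aws-load-balancer-controller project), the sketch below shows how the proposed annotation could be translated into the ELBv2 SetSecurityGroups attribute `EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic`, whose values are `on` and `off`. The annotation name is the one proposed in this thread, not the name that eventually shipped; the default of `on` when the annotation is absent, and the `ObservedSecurityGroups`/`SetSecurityGroupsRequest` types that stand in for the SDK's describe result and `SetSecurityGroupsInput`, are assumptions made here so the example runs with the standard library only.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Annotation name as proposed in this issue thread (assumption: not the name shipped in v2.8.0).
const enforceAnnotation = "service.beta.kubernetes.io/aws-load-balancer-enforce-security-groups-rules"

// Values of the ELBv2 attribute EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic.
const (
	EnforceOn  = "on"
	EnforceOff = "off"
)

// Assumed default when the annotation is absent: keep security group rules applied to
// PrivateLink traffic, so a missing annotation never silently relaxes the security group.
const DefaultEnforce = EnforceOn

// ResolveEnforcement maps the boolean-valued annotation to the ELBv2 attribute value.
// It also accepts the AWS spelling (on/off) so the annotation mirrors the API 1:1.
func ResolveEnforcement(annotations map[string]string) (string, error) {
	raw, ok := annotations[enforceAnnotation]
	if !ok {
		return DefaultEnforce, nil
	}
	v := strings.ToLower(strings.TrimSpace(raw))
	switch v {
	case EnforceOn:
		return EnforceOn, nil
	case EnforceOff:
		return EnforceOff, nil
	}
	b, err := strconv.ParseBool(v)
	if err != nil {
		return "", fmt.Errorf("annotation %s: invalid value %q (want true/false or on/off)", enforceAnnotation, raw)
	}
	if b {
		return EnforceOn, nil
	}
	return EnforceOff, nil
}

// ObservedSecurityGroups stands in for the relevant fields of a DescribeLoadBalancers result (assumed shape).
type ObservedSecurityGroups struct {
	SecurityGroups []string
	Enforce        string
}

// SetSecurityGroupsRequest stands in for the fields the controller would fill in the SDK's
// SetSecurityGroupsInput: LoadBalancerArn, SecurityGroups and the enforcement attribute (assumed shape).
type SetSecurityGroupsRequest struct {
	LoadBalancerArn string
	SecurityGroups  []string
	Enforce         string
}

// PlanSecurityGroupUpdate returns the SetSecurityGroups call needed to reach the desired state,
// or nil when the observed state already matches, so a reconcile loop issues no no-op API calls.
func PlanSecurityGroupUpdate(lbARN string, observed ObservedSecurityGroups, desiredSGs []string, annotations map[string]string) (*SetSecurityGroupsRequest, error) {
	desiredEnforce, err := ResolveEnforcement(annotations)
	if err != nil {
		return nil, err
	}
	if sameSet(observed.SecurityGroups, desiredSGs) && observed.Enforce == desiredEnforce {
		return nil, nil
	}
	return &SetSecurityGroupsRequest{LoadBalancerArn: lbARN, SecurityGroups: desiredSGs, Enforce: desiredEnforce}, nil
}

// sameSet compares two security group lists ignoring order.
func sameSet(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	seen := make(map[string]int, len(a))
	for _, s := range a {
		seen[s]++
	}
	for _, s := range b {
		if seen[s] == 0 {
			return false
		}
		seen[s]--
	}
	return true
}

func main() {
	// Constructed sample: the NLB currently enforces SG rules on PrivateLink traffic,
	// and the Service asks to turn enforcement off (the case described in this thread).
	observed := ObservedSecurityGroups{SecurityGroups: []string{"sg-0123456789abcdef0"}, Enforce: EnforceOn}
	annotations := map[string]string{enforceAnnotation: "false"}
	req, err := PlanSecurityGroupUpdate("arn:aws:elasticloadbalancing:example", observed, observed.SecurityGroups, annotations)
	fmt.Printf("request=%+v err=%v\n", req, err)
}
```

With enforcement set to `off`, the security group still governs all non-PrivateLink sources, which is what allows an NLB to be restricted to PrivateLink (or API Gateway VPC Link) traffic while `load-balancer-source-ranges` blocks everything else.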

We are facing the same issue. We are using VPCLink to route traffic from apigw to my internal NLB. AWS LB Controller is creating the NLB, and I use the "service.beta.kubernetes.io/load-balancer-source-ranges" annotation (https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/service/annotations/#lb-source-ranges). I'm using an internal NLB and whitelisting apigw IPs is not helping here.

I had to set "Enforce inbound rules on PrivateLink traffic" to "off" in NLB Security configuration to allow traffic from apigw.

jawanjalShiva avatar Dec 06 '23 04:12 jawanjalShiva

facing the same issue here

Puneeth-n avatar Dec 11 '23 19:12 Puneeth-n

@oliviassss I'd like to work on this feature

veekaly avatar Dec 18 '23 16:12 veekaly

@veekaly Thank you for showing interest in picking up this issue. Do you have any updates on this?

shraddhabang avatar Feb 02 '24 21:02 shraddhabang

Delivered in v2.8.0

shraddhabang avatar May 20 '24 18:05 shraddhabang