
Security Group Inbound is automatically set to open 0.0.0.0

Open Rishabh-Hupr opened this issue 9 months ago • 3 comments

Hi Team

Based on the line below, https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/9b4999b63ca90c53fb3dbe3c823b8ca7fa84ba3d/docs/guide/service/annotations.md?plain=1#L431, it mentions that if the Service object has the annotation service.beta.kubernetes.io/aws-load-balancer-scheme: internal, then the source ranges for the LB will be the VPC CIDR; it's the same for v2.7 and v2.6. However, it doesn't seem to be working.

I created a service of type LoadBalancer and had the same annotation in there (tried with both v2.7.2 and v2.6.2 LBC versions). I spun an internal NLB up; however, one of the SGs related to the NLB was allowing traffic from 0.0.0.0/0, which is not desirable. One would think that the doc mentioning 👇🏻 would have its effect, but it is certainly not working in this case.

  • The VPC CIDR will be used if service.beta.kubernetes.io/aws-load-balancer-scheme is internal

service.yaml 👇🏻

apiVersion: v1
kind: Service
metadata:
  creationTimestamp: null
  namespace: kube-system
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-scheme: internal
  labels:
    app: web
  name: web
spec:
  ports:
  - port: 8080
    protocol: TCP
    targetPort: 80
  selector:
    app: web
  type: LoadBalancer

NO ERRORS SPOTTED IN LBC DEPLOYMENT

Can we get a clarification why this is not working as expected? And if so, can we get a fix?

I can provide more details if needed.

Rishabh-Hupr · May 17 '24 16:05
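The two things a cluster operator wants here are a check that catches the condition the issue describes (a security group attached to an internal NLB that admits 0.0.0.0/0) and a way to stop depending on the scheme fallback by pinning source ranges explicitly in the Service spec. The script below is an added example written for this page; it is not code from the issue author or from the aws-load-balancer-controller project. It assumes the JSON shape returned by `aws ec2 describe-security-groups` (trimmed to the fields used), a constructed VPC CIDR of 10.0.0.0/16, and constructed group IDs; it uses the standard Kubernetes `spec.loadBalancerSourceRanges` field for the mitigation.

```python
import copy
import ipaddress
import json
from typing import Dict, List

# Constructed sample in the shape of `aws ec2 describe-security-groups` output,
# trimmed to the fields the check needs. Group IDs, names and CIDRs are made up.
SAMPLE_DESCRIBE_SG = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0aaa111",
            "GroupName": "k8s-kubesyst-web-frontend",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
            ],
        },
        {
            "GroupId": "sg-0bbb222",
            "GroupName": "k8s-traffic-cluster-shared",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                 "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}
            ],
        },
    ]
})

VPC_CIDR = "10.0.0.0/16"  # constructed; in practice taken from `aws ec2 describe-vpcs`

# The Service from the issue, as a dict (same fields as the posted service.yaml).
SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {
        "name": "web",
        "namespace": "kube-system",
        "labels": {"app": "web"},
        "annotations": {"service.beta.kubernetes.io/aws-load-balancer-scheme": "internal"},
    },
    "spec": {
        "type": "LoadBalancer",
        "selector": {"app": "web"},
        "ports": [{"port": 8080, "protocol": "TCP", "targetPort": 80}],
    },
}


def find_overly_open_ingress(describe_sg_json: str, vpc_cidr: str) -> List[Dict]:
    """Return every ingress rule whose source block is not inside the VPC CIDR.

    For an internal load balancer, any source outside the VPC (0.0.0.0/0, ::/0,
    or a wider corporate range) is a finding worth reviewing.
    """
    vpc_net = ipaddress.ip_network(vpc_cidr)
    findings = []
    for sg in json.loads(describe_sg_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                net = ipaddress.ip_network(cidr)
                # subnet_of() only compares same-version networks, so an IPv6
                # source on an IPv4 VPC is treated as "not inside the VPC".
                inside_vpc = net.version == vpc_net.version and net.subnet_of(vpc_net)
                if not inside_vpc:
                    findings.append({
                        "GroupId": sg["GroupId"],
                        "GroupName": sg["GroupName"],
                        "Protocol": perm["IpProtocol"],
                        "FromPort": perm.get("FromPort"),
                        "ToPort": perm.get("ToPort"),
                        "Source": cidr,
                    })
    return findings


def pin_source_ranges(service: Dict, cidrs: List[str]) -> Dict:
    """Return a copy of the Service with spec.loadBalancerSourceRanges set.

    Setting the field explicitly means the controller builds SG ingress from
    these ranges instead of relying on the scheme-based fallback.
    """
    for cidr in cidrs:
        ipaddress.ip_network(cidr)  # raises ValueError on a malformed range
    pinned = copy.deepcopy(service)
    pinned.setdefault("spec", {})["loadBalancerSourceRanges"] = list(cidrs)
    return pinned


if __name__ == "__main__":
    for finding in find_overly_open_ingress(SAMPLE_DESCRIBE_SG, VPC_CIDR):
        print("open ingress:", finding)
    print(json.dumps(pin_source_ranges(SERVICE, [VPC_CIDR])["spec"], indent=2))
```

Run it against real output by replacing `SAMPLE_DESCRIBE_SG` with the JSON from `aws ec2 describe-security-groups` filtered to the groups attached to the NLB, and `VPC_CIDR` with the VPC's actual range. Pinning `spec.loadBalancerSourceRanges` is the defensive default regardless of whether the scheme fallback behaves as documented, because the intended ingress is then visible in the manifest itself.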