ingress-nginx
support for AWS Network Load Balancer attaching sec groups in upcoming version
support the recent change of Network Load Balancer now supports security groups:
https://aws.amazon.com/about-aws/whats-new/2023/08/network-load-balancer-supports-security-groups/#:~:text=Network%20Load%20Balancers%20(NLB)%20now,centrally%20enforce%20access%20control%20policies
Describe the solution you'd like
nlb.ingress.kubernetes.io/security-groups: sg-xxxx, nameOfSg1, nameOfSg2
This issue is currently awaiting triage.
If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.
The triage/accepted label can be added by org members by writing /triage accepted in a comment.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
this would be amazing, and save me from having to migrate to AWS LB controller!
Same here, as for now it blocks using internal NLB and Global Accelerator in AWS
Same here. Would be great to be able to use sg with ingress-nginx.
Do we know when this can happen? its now blocking to use nlb with ingress controller
It will be a really valuable new feature to be able to use security groups on NLBs with the ingress controller. We can prevent port probes with that very easily.
This feature would be great to have! It would help many use cases.
Same. We really need to use NLB sg to have a better security control
There is a workaround: have the aws-load-balancer-controller v2.6.1 installed, then install the ingress-nginx controller with the annotation:
service.beta.kubernetes.io/aws-load-balancer-security-groups: "sg-xxx,sg-xxx,sg-xxx"
which will spin up an NLB with the SGs attached.
Up! Waiting for this feature so much.
hello everyone here.
- can anyone confirm that request is for the ingress-nginx project to add that annotation in the static yaml manifest for AWS
Any estimate of when this feature will be available?
We can discuss this at the community meeting next week.
In addition to the annotation shared by @ntpetrov , we also had to add the annotation below for it to work with ingress-nginx
service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules: "true"
Interesting observation
On 4/18/24 02:43, Guido Dobboletta wrote:
>
> Where did you add the annotation @albertoal ? I added it to the ingress-nginx-controller load balancer service but it didn't work. Is that supposed to go in the nginx-ingress or the AWS LBC controller ?
>
@albertoal @emad-ramlawi if there is solid proof of this annotation being a requirement, then maybe we can consider a PR to change the project's default annotations list. The problem is this confirmation, as we are not sure if it is 100% known to be a requirement on EKS.
I attempted to configure the service with the specified settings, but it seems that the NLB is still being launched without a security group using Traefik.
service:
  spec:
    externalTrafficPolicy: Local
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
    service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=true
    service.beta.kubernetes.io/aws-load-balancer-attributes: deletion_protection.enabled=true
    service.beta.kubernetes.io/aws-load-balancer-security-groups: "sg-xxxxx"
It doesn't even respect deletion_protection.enabled=true.
Traefik related issues are not really workable in this project.
I think using the new AWS LB Controller is the optimum solution.
hmm, and what about this one https://github.com/kubernetes/ingress-nginx/issues/10340#issuecomment-1845546201
> There is a workaround: have the aws-load-balancer-controller v2.6.1 installed, then install the ingress-nginx controller with the annotation:
> service.beta.kubernetes.io/aws-load-balancer-security-groups: "sg-xxx,sg-xxx,sg-xxx"
> which will spin up an NLB with the SGs attached.
This workaround works incredibly well. After much study, to install the Ingress-Nginx Controller on EKS and thus create an NLB with Security Groups attached, two steps were necessary:
- Install the AWS Load Balancer Controller: https://docs.aws.amazon.com/eks/latest/userguide/lbc-manifest.html. Each step of this procedure is necessary, e.g. the IAM policy and role, the OIDC provider created by the cluster must be registered as an IAM identity provider, install cert-manager and finally the AWS Load Balancer Controller. Note that this deployment does not create any ALB.
- Install the Ingress-Nginx Controller: https://kubernetes.github.io/ingress-nginx/deploy/#aws. After downloading the deploy.yaml template, you will have to add the annotations to the Service so that an existing Security Group is attached to the NLB:
  service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
  service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules: "true"
  service.beta.kubernetes.io/aws-load-balancer-security-groups: "sg-xxxxxxxxxxxxxxxxx"
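A complete Service manifest for step 2 of the workaround above, as an added example that is not from this issue or from the project's deploy.yaml. It assumes the AWS Load Balancer Controller is already installed, the upstream namespace and Service name (ingress-nginx / ingress-nginx-controller), a placeholder security group id, and the spec.loadBalancerClass field, which is my addition and not mentioned in the thread.

```yaml
# Added example: ingress-nginx controller Service patched so that the AWS Load
# Balancer Controller (not the in-tree cloud provider) provisions the NLB and
# attaches an existing security group. Namespace/Service name and selector
# labels match the upstream deploy.yaml; the sg id is a placeholder.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
  annotations:
    # From the issue: ask for an NLB and attach a pre-existing security group.
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
    # Placeholder id. The group's inbound rules decide who can reach the
    # NLB at all, so restrict 80/443 to the intended sources (CDN, VPN, ...).
    service.beta.kubernetes.io/aws-load-balancer-security-groups: "sg-0123456789abcdef0"
    # Reported above as required: when you supply your own frontend security
    # group, the LBC only adds the matching inbound rules to the worker-node
    # security group (NLB -> NodePort / pod) if this is explicitly enabled.
    service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules: "true"
spec:
  type: LoadBalancer
  # Assumption (not on the page): hand the Service to the LBC explicitly so the
  # in-tree controller cannot claim it. Requires LBC v2.4 or later.
  loadBalancerClass: service.k8s.aws/nlb
  # Keep the client IP visible to nginx and avoid a second hop across nodes.
  externalTrafficPolicy: Local
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
  ports:
    - name: http
      port: 80
      targetPort: http
      protocol: TCP
    - name: https
      port: 443
      targetPort: https
      protocol: TCP
```

After applying, the NLB listed in the AWS console (or by the LBC logs) should show the supplied security group; if it is missing, the Service was most likely reconciled by the in-tree controller rather than the LBC.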
@kelson-pereira This is actually the recommended AWS solution, so that ingress-nginx uses aws load balancer controller to provision the LB and not the in-tree controller see here https://aws.amazon.com/blogs/containers/exposing-kubernetes-applications-part-3-nginx-ingress-controller/