
support for AWS Network Load Balancer attaching sec groups in upcoming version

Open emad-ramlawi opened this issue 10 months ago • 20 comments

Support the recent change where Network Load Balancer now supports security groups:

https://aws.amazon.com/about-aws/whats-new/2023/08/network-load-balancer-supports-security-groups/#:~:text=Network%20Load%20Balancers%20(NLB)%20now,centrally%20enforce%20access%20control%20policies

Describe the solution you'd like

nlb.ingress.kubernetes.io/security-groups: sg-xxxx, nameOfSg1, nameOfSg2

emad-ramlawi avatar Aug 24 '23 15:08 emad-ramlawi

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Aug 24 '23 15:08 k8s-ci-robot

this would be amazing, and save me from having to migrate to AWS LB controller!

ClaytonOlleyNutrien avatar Sep 23 '23 23:09 ClaytonOlleyNutrien

Same here, as for now it blocks using internal NLB and Global Accelerator in AWS

kalvkusk avatar Sep 25 '23 13:09 kalvkusk

Same here. Would be great to be able to use sg with ingress-nginx.

kkarczewski avatar Sep 26 '23 09:09 kkarczewski

Do we know when this can happen? It's now blocking the use of NLB with the ingress controller.

hussainbani avatar Oct 31 '23 12:10 hussainbani

It will be a really valuable new feature to be able to use security groups on NLBs with the ingress controller. We can prevent port probes with that very easily.

cr-actico avatar Nov 08 '23 10:11 cr-actico

This feature would be great to have! It would help many use cases.

IvanStanchev07 avatar Nov 09 '23 13:11 IvanStanchev07

Same. We really need to use NLB sg to have a better security control

gregory-lecomte avatar Nov 16 '23 15:11 gregory-lecomte

There is a workaround: you can have the aws-load-balancer-controller v2.6.1 installed, then you can install the ingress-nginx controller with the annotation `service.beta.kubernetes.io/aws-load-balancer-security-groups: "sg-xxx,sg-xxx,sg-xxx"`, which will spin up an NLB with the SGs attached.

ntpetrov avatar Dec 07 '23 15:12 ntpetrov

Up! Waiting for this feature so much.

rnuzzo-mashfrog avatar Jan 09 '24 14:01 rnuzzo-mashfrog

Hello everyone here.

  • Can anyone confirm that the request is for the ingress-nginx project to add that annotation in the static YAML manifest for AWS?

longwuyuan avatar Feb 12 '24 10:02 longwuyuan

Any estimation when this feature will be available ?

sorind-broadsign avatar Mar 02 '24 13:03 sorind-broadsign

We can discuss this at the community meeting next week.

tao12345666333 avatar Mar 02 '24 15:03 tao12345666333

In addition to the annotation shared by @ntpetrov , we also had to add the annotation below for it to work with ingress-nginx

service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules: "true"

albertoal avatar Mar 03 '24 19:03 albertoal
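Putting the two annotations from the comments above together, here is what the workaround looks like as Helm values for the ingress-nginx chart. This is an added example, not a manifest from the ingress-nginx project or the AWS Load Balancer Controller; it assumes the AWS Load Balancer Controller is already installed in the cluster and that the security group IDs are placeholders you replace with your own.

```yaml
# Added example (not the project's own manifest): values.yaml for the
# ingress-nginx Helm chart on EKS, assuming the AWS Load Balancer Controller
# (v2.6.1 as mentioned in the thread) is already running in the cluster.
# sg-0123456789abcdef0 and sg-0fedcba9876543210 are placeholder IDs.
controller:
  service:
    type: LoadBalancer
    annotations:
      # "external" hands this Service to the AWS Load Balancer Controller.
      # The legacy value "nlb" is reconciled by the in-tree cloud provider,
      # which ignores the security-groups annotation below.
      service.beta.kubernetes.io/aws-load-balancer-type: "external"
      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
      service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
      # Frontend security groups attached to the NLB (the @ntpetrov workaround).
      # When this is set, the controller does not create its own frontend SG,
      # so these SGs alone decide who can reach the listeners: allow inbound
      # 80/443 from the intended sources and nothing else.
      service.beta.kubernetes.io/aws-load-balancer-security-groups: "sg-0123456789abcdef0,sg-0fedcba9876543210"
      # Let the controller add rules on the backend (node/pod) security group
      # that permit traffic from the frontend SGs above (the @albertoal addition).
      service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules: "true"
```

After `helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx -n ingress-nginx --create-namespace -f values.yaml`, confirm the SGs actually landed on the NLB rather than trusting the Service status: `aws elbv2 describe-load-balancers --query 'LoadBalancers[].{Name:LoadBalancerName,SGs:SecurityGroups}'` should list both placeholder IDs for the new load balancer, and `kubectl -n ingress-nginx describe svc ingress-nginx-controller` should show reconcile events from the AWS Load Balancer Controller rather than the in-tree provider. An NLB that comes up with an empty SecurityGroups list usually means the Service was picked up by the in-tree provider instead.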

Interesting observation

On 4/18/24 02:43, Guido Dobboletta wrote:
>
> Where did you add the annotation @albertoal ? I added it to the ingress-nginx-controller load balancer service but it didn't work. Is that supposed to go in the nginx-ingress or the AWS LBC controller ?
>

@albertoal @emad-ramlawi if there is solid proof of this annotation being a requirement, then maybe we can consider a PR to change the project's default annotations list. The problem is this confirmation, as we are not sure if it is 100% known to be a requirement on EKS.

longwuyuan avatar Apr 18 '24 00:04 longwuyuan

I attempted to configure the service with the specified settings, but it seems that NLB is still being launched without a security group using Traefik.

```yaml
service:
  spec:
    externalTrafficPolicy: Local
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
    service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=true
    service.beta.kubernetes.io/aws-load-balancer-attributes: deletion_protection.enabled=true
    service.beta.kubernetes.io/aws-load-balancer-security-groups: "sg-xxxxx"
```

It doesn't even respect deletion_protection.enabled=true.

adiii717 avatar May 13 '24 05:05 adiii717

Traefik related issues are not really workable in this project.

I think using the new AWS LB Controller is the optimum solution.

longwuyuan avatar May 13 '24 07:05 longwuyuan

> Traefik related issues are not really workable in this project.
>
> I think using the new AWS LB Controller is the optimum solution.

Hmm, and what about this one? https://github.com/kubernetes/ingress-nginx/issues/10340#issuecomment-1845546201

adiii717 avatar May 13 '24 07:05 adiii717