Kubernetes and AWS: Set LoadBalancer to use predefined Security Group
As the title says, I am looking for a way to force a LoadBalancer service to use a predefined security group in AWS. I don't want to edit the inbound/outbound rules of the security group that Kubernetes creates for the ELB by hand. I couldn't find anything about this in the documentation, nor anything usable elsewhere online. This is my current template:
apiVersion: v1
kind: Service
metadata:
  name: ds-proxy
spec:
  type: LoadBalancer
  ports:
  - port: 8761 # the port that this service should serve on
    targetPort: 8761
    protocol: TCP
  selector:
    app: discovery-service
At the moment this does not appear to be possible. The API, in https://github.com/kubernetes/kubernetes/blob/37b5726716231c13117c4b05a841e00417b92cda/pkg/cloudprovider/providers/aws/aws.go, goes through the following code:
func (s *AWSCloud) EnsureLoadBalancer(name, region string, publicIP net.IP, ports []*api.ServicePort, hosts []string, affinity api.ServiceAffinity) (*api.LoadBalancerStatus, error) {
    glog.V(2).Infof("EnsureLoadBalancer(%v, %v, %v, %v, %v)", name, region, publicIP, ports, hosts)
    .
    .
    .
    // Create a security group for the load balancer
    var securityGroupID string
    {
        sgName := "k8s-elb-" + name
        sgDescription := "Security group for Kubernetes ELB " + name
        securityGroupID, err = s.ensureSecurityGroup(sgName, sgDescription, vpcId)
        if err != nil {
            glog.Error("Error creating load balancer security group: ", err)
            return nil, err
        }
        permissions := []*ec2.IpPermission{}
        for _, port := range ports {
            portInt64 := int64(port.Port)
            protocol := strings.ToLower(string(port.Protocol))
            sourceIp := "0.0.0.0/0"
            permission := &ec2.IpPermission{}
            permission.FromPort = &portInt64
            permission.ToPort = &portInt64
            permission.IpRanges = []*ec2.IpRange{{CidrIp: &sourceIp}}
            permission.IpProtocol = &protocol
            permissions = append(permissions, permission)
        }
        _, err = s.ensureSecurityGroupIngress(securityGroupID, permissions)
        if err != nil {
            return nil, err
        }
    }
    securityGroupIDs := []string{securityGroupID}
    .
    .
    .
}
There is no way to stop it from creating a security group.
Edit: 2021 - I have been told my answer is now outdated; please refer to Whosebug.com/a/70162565/699493 instead.
You cannot stop Kubernetes from creating new security groups. But since Andonaeus's answer was posted, a new feature has been added that lets you define the inbound permissions explicitly in the service's configuration file.
See the user guide details for more information. The example given there shows that, by using spec.loadBalancerSourceRanges, you can supply the allowed inbound IPs:
In the following example, a load balancer will be created that is only accessible to clients with IP addresses from 130.211.204.1 and 130.211.204.2.
apiVersion: v1
kind: Service
metadata:
  name: myapp
spec:
  ports:
  - port: 8765
    targetPort: 9376
  selector:
    app: example
  type: LoadBalancer
  loadBalancerSourceRanges:
  - 130.211.204.1/32
  - 130.211.204.2/32
You cannot keep kubernetes from creating a new security group, but you can specify existing security groups with an annotation, as described in the documentation:
service.beta.kubernetes.io/aws-load-balancer-extra-security-groups: "sg-53fae93f,sg-42efd82e"
-> A list of additional security groups to be added to ELB
I know this post is a few years old now, but it turned up in a Google search. It looks like it is now possible, with k8s 1.7+, to prevent kubernetes from creating security groups. See https://github.com/kubernetes/kops/blob/release-1.9/docs/cluster_spec.md#cloudconfig for details.
This can be done now, and has been possible for a while.
See https://kubernetes.io/docs/concepts/services-networking/service/
service.beta.kubernetes.io/aws-load-balancer-security-groups: "sg-53fae93f"
# A list of existing security groups to be configured on the ELB created. Unlike the annotation
# service.beta.kubernetes.io/aws-load-balancer-extra-security-groups, this replaces all other security groups previously assigned to the ELB and also overrides the creation
# of a uniquely generated security group for this ELB.
# The first security group ID on this list is used as a source to permit incoming traffic to target worker nodes (service traffic and health checks).
# If multiple ELBs are configured with the same security group ID, only a single permit line will be added to the worker node security groups, that means if you delete any
# of those ELBs it will remove the single permit line and block access for all ELBs that shared the same security group ID.
# This can cause a cross-service outage if not used properly
Pay close attention to the fact that if you have multiple load balancers and you destroy one of them, the ingress rule that allows the worker SG to talk to the ELB SG will be revoked.
What I want is a "service.beta.kubernetes.io/aws-load-balancer-stop-messing-with-my-security-groups: true" annotation.
We also used service.beta.kubernetes.io/aws-load-balancer-target-node-labels as an experiment; I ended up denying ec2:RevokeSecurityGroupIngress, but that can cause other problems.
AWS's official recommendation is not to share LB security groups.
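As an added audit check (not from the question or any of the answers above): a small Python script over the JSON that `kubectl get svc -A -o json` emits, flagging LoadBalancer Services that fall back to the cloud provider's 0.0.0.0/0 default because they set no loadBalancerSourceRanges, and security-group IDs that more than one Service uses as the first entry of the aws-load-balancer-security-groups annotation, which is the shared-permit-line outage the last answer warns about. The Service objects embedded below are constructed sample data and the function name is mine.

```python
import json
from collections import defaultdict

# Annotation whose first SG ID drives the single worker-node permit line (see the doc comment above)
SG_ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-security-groups"


def audit_services(svc_list: dict) -> dict:
    """Scan a `kubectl get svc -A -o json` document (hypothetical helper, not a Kubernetes API).

    Returns LoadBalancer Services exposed to 0.0.0.0/0 and SG IDs that several
    Services use as the first entry of the replacing SG annotation.
    """
    open_to_world = []
    first_sg_users = defaultdict(list)
    for item in svc_list.get("items", []):
        spec = item.get("spec", {})
        if spec.get("type") != "LoadBalancer":
            continue
        meta = item.get("metadata", {})
        name = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
        # Without loadBalancerSourceRanges the provider opens the ELB ports to 0.0.0.0/0
        ranges = spec.get("loadBalancerSourceRanges") or []
        if not ranges or "0.0.0.0/0" in ranges:
            open_to_world.append(name)
        # Only the first ID in the annotation is used for the worker-node permit line;
        # two ELBs sharing it means deleting one ELB revokes access for the other.
        raw = (meta.get("annotations") or {}).get(SG_ANNOTATION, "")
        sg_ids = [s.strip() for s in raw.split(",") if s.strip()]
        if sg_ids:
            first_sg_users[sg_ids[0]].append(name)
    shared = {sg: names for sg, names in first_sg_users.items() if len(names) > 1}
    return {"open_to_world": open_to_world, "shared_first_sg": shared}


# Constructed sample: two ELB Services sharing sg-53fae93f, plus a ClusterIP Service to be ignored
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "ds-proxy", "namespace": "default",
   "annotations": {"service.beta.kubernetes.io/aws-load-balancer-security-groups": "sg-53fae93f"}},
  "spec": {"type": "LoadBalancer", "ports": [{"port": 8761}]}},
 {"metadata": {"name": "myapp", "namespace": "default",
   "annotations": {"service.beta.kubernetes.io/aws-load-balancer-security-groups": "sg-53fae93f, sg-42efd82e"}},
  "spec": {"type": "LoadBalancer", "loadBalancerSourceRanges": ["130.211.204.1/32", "130.211.204.2/32"]}},
 {"metadata": {"name": "internal", "namespace": "ops"}, "spec": {"type": "ClusterIP"}}
]}
""")

if __name__ == "__main__":
    print(json.dumps(audit_services(SAMPLE), indent=2))
```

Run it against a live cluster with `kubectl get svc -A -o json | python3 audit.py` after swapping SAMPLE for `json.load(sys.stdin)`.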