I've got an EKS cluster with a managed node group. I'm deploying the ingress controller using the helm chart ingress-nginx version 4.7.1 from the repository https://kubernetes.github.io/ingress-nginx. It creates a public NLB. Trying to secure it, I came across this info: as of 10.08.2023 NLB supports security groups. Digging more, I found some information with possible solutions and annotations to use in this github topic. So I deployed the config as per the values.yaml file:
controller:
  ingressClassByName: true
  ingressClassResource:
    name: nginx-public
    enabled: true
    default: false
    controllerValue: "k8s.io/ingress-nginx-public"
  ingressClass: nginx-public
  service:
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
      service.beta.kubernetes.io/aws-load-balancer-type: nlb
      # the annotation is read as a plain string; it must carry the literal sg-... id,
      # so this Terraform reference has to be resolved before the values reach the cluster
      service.beta.kubernetes.io/aws-load-balancer-security-groups: aws_security_group.public_alb.id
      #service.beta.kubernetes.io/aws-load-balancer-extra-security-groups: aws_security_group.public_alb.id
    external:
      enabled: true
I've tried both options, security-groups and extra-security-groups. Neither worked for me. Everything looks fine, the helm chart deployed. I can see the above annotations added to the created service. However, when checking the LB in the AWS console, no SG is attached. Tested access via the LB URL... wide open (the SG was created with an access rule only for a specific IP). Has anyone actually made it work? Any ideas what I could be missing?

I prefer to use security groups rather than loadBalancerSourceRanges, as it gives more control over who can access what.
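As an added example (not code from the post or from the ingress-nginx project), the following Python checker lints the rendered Service manifest for the two things that leave an NLB wide open despite the annotations being present: an annotation value that is not a literal security group id (for example a Terraform reference pasted into values.yaml), and security-group annotations on a Service reconciled by the in-tree `nlb` path rather than the AWS Load Balancer Controller (which is what attaches NLB security groups, for Services annotated type `external` or selected via `spec.loadBalancerClass`). The manifest builder, the `lint_lb_service` function and the `sg-0123456789abcdef0` id are constructed for this example; the annotation keys are the ones from the post.

```python
import re
from typing import Any, Dict, List

# Annotation keys taken from the post; the checker logic itself is an added example.
SG_ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-security-groups"
EXTRA_SG_ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-extra-security-groups"
LB_TYPE_ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-type"

# One security group id, or a comma-separated list of them.
SG_ID_RE = re.compile(r"^sg-[0-9a-f]{8,17}(,sg-[0-9a-f]{8,17})*$")


def lint_lb_service(service: Dict[str, Any]) -> List[str]:
    """Return findings explaining why a LoadBalancer Service may end up wide open.

    Heuristic checks, not a substitute for inspecting the real load balancer:
      * SG annotation values must be literal sg-... ids; anything else (such as a
        Terraform reference) reaches the cloud controller as an opaque string.
      * NLB security groups are applied by the AWS Load Balancer Controller, which
        reconciles Services annotated type "external" (or selected through
        spec.loadBalancerClass), not by the in-tree provider behind type "nlb".
      * With neither a usable SG nor loadBalancerSourceRanges, the listener is
        reachable from 0.0.0.0/0.
    """
    findings: List[str] = []
    spec = service.get("spec") or {}
    if spec.get("type") != "LoadBalancer":
        return findings
    ann = (service.get("metadata") or {}).get("annotations") or {}
    lb_type = str(ann.get(LB_TYPE_ANNOTATION, ""))
    uses_lb_controller = lb_type == "external" or bool(spec.get("loadBalancerClass"))

    sg_ok = False
    for key in (SG_ANNOTATION, EXTRA_SG_ANNOTATION):
        if key not in ann:
            continue
        value = str(ann[key]).strip()
        if not SG_ID_RE.match(value):
            findings.append(f"{key}={value!r} is not a security group id (expected sg-...)")
        elif not uses_lb_controller:
            findings.append(
                f"{key} is set but {LB_TYPE_ANNOTATION}={lb_type!r}: NLB security groups "
                "are applied by the AWS Load Balancer Controller (type 'external' or "
                "loadBalancerClass), not by the in-tree provider"
            )
        else:
            sg_ok = True

    if not sg_ok and not spec.get("loadBalancerSourceRanges"):
        findings.append(
            "no effective ingress restriction: neither a valid security group nor "
            "loadBalancerSourceRanges; the load balancer listens from 0.0.0.0/0"
        )
    return findings


def service_from_post(sg_value: str, lb_type: str = "nlb") -> Dict[str, Any]:
    """Constructed Service manifest mirroring the annotations in the post."""
    return {
        "apiVersion": "v1",
        "kind": "Service",
        "metadata": {
            "name": "ingress-nginx-controller",
            "annotations": {
                "service.beta.kubernetes.io/aws-load-balancer-backend-protocol": "tcp",
                "service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled": "true",
                LB_TYPE_ANNOTATION: lb_type,
                SG_ANNOTATION: sg_value,
            },
        },
        "spec": {"type": "LoadBalancer", "ports": [{"port": 443}]},
    }


if __name__ == "__main__":
    # As posted: a Terraform reference as the annotation value, in-tree "nlb" type.
    for finding in lint_lb_service(service_from_post("aws_security_group.public_alb.id")):
        print("FINDING:", finding)
    # Corrected shape: literal (constructed placeholder) sg id, reconciled by the LB controller.
    print(lint_lb_service(service_from_post("sg-0123456789abcdef0", "external")))
```

Run it against the output of `helm template` or `kubectl get svc -o json` after loading the manifest; an empty list means the Service at least declares a usable restriction, after which the attached security group should still be confirmed in the console or with the AWS CLI.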