Security Group Inbound is automatically set to open 0.0.0.0 #3706

Open
Rishabh-Hupr opened this issue May 17, 2024 · 4 comments
Labels
kind/documentation Categorizes issue or PR as related to documentation.

Comments

@Rishabh-Hupr

Hi Team

Based on the below line,

- The VPC CIDR will be used if `service.beta.kubernetes.io/aws-load-balancer-scheme` is `internal`

It says that if the Service object has the annotation service.beta.kubernetes.io/aws-load-balancer-scheme: internal, then the source ranges for the LB will be taken from the VPC CIDR; it is the same for v2.7 and v2.6.
However, it doesn't seem to be working.

I created a Service of type LoadBalancer with that annotation in it (tried with both v2.7.2 and v2.6.2 LBC versions).
I spun up an internal NLB; however, one of the SGs related to the NLB was allowing traffic from 0.0.0.0/0, which is not desirable. One would think that the doc statement below 👇🏻 would have its effect, but it certainly is not working in this case.

  • The VPC CIDR will be used if service.beta.kubernetes.io/aws-load-balancer-scheme is internal

service.yaml 👇🏻

```yaml
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: null
  namespace: kube-system
  annotations:
    # internal scheme; per the docs this alone should scope ingress to the VPC CIDR
    service.beta.kubernetes.io/aws-load-balancer-scheme: internal
  labels:
    app: web
  name: web
spec:
  ports:
  - port: 8080        # listener port on the NLB
    protocol: TCP
    targetPort: 80    # container port on the pods
  selector:
    app: web
  type: LoadBalancer
```

NO ERRORS SPOTTED IN LBC DEPLOYMENT

Can we get a clarification on why this is not working as expected? And if so, can we get a fix?

I can provide more details if needed.

@uditsidana

I can confirm the same behaviour.

@oliviassss
Collaborator

@Rishabh-Hupr, @uditsidana, can you check whether the annotation service.beta.kubernetes.io/load-balancer-source-ranges or spec.loadBalancerSourceRanges works in your case to restrict the range?
Check our live doc for more details: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/#access-control

@uditsidana

@oliviassss No issues applying the ranges using the annotation or spec.loadBalancerSourceRanges. Works perfectly; we just wanted to highlight a particular behaviour as mentioned in the docs.
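The thread above boils down to two practical steps: verify what the controller actually put in the NLB's security group, and pin the Service to the VPC CIDR explicitly rather than relying on the scheme annotation. The following is an added example (not code from the aws-load-balancer-controller project or from the participants) that does both offline. It assumes the JSON shape returned by `aws ec2 describe-security-groups`; the security group ID, VPC CIDR and rule data are constructed sample values, and the Service dict mirrors the manifest posted in the issue.

```python
"""Audit an NLB security group for world-open ingress and pin the Service to the VPC CIDR.

Added example, not project code. The SG ID, VPC CIDR and ingress rules below are
constructed sample data in the shape of `aws ec2 describe-security-groups` output.
"""
import copy
import ipaddress

VPC_CIDR = "10.0.0.0/16"  # constructed: the VPC the internal NLB lives in

# Constructed sample SG reproducing the symptom from the issue:
# the listener port 8080 is open to 0.0.0.0/0 instead of the VPC CIDR.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",  # constructed
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

# The Service from the issue, as a dict (annotation-only, no loadBalancerSourceRanges).
SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {
        "name": "web",
        "namespace": "kube-system",
        "annotations": {"service.beta.kubernetes.io/aws-load-balancer-scheme": "internal"},
        "labels": {"app": "web"},
    },
    "spec": {
        "type": "LoadBalancer",
        "selector": {"app": "web"},
        "ports": [{"port": 8080, "protocol": "TCP", "targetPort": 80}],
    },
}


def _rule_cidrs(rule):
    """Yield every IPv4/IPv6 source CIDR on one IpPermissions entry."""
    for r in rule.get("IpRanges", []):
        yield r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def overly_open_ingress(sg, allowed_cidrs):
    """Return ((from_port, to_port), cidr) for each ingress source not contained in an allowed CIDR.

    An empty list means every ingress source on the group sits inside the allowed ranges.
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for rule in sg.get("IpPermissions", []):
        ports = (rule.get("FromPort"), rule.get("ToPort"))
        for cidr in _rule_cidrs(rule):
            net = ipaddress.ip_network(cidr)
            # subnet_of() raises on mixed IP versions, so compare versions first.
            contained = any(net.version == a.version and net.subnet_of(a) for a in allowed)
            if not contained:
                findings.append((ports, cidr))
    return findings


def with_source_ranges(service, cidrs):
    """Return a copy of the Service manifest with spec.loadBalancerSourceRanges set.

    This is the explicit restriction the maintainer pointed to; the controller renders
    these CIDRs as the SG ingress sources instead of 0.0.0.0/0.
    """
    fixed = copy.deepcopy(service)
    fixed.setdefault("spec", {})["loadBalancerSourceRanges"] = list(cidrs)
    return fixed


if __name__ == "__main__":
    for ports, cidr in overly_open_ingress(SAMPLE_SG, [VPC_CIDR]):
        print(f"{SAMPLE_SG['GroupId']}: ports {ports} open to {cidr}, expected within {VPC_CIDR}")
    print(with_source_ranges(SERVICE, [VPC_CIDR])["spec"]["loadBalancerSourceRanges"])
```

Feed `overly_open_ingress` the groups listed under `SecurityGroups` on the NLB (from `describe-load-balancers`) with your VPC CIDR as the allowed list; any finding is the symptom reported above. The equivalent of `with_source_ranges` in annotation form is the comma-separated `service.beta.kubernetes.io/load-balancer-source-ranges` annotation named in the maintainer's reply.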

@oliviassss
Collaborator

Thanks, looks like a flaw in the doc; I will double check and fix.
/kind documentation

@k8s-ci-robot k8s-ci-robot added the kind/documentation Categorizes issue or PR as related to documentation. label May 22, 2024