How do I restrict CIDR IP addresses for a LoadBalancer type service in Amazon EKS?
Last updated: 2020-06-10
I want to restrict CIDR IP addresses for a LoadBalancer type service in Amazon Elastic Kubernetes Service (Amazon EKS).
If you create a service of type LoadBalancer without specifying source ranges, inbound requests from 0.0.0.0/0 (any source) are allowed by default. If the load balancer is in a public subnet, then anyone on the internet can reach the service's node ports on the worker nodes through it.
Set up your environment
3. Set up kubectl.
Restrict CIDR IP addresses
1. In your service manifest file (svc.yaml), add the .spec.loadBalancerSourceRanges field. The following example uses the RFC 5737 documentation range 203.0.113.0/24 as a placeholder; replace it with the CIDR ranges that should be allowed to reach the service:
apiVersion: v1
kind: Service
metadata:
  labels:
    app: nginx
  name: nginx
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  type: LoadBalancer
  loadBalancerSourceRanges:
  - "203.0.113.0/24"
2. To apply the manifest file, run the following command:
$ kubectl apply -f svc.yaml
3. To confirm that the inbound rules were modified, describe the security group that the cloud controller manages for the service (the load balancer's own security group for a Classic Load Balancer, or the worker node security group for a Network Load Balancer) and check that the CidrIp values match the ranges in your manifest:
$ aws ec2 describe-security-groups --group-ids sg-XXXXXXXXXXXXXXXXX
...
    "CidrIp": "203.0.113.0/24"
...
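Reading the describe-security-groups output by eye does not catch the usual failure mode: a pre-existing rule that opens the whole node port range to 0.0.0.0/0 and silently overrides the restriction. The following Python script is an added example for this article, not AWS or Kubernetes project code. It normalizes the ranges from .spec.loadBalancerSourceRanges (the API server accepts values with host bits set, such as 10.1.2.3/16), compares them with every TCP rule that covers the service's node port, and reports anything missing, unexpected, or open to the world. The JSON it runs on is constructed sample output in the shape the AWS CLI returns, the node port 31000 and the VPC CIDR 192.168.0.0/16 are assumptions, and the rule descriptions are illustrative. Network Load Balancer health checks arrive from the VPC CIDR, so a rule allowing that range is treated as legitimate.

```python
"""Audit the security group rules created for a LoadBalancer service.

Added example, not AWS or Kubernetes project code. Compares the intended
.spec.loadBalancerSourceRanges with the inbound rules reported by
`aws ec2 describe-security-groups` and flags rules that still expose the
service's node port to the whole internet.
"""
import ipaddress
import json


def normalize_ranges(ranges):
    """Return canonical network strings for a list of CIDRs.

    strict=False clears host bits, so a manifest value such as
    "10.1.2.3/16" compares equal to the network 10.1.0.0/16.
    """
    return sorted({str(ipaddress.ip_network(r.strip(), strict=False))
                   for r in ranges})


def audit_node_port(describe_output, node_port, expected_ranges, vpc_cidr):
    """Compare TCP inbound rules covering node_port with the intended ranges.

    describe_output: JSON text from `aws ec2 describe-security-groups`.
    expected_ranges: the service's loadBalancerSourceRanges.
    vpc_cidr: the cluster VPC CIDR; NLB health checks come from there, so a
              rule allowing it is legitimate and is not reported.
    Returns {"missing": [...], "unexpected": [...], "open_to_world": bool}.
    """
    allowed = set(normalize_ranges(list(expected_ranges) + [vpc_cidr]))
    seen = set()
    for sg in json.loads(describe_output)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            # "-1" means all traffic: it has no FromPort/ToPort and covers TCP.
            if proto not in ("tcp", "-1"):
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if not lo <= node_port <= hi:
                continue
            for rng in perm.get("IpRanges", []):
                seen.add(str(ipaddress.ip_network(rng["CidrIp"], strict=False)))
            for rng in perm.get("Ipv6Ranges", []):
                seen.add(str(ipaddress.ip_network(rng["CidrIpv6"], strict=False)))
    return {
        "missing": sorted(allowed - seen),      # intended range with no rule
        "unexpected": sorted(seen - allowed),   # rule from a range not asked for
        "open_to_world": bool(seen & {"0.0.0.0/0", "::/0"}),
    }


# Constructed sample output (assumption, not a real API response) modelled on a
# worker node security group: the NLB client, health-check and MTU rules for
# node port 31000, plus a stray rule that opens the whole node port range.
SAMPLE_DESCRIBE_SG = json.dumps({"SecurityGroups": [{
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 31000, "ToPort": 31000,
         "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "client"}]},
        {"IpProtocol": "tcp", "FromPort": 31000, "ToPort": 31000,
         "IpRanges": [{"CidrIp": "192.168.0.0/16", "Description": "health"}]},
        {"IpProtocol": "icmp", "FromPort": 3, "ToPort": 4,
         "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "mtu"}]},
        {"IpProtocol": "tcp", "FromPort": 30000, "ToPort": 32767,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "stray rule"}]},
    ]}]})


if __name__ == "__main__":
    report = audit_node_port(SAMPLE_DESCRIBE_SG, 31000,
                             ["203.0.113.0/24"], "192.168.0.0/16")
    print(json.dumps(report, indent=2))
```

Against real output, pipe the CLI into the script (for example `aws ec2 describe-security-groups --group-ids sg-... | python3 audit.py`, reading sys.stdin instead of the sample) and take the node port from `kubectl get svc nginx -o jsonpath='{.spec.ports[0].nodePort}'`. A non-empty "unexpected" list or open_to_world being true means the restriction in the manifest is not what the security group actually enforces.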
Finally, consider the following:
For Kubernetes version 1.14 or earlier, changes to the .spec.loadBalancerSourceRanges field of a service that uses a Network Load Balancer take effect only if you delete and recreate the service resource. The new CIDR ranges are then reflected in the security group rules of the worker nodes.
Note: Recreating the service resource re-provisions the Network Load Balancer, which gives it a new DNS name and new IP addresses. Update any clients or DNS records that point to the old ones.
For a service that uses a Network Load Balancer, keep the per-security-group rule quota in mind. For each node port and source CIDR range, the Kubernetes control plane adds three inbound rules (client traffic, health checks, and ICMP for MTU discovery) to the worker node security group, so a service with many ports or many source ranges can exhaust the quota.