How do I restrict CIDR IP addresses for a LoadBalancer type service in Amazon EKS?
Last updated: 2020-01-22
I want to restrict CIDR IP addresses for a LoadBalancer type service in Amazon Elastic Kubernetes Service (Amazon EKS).
If you create a service of type: LoadBalancer, requests from the source 0.0.0.0/0 are allowed by default. That means that, if your load balancer is in a public subnet, requests from anywhere on the internet are routed to your worker nodes.
Set up your environment
3. Set up kubectl.
Restrict CIDR IP addresses
1. In your service manifest file (svc.yaml), add the .spec.loadBalancerSourceRanges field. See the following example:
apiVersion: v1
kind: Service
metadata:
  labels:
    app: nginx
  name: nginx
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  type: LoadBalancer
  loadBalancerSourceRanges:
  - "184.108.40.206/16"
2. To apply the manifest file, run the following command:
$ kubectl apply -f svc.yaml
3. To confirm that the inbound rules on the security group are modified, run the following AWS CLI command:
$ aws ec2 describe-security-groups --group-ids sg-XXXXXXXXXXXXXXXXX
...
"CidrIp": "220.127.116.11/16"
...
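The following check is an added example, not part of the original article: it compares the TCP ingress CIDRs on the worker node security group against the Service's .spec.loadBalancerSourceRanges and flags any rule that is still open to 0.0.0.0/0. The Service and describe-security-groups documents are constructed samples (the security group ID is a placeholder), and the extra NodePort rule stands in for a rule left behind by an earlier service.

```python
import ipaddress

# Constructed sample: the Service from this article, as `kubectl get svc nginx -o json` returns it
SERVICE = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "nginx"},
    "spec": {"type": "LoadBalancer",
             "ports": [{"port": 80, "protocol": "TCP", "targetPort": 80}],
             "loadBalancerSourceRanges": ["184.108.40.206/16"]},
}

# Constructed sample: trimmed `aws ec2 describe-security-groups` output; sg ID is a placeholder
NODE_SG = {"SecurityGroups": [{
    "GroupId": "sg-XXXXXXXXXXXXXXXXX",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "184.108.40.206/16"}]},
        # A stale rule from an earlier service that was never cleaned up
        {"IpProtocol": "tcp", "FromPort": 30080, "ToPort": 30080,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "stale rule"}]},
    ]}]}

def source_ranges(service):
    """Return the Service's allowed source networks; Kubernetes defaults to 0.0.0.0/0."""
    cidrs = service["spec"].get("loadBalancerSourceRanges") or ["0.0.0.0/0"]
    # strict=False mirrors Kubernetes, which accepts host bits set in the CIDR
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def audit_node_sg(service, sg_response):
    """Map each ingress CIDR on the node SG to a verdict.

    "ok"         - covered by one of the Service's loadBalancerSourceRanges
    "open"       - 0.0.0.0/0 or ::/0, i.e. the default allow-all
    "unexpected" - not covered by any allowed range (rule left behind or added out of band)
    """
    allowed = source_ranges(service)
    verdicts = {}
    for group in sg_response["SecurityGroups"]:
        for perm in group["IpPermissions"]:
            for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                net = ipaddress.ip_network(cidr, strict=False)
                if net.prefixlen == 0:
                    verdicts[cidr] = "open"
                elif any(net.version == a.version and net.subnet_of(a) for a in allowed):
                    verdicts[cidr] = "ok"
                else:
                    verdicts[cidr] = "unexpected"
    return verdicts

if __name__ == "__main__":
    for cidr, verdict in audit_node_sg(SERVICE, NODE_SG).items():
        print(f"{cidr:>20}  {verdict}")
```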
Finally, consider the following:
If you update an existing LoadBalancer service that uses a Network Load Balancer (on Kubernetes versions earlier than 1.14), you must recreate the service resource, because changes to the .spec.loadBalancerSourceRanges field aren't reflected in the worker node security group.
Note: Recreating the service resource reprovisions the Network Load Balancer, and results in new IP addresses for the load balancer.
Avoid reaching the maximum number of rules allowed per security group, because each LoadBalancer type service that uses a Network Load Balancer adds a rule to the worker node's security group.