Closed jralph closed 1 year ago
@jralph, the controller doesn't manage the ingress SG rules by default if you manually specify the SGs via the alb.ingress.kubernetes.io/security-groups annotation. If you want the controller to manage backend rules with the security-groups annotation, then you'd need to specify the annotation alb.ingress.kubernetes.io/manage-backend-security-group-rules: "true". For further details, please refer to the live docs https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/guide/ingress/annotations/#manage-backend-security-group-rules
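A small pre-deploy check that encodes the rule described in the comment above, as an added example that is not code from the aws-load-balancer-controller project: it flags an Ingress that sets custom security groups without manage-backend-security-group-rules: "true", the combination that leaves the ALB with no path through the node/pod security group. The manifests and the security-group id in it are constructed placeholders.

```python
# Added example (not from the aws-load-balancer-controller project).
# Encodes the documented behaviour: when alb.ingress.kubernetes.io/security-groups is set,
# the controller does NOT add the shared backend security group unless
# alb.ingress.kubernetes.io/manage-backend-security-group-rules is set to "true".
from typing import Dict, List

SG_ANNOTATION = "alb.ingress.kubernetes.io/security-groups"
MANAGE_ANNOTATION = "alb.ingress.kubernetes.io/manage-backend-security-group-rules"


def backend_rules_managed(annotations: Dict[str, str]) -> bool:
    """Return True if the controller will manage backend SG rules for this Ingress."""
    if SG_ANNOTATION not in annotations:
        return True  # controller creates its own SGs and adds the backend rules itself
    # Only the exact documented value "true" is accepted here; anything else is treated
    # as "not managed" so the check errs on the side of flagging the manifest.
    return annotations.get(MANAGE_ANNOTATION, "") == "true"


def check_ingress(ingress: dict) -> List[str]:
    """Return human-readable findings for one Ingress manifest given as a dict."""
    meta = ingress.get("metadata", {})
    ann = meta.get("annotations") or {}
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    findings = []
    if SG_ANNOTATION in ann and not backend_rules_managed(ann):
        findings.append(
            f"{name}: custom security groups set ({ann[SG_ANNOTATION]}) but "
            f'{MANAGE_ANNOTATION} is not "true"; the ALB cannot reach the '
            "node/pod security group unless that rule is added manually")
    return findings


# Constructed sample manifests (placeholder SG id): the first reproduces the issue
# from this report (custom SG, target-type ip, no manage annotation), the second is the fix.
BROKEN = {"metadata": {"name": "web", "namespace": "prod", "annotations": {
    SG_ANNOTATION: "sg-0123456789abcdef0",
    "alb.ingress.kubernetes.io/target-type": "ip"}}}
FIXED = {"metadata": {"name": "web", "namespace": "prod", "annotations": {
    SG_ANNOTATION: "sg-0123456789abcdef0",
    MANAGE_ANNOTATION: "true",
    "alb.ingress.kubernetes.io/target-type": "ip"}}}

if __name__ == "__main__":
    for manifest in (BROKEN, FIXED):
        print(check_ingress(manifest) or ["ok"])
```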
Similar issue, @kishorj's solution worked.
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After a period of inactivity, lifecycle/stale is applied
- After a further period of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After a further period of inactivity since lifecycle/rotten was applied, the issue is closed
You can:
- Mark this issue as fresh with /remove-lifecycle stale
- Close this issue with /close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
@jralph, I'm closing this issue for now; please feel free to reach out or reopen if you have any questions. Thanks.
Describe the bug
When the annotation alb.ingress.kubernetes.io/security-groups is used to attach your own security group to the alb, the shared backend security group is not added, causing all traffic to be blocked by the node/pod security group.

Steps to reproduce
Deploy an ingress with a custom security group using the alb.ingress.kubernetes.io/security-groups annotation, along with nodes that are private. We're running an eks cluster with vpc cni networking, and the alb.ingress.kubernetes.io/target-type annotation set to ip.

Expected outcome
The shared backend security group should always be added, even when the alb.ingress.kubernetes.io/security-groups annotation is used. Optionally, there could be another annotation to disable this, although I'd guess that use case would be pretty rare. Why would you want an alb that is unable to talk to the backend pods/nodes?

Environment

Additional Context: When trying to add a custom security group to only allow connections to our alb from the CloudFront prefix list, we encountered this issue.