Closed michalschott closed 1 year ago
@michalschott if the `alb.ingress.kubernetes.io/actions.test` is uncommented but there's a backend service port named `use-annotation` in your ingress spec, it is an expected behavior that the target group is not created, since in your service spec there is no port named `use-annotation`.
In order to have the source-ip protection added, you need the annotation `alb.ingress.kubernetes.io/actions.test`, and the service port name must be `use-annotation`. You can check more info in our live doc: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.5/guide/ingress/annotations/#actions
@oliviassss Indeed, but then I need to create target group outside of ALBController. What's the point (or how else can I do that) if my service runs on EKS?
@michalschott why would you comment out the "actions.test"?
There are a couple of options:
```yaml
alb.ingress.kubernetes.io/actions.test: >
  {"type":"forward","targetGroupARN": "arn:aws:elasticloadbalancing:[REDACTED]"}
alb.ingress.kubernetes.io/conditions.test: >
  [{"field":"source-ip","sourceIpConfig":{"values":["192.168.0.0/16", "172.16.0.0/16"]}}]
......
- backend:
    service:
      name: test
      port:
        name: use-annotation
```
`test` port `http` to be auto-created. The caveat is to not use the magic "use-annotation" as port name, the "conditions.xxx" annotation works on real service names
```yaml
alb.ingress.kubernetes.io/conditions.test: >
  [{"field":"source-ip","sourceIpConfig":{"values":["192.168.0.0/16", "172.16.0.0/16"]}}]
......
- backend:
    service:
      name: test
      port:
        name: http
```
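
An added example (not code from the controller project or from anyone in this thread): a Python check for the wiring discussed above, run over an Ingress parsed from `kubectl get ingress -o json`. The names `lint_ingress` and `sample`, the finding messages, and the assumption that every rule is meant to carry a source-ip condition are assumptions of this example; the sample Ingress is constructed.

```python
import ipaddress
import json

PREFIX = "alb.ingress.kubernetes.io/"

def _named(annotations, kind):
    """Map annotation suffix -> value for actions.<name> or conditions.<name>."""
    key = PREFIX + kind + "."
    return {k[len(key):]: v for k, v in annotations.items() if k.startswith(key)}

def lint_ingress(ingress):
    """Return findings about the action/condition wiring of one Ingress (parsed JSON)."""
    ann = ingress.get("metadata", {}).get("annotations", {})
    actions, conditions = _named(ann, "actions"), _named(ann, "conditions")
    findings, backends = [], set()
    for rule in ingress.get("spec", {}).get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            svc = path["backend"]["service"]
            name, port = svc["name"], svc["port"].get("name")
            backends.add(name)
            if port == "use-annotation" and name not in actions:
                findings.append(f"{name}: port use-annotation without actions.{name}")
            if name not in conditions:  # assumption: every rule should be restricted
                findings.append(f"{name}: no conditions.{name}, rule not source-ip restricted")
    for name, raw in conditions.items():
        if name not in backends:
            findings.append(f"conditions.{name}: no backend with that service name")
        for cond in json.loads(raw):
            if cond.get("field") != "source-ip":
                continue
            for cidr in cond["sourceIpConfig"]["values"]:
                try:
                    ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
                except ValueError:
                    findings.append(f"conditions.{name}: invalid CIDR {cidr}")
    return findings

def sample(port_name, annotations):
    """Constructed Ingress for service 'test', shaped like `kubectl get ingress -o json`."""
    backend = {"service": {"name": "test", "port": {"name": port_name}}}
    return {"metadata": {"annotations": annotations},
            "spec": {"rules": [{"http": {"paths": [{"path": "/", "backend": backend}]}}]}}

COND = {PREFIX + "conditions.test":
        '[{"field":"source-ip","sourceIpConfig":{"values":["192.168.0.0/16", "172.16.0.0/16"]}}]'}

if __name__ == "__main__":
    print(lint_ingress(sample("use-annotation", COND)))  # actions.test missing
    print(lint_ingress(sample("http", COND)))            # real port name plus condition
```
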
@M00nF1sh thanks for the suggestion, I ended up attaching WAF to the LB instead.
@michalschott, I'm closing this issue for now, please feel free to reach out or reopen if you have any questions. Thanks
Describe the bug
Adding source-ip protection to my ALB endpoint backed by EKS hosted service doesn't work as expected
I've noticed, if `name: use-annotation`, targetGroup is not created automatically. Thus
Then field looks like:
Once `alb.ingress.kubernetes.io/actions.test` annotations is uncommented
Then is set correctly.
Obviously, once `name` is changed to `http` - source-ip protection is not added.
Steps to reproduce
Described above.
Expected outcome
TargetGroup should be created and forward rule should be created.
Environment
Additional Context: