Closed prakashbalaji closed 1 month ago
@prakashbalaji hey, was the load balancer created successfully? were you trying to create a NLB or ALB?
@oliviassss - This is the case of us creating the load balancer externally, outside of the controller. We used Terraform to provision the load balancer and we are using an ALB here. The issue is that the pods are getting registered as targets to the load balancer, but the EKS node security group rules are not amended to allow traffic from the load balancer.
When the controller creates the load balancer it augments the security group rules.
@prakashbalaji, sorry I missed that. I doubt that, if it's an external LB, the controller will manage the AWS resources for it (since we rely on users to manage the TG, listener and LB for an external LB). Personally I haven't tested this before; I can try to repro, but check out the live doc here: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.8/guide/use_cases/self_managed_lb/
Thanks @oliviassss for the response. I can for sure tell you that the security group rules are not amended for the self-managed LB. As I think more, it seems right for the controller not to manage the security group, as we create the load balancer and security group outside and we are supposed to allow traffic from the load balancer to the EKS node. I think this issue can be closed as we are taking that approach, and it would also be good to document it in the notes about security groups. The linked article does not talk about security groups, hence the confusion. Thanks for your inputs btw.
Thanks for the confirmation. /kind documentation
@prakashbalaji It's actually possible for a TargetGroupBinding to modify the worker node security groups. Check out spec.networking on TargetGroupBinding. It supports allowing traffic to reach the targets on specific ports from a specified CIDR or security group (it is preferred to use the LB's security group).
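The spec.networking section described above, written out as an added example that is not from this issue or from the controller project's own docs; the target group ARN, security group ID, Service name and port are placeholder assumptions:

```yaml
# TargetGroupBinding for an ALB target group provisioned outside the controller
# (e.g. with Terraform). spec.networking tells the controller which inbound
# rules to add to the security group attached to the targets' network
# interfaces (with the default VPC CNI that is the worker node security group),
# so the node security group does not have to be opened by hand.
apiVersion: elbv2.k8s.aws/v1beta1
kind: TargetGroupBinding
metadata:
  name: web-tgb                      # assumed name
  namespace: default
spec:
  serviceRef:
    name: web                        # assumed Service whose endpoints become targets
    port: 80
  # Placeholder ARN: substitute the target group created by Terraform.
  targetGroupARN: arn:aws:elasticloadbalancing:REGION:ACCOUNT_ID:targetgroup/PLACEHOLDER/0000000000000000
  targetType: ip
  networking:
    ingress:
      # Scope the source to the ALB's own security group rather than a CIDR:
      # only the load balancer can reach the targets, not every host in the
      # VPC, and nothing on the internet. An ipBlock with cidr 0.0.0.0/0 here
      # would be the weak equivalent and should be avoided.
      - from:
          - securityGroup:
              groupID: sg-0123456789abcdef0   # placeholder: the ALB's security group
        ports:
          - protocol: TCP
            port: 80                           # only the target port is opened
```

The controller's IAM policy must include the ec2:AuthorizeSecurityGroupIngress and ec2:RevokeSecurityGroupIngress permissions for these rules to be applied; verify the resulting inbound rule on the node security group in the EC2 console after the binding reconciles.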
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- lifecycle/stale is applied
- once lifecycle/stale was applied, lifecycle/rotten is applied
- once lifecycle/rotten was applied, the issue is closed
You can:
- /remove-lifecycle stale
- /close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- lifecycle/stale is applied
- once lifecycle/stale was applied, lifecycle/rotten is applied
- once lifecycle/rotten was applied, the issue is closed
You can:
- /remove-lifecycle rotten
- /close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
This bot triages issues according to the following rules:
- lifecycle/stale is applied
- once lifecycle/stale was applied, lifecycle/rotten is applied
- once lifecycle/rotten was applied, the issue is closed
You can:
- /reopen
- /remove-lifecycle rotten
Please send feedback to sig-contributor-experience at kubernetes/community.
/close not-planned
@k8s-triage-robot: Closing this issue, marking it as "Not Planned".
Describe the bug: The pods are getting registered to the specified targetGroupARN correctly, but the security groups on the nodes are not adjusted to allow the traffic from the load balancer. Even specifically passing a security group with the ingress annotation is not helping.
Is this a bug here? If this is not a bug, what is the correct way to adjust the node security group to allow traffic from the load balancer for an external load balancer?
Steps to reproduce
Expected outcome: Should the security group of the node be adjusted to allow traffic from the load balancer for an external load balancer?
Environment
AWS Load Balancer controller version: v2.7.2
Kubernetes version: v1.29.3-eks-adc7111
Using EKS (yes/no), if so version? yes - v1.29.3-eks-adc7111
Additional Context:
For cases where the load balancer is created by the controller, the node security groups are adjusted correctly to allow traffic from the load balancer.