Kubernetes和AWS:将LoadBalancer设置为使用预定义的安全组 [英] Kubernetes and AWS: Set LoadBalancer to use predefined Security Group

问题描述

正如标题所述，我正在寻找一种方法来强制LoadBalancer服务在AWS中使用预定义的安全组.我不想手动编辑Kubernetes为ELB创建的安全组的入站/出站规则.我无法在文档中找到任何内容，也找不到在网上其他地方可以使用的任何内容.这是我当前的模板:

As the title says, I am looking for a way to force a LoadBalancer service to use a predefined security group in AWS. I do not want to have to manually edit the inbound/outbound rules of the security group that is created for the ELB by Kubernetes. I have not been able to find anything within the documentation, nor have I located anything that works elsewhere online. Here is my current template:

apiVersion: v1
kind: Service
metadata:
  name: ds-proxy
spec:
  type: LoadBalancer
  ports:
  - port: 8761 # the port that this service should serve on
    targetPort: 8761
    protocol: TCP
  selector:
    app: discovery-service

推荐答案

您不能阻止Kubernetes创建新的安全组.但是自从提交Andonaeus的答案以来，已添加了一项新功能，该功能允许您通过服务的配置文件显式定义入站权限.

You cannot prevent Kubernetes from creating a new security group. But since Andonaeus' answer was submitted a new feature has been added which allows for explicitly defining inbound permissions via your service's configuration file.

请参见

See the user guide details for the specifics. The example provided there shows that by using spec.loadBalancerSourceRanges you can provide allow inbound IPs:

在以下示例中，将创建一个负载平衡器，该负载平衡器仅可供IP地址为130.211.204.1和130.211.204.2.的客户端访问.

In the following example, a load blancer will be created that is only accessible to clients with IP addresses from 130.211.204.1 and 130.211.204.2.

apiVersion: v1
kind: Service
metadata:
  name: myapp
spec:
  ports:
    - port: 8765
      targetPort: 9376
  selector:
    app: example
  type: LoadBalancer
  loadBalancerSourceRanges:
  - 130.211.204.1/32
  - 130.211.204.2/32

这篇关于Kubernetes和AWS:将LoadBalancer设置为使用预定义的安全组的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！