Why delete is attempted on the security group provided in alb.ingress.kubernetes.io/security-groups annotation


Problem description


I have an EKS cluster and I am using aws-load-balancer-controller:v2.1.1. I am using the below aws alb ingress

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-alb-ingress
  namespace: myns
  labels: 
    app: myns-alb-ingress
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/tags: Team=myteam
    alb.ingress.kubernetes.io/group.name: my-apps
    alb.ingress.kubernetes.io/certificate-arn: arn:xxx
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'


Also there is a security group "sg-xxxxc91467c97bbb" with the description "[k8s] Managed SecurityGroup for LoadBalancer".


I have a bunch of IP addresses added in this Security Group as inbound rules. Now whenever I add any host rules (path/backend service) and apply this ingress, all the inbound rules of this security group get deleted and 0.0.0.0/0 gets added automatically.

How can I prevent this so that the inbound rules are retained?

I tried adding

alb.ingress.kubernetes.io/security-groups: sg-xxxxc91467c97bbb


to the annotations above and it retains all the rules. However in the output of

kubectl logs -n kube-system   deployment.apps/aws-load-balancer-controller

I see logs like

{"level":"info","ts":1615287229.3065767,"logger":"controllers.ingress","msg":"deleting securityGroup","securityGroupID":"sg-xxxxc91467c97bbb"}

and in the ingress describe, I see an event like

Events:
  Type     Reason             Age                    From     Message
  ----     ------             ----                   ----     -------
  Warning  FailedDeployModel  5m2s (x9 over 20m)  ingress  Failed deploy model due to failed to delete securityGroup: timed out waiting for the condition


So if I provide the security group in the annotations, the inbound rules are retained but something tries to delete the security group itself which I don't want. Any suggestions?

Recommended answer


I had faced similar issues so I created a new security group (sg-xxxxxxx042) with all necessary inbound rules and passed it to annotation as follows.


alb.ingress.kubernetes.io/security-groups: sg-xxxxxxx042

Along with that, I needed to add one more inbound rule to the security groups attached to the EKS worker nodes (EC2 instances).


In my case security group name starts with eks-remoteAccess-**** which is attached to the instance.

I added the following inbound rule:

Type         Protocol  Port range  Source
All traffic  All       All         Custom sg-xxxxxxx042
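The question and the answer together describe a three-part wiring: the ingress names a security group in the alb.ingress.kubernetes.io/security-groups annotation, that group carries the IP allowlist, and the worker-node security group has an inbound rule whose source is that group. The following is an added example (not code from the question, the answer or the aws-load-balancer-controller project) that checks those three parts over security-group records in the shape returned by boto3's ec2.describe_security_groups()["SecurityGroups"]. It uses constructed, embedded sample records with placeholder group IDs so it runs offline; it assumes the annotation holds comma-separated group IDs and that the worker-node group ID is known (here a constructed NODE_SG_ID). Swap in real describe output to audit a live cluster.

```python
"""Check the ALB ingress security-group wiring described on this page.

Added example, not from the original question or answer. Records follow the
boto3 describe_security_groups() shape but are constructed placeholders.
"""
from typing import Dict, List, Set

ANNOTATION = "alb.ingress.kubernetes.io/security-groups"
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}


def parse_sg_annotation(annotations: Dict[str, str]) -> List[str]:
    """Return the group IDs listed in the annotation (assumed comma-separated)."""
    raw = annotations.get(ANNOTATION, "")
    return [item.strip() for item in raw.split(",") if item.strip()]


def inbound_sources(sg: dict) -> Set[str]:
    """Collect every inbound source (CIDR or source group ID) of one group."""
    sources: Set[str] = set()
    for perm in sg.get("IpPermissions", []):
        for cidr in perm.get("IpRanges", []):
            sources.add(cidr["CidrIp"])
        for pair in perm.get("UserIdGroupPairs", []):
            sources.add(pair["GroupId"])
    return sources


def check_alb_sg_wiring(annotations: Dict[str, str],
                        security_groups: List[dict],
                        node_sg_id: str) -> List[str]:
    """Return findings; an empty list means the wiring matches the answer.

    1. every group named in the annotation exists;
    2. none of them is open to the world inbound (the symptom the asker saw);
    3. the worker-node group allows inbound traffic from each listed group
       (the 'All traffic ... Custom sg-...' rule the answer adds).
    """
    by_id = {sg["GroupId"]: sg for sg in security_groups}
    findings: List[str] = []
    listed = parse_sg_annotation(annotations)
    if not listed:
        return [f"{ANNOTATION} is not set; the controller will manage its own group"]
    node_sg = by_id.get(node_sg_id)
    if node_sg is None:
        findings.append(f"worker-node group {node_sg_id} not found")
    for sg_id in listed:
        sg = by_id.get(sg_id)
        if sg is None:
            findings.append(f"{sg_id} from annotation does not exist")
            continue
        open_found = OPEN_CIDRS & inbound_sources(sg)
        if open_found:
            findings.append(f"{sg_id} allows inbound from {sorted(open_found)}")
        if node_sg is not None and sg_id not in inbound_sources(node_sg):
            findings.append(
                f"worker-node group {node_sg_id} has no inbound rule from {sg_id}")
    return findings


# Constructed sample records with placeholder IDs (not from any real account).
ALB_SG_ID = "sg-0000000000000042"
NODE_SG_ID = "sg-0000000000000007"
SAMPLE_SGS = [
    {"GroupId": ALB_SG_ID, "GroupName": "my-alb-ingress-sg",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []},
     ]},
    {"GroupId": NODE_SG_ID, "GroupName": "eks-remoteAccess-example",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [],
          "UserIdGroupPairs": [{"GroupId": ALB_SG_ID}]},
     ]},
]
GOOD_ANNOTATIONS = {ANNOTATION: ALB_SG_ID}

if __name__ == "__main__":
    for line in check_alb_sg_wiring(GOOD_ANNOTATIONS, SAMPLE_SGS, NODE_SG_ID) or ["ok"]:
        print(line)
```

Run against live data by replacing SAMPLE_SGS with the "SecurityGroups" list from describe_security_groups and NODE_SG_ID with the group attached to the worker nodes; the third check is the one that, when it fails, matches the situation the answer fixes with the extra node-group rule.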
