为什么在 alb.ingress.kubernetes.io/security-groups 注释中提供的安全组上尝试删除 [英] Why delete is attempted on the security group provided in alb.ingress.kubernetes.io/security-groups annotation

问题描述

我有一个 EKS 集群，我正在使用 aws-load-balancer-controller:v2.1.1.我正在使用以下 aws alb 入口

I have an EKS cluster and I am using aws-load-balancer-controller:v2.1.1. I am using the below aws alb ingress

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-alb-ingress
  namespace: myns
  labels: 
    app: myns-alb-ingress
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/tags: Team=myteam
    alb.ingress.kubernetes.io/group.name: my-apps
    alb.ingress.kubernetes.io/certificate-arn: arn:xxx
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'

还有一个安全组sg-xxxxc91467c97bbb"描述为[k8s] Managed SecurityGroup for LoadBalancer".

Also there is a security group "sg-xxxxc91467c97bbb" with the description "[k8s] Managed SecurityGroup for LoadBalancer".

我在此安全组中添加了一堆 IP 地址作为入站规则.现在，每当我添加任何主机规则(路径/后端服务)并应用此入口时，此安全组的所有入站规则都会被删除并自动添加 0.0.0.0/0.

I have a bunch of IP addresses added in this Security Group as inbound rules. Now whenever I add any host rules (path/ backend service ) and apply this ingress, all the inbound rules of this security group gets deleted and 0.0.0.0/0 gets added automatically.

如何防止这种情况发生，以便保留入站规则?

我尝试添加

alb.ingress.kubernetes.io/security-groups: sg-xxxxc91467c97bbb

到上面的注释，它保留了所有的规则.但是在

to the annotations above and it retains all the rules. However in the output of

kubectl logs -n kube-system   deployment.apps/aws-load-balancer-controller

我看到类似的日志

{"level":"info","ts":1615287229.3065767,"logger":"controllers.ingress","msg":"deleting securityGroup","securityGroupID":"sg-xxxxc91467c97bbb"}

在入口描述中，我看到类似的事件

and in the ingress describe, I see event like

Events:
  Type     Reason             Age                    From     Message
  ----     ------             ----                   ----     -------
  Warning  FailedDeployModel  5m2s (x9 over 20m)  ingress  Failed deploy model due to failed to delete securityGroup: timed out waiting for the condition

因此，如果我在注释中提供安全组，入站规则将被保留，但某些东西会尝试删除我不想要的安全组本身.有什么建议吗?

So if I provide the security group in the annotations, the inbound rules are retained but something tries to delete the security group itself which I don't want. Any suggestions?

推荐答案

我遇到了类似的问题，因此我创建了一个新的安全组 (sg-xxxxxxx042)，其中包含所有必要的入站规则，并将其传递给注释，如下所示.

I had faced similar issues so I created a new security group (sg-xxxxxxx042) with all necessary inbound rules and passed it to annotation as follows.

alb.ingress.kubernetes.io/security-groups: sg-xxxxxxx042

alb.ingress.kubernetes.io/security-groups: sg-xxxxxxx042

除此之外，我还需要向附加到 eks 工作节点(ec2 实例)的安全组添加一个入站规则

along with that, I needed to add one more inbound rule to security groups attached to the eks worker nodes (ec2 instances)

在我的例子中，安全组名称以附加到实例的 eks-remoteAccess-**** 开头.

In my case security group name starts with eks-remoteAccess-**** which is attached to the instance.

我添加了以下入站规则

Alltraffic All 所有自定义 sg-xxxxxxx042

Alltraffic All All custom sg-xxxxxxx042

这篇关于为什么在 alb.ingress.kubernetes.io/security-groups 注释中提供的安全组上尝试删除的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！