问题描述

正如标题所述，我正在寻找一种方法来强制LoadBalancer服务在AWS中使用预定义的安全组.我不想手动编辑Kubernetes为ELB创建的安全组的入站/出站规则.我无法在文档中找到任何内容，也找不到在网上其他地方可以使用的任何内容.这是我当前的模板:

As the title says, I am looking for a way to force a LoadBalancer service to use a predefined security group in AWS. I do not want to have to manually edit the inbound/outbound rules of the security group that is created for the ELB by Kubernetes. I have not been able to find anything within the documentation, nor have I located anything that works elsewhere online. Here is my current template:

apiVersion: v1
kind: Service
metadata:
  name: ds-proxy
spec:
  type: LoadBalancer
  ports:
  - port: 8761 # the port that this service should serve on
    targetPort: 8761
    protocol: TCP
  selector:
    app: discovery-service

推荐答案

您不能阻止Kubernetes创建新的安全组.但是自从提交Andonaeus的答案以来，已添加了一项新功能，该功能允许您通过服务的配置文件显式定义入站权限.

You cannot prevent Kubernetes from creating a new security group. But since Andonaeus' answer was submitted a new feature has been added which allows for explicitly defining inbound permissions via your service's configuration file.

请参见具体的用户指南详细信息.此处提供的示例表明，使用spec.loadBalancerSourceRanges可以提供允许入站IP:

See the user guide details for the specifics. The example provided there shows that by using spec.loadBalancerSourceRanges you can provide allow inbound IPs:

apiVersion: v1
kind: Service
metadata:
  name: myapp
spec:
  ports:
    - port: 8765
      targetPort: 9376
  selector:
    app: example
  type: LoadBalancer
  loadBalancerSourceRanges:
  - 130.211.204.1/32
  - 130.211.204.2/32

这篇关于Kubernetes和AWS:将LoadBalancer设置为使用预定义的安全组的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！