EKS Calico: allow inbound from AWS classic ELB to pod

10/10/2018

I'm trying to set up network policies to allow only inbound traffic from the AWS classic load balancer to the pods. Nothing else should be able to talk to the pods, which includes any pod replicas. I've configured the following but it does not work. Any ideas what I'm missing? As soon as I apply this, the health checks on the load balancer fail.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: a-b-c1
  labels:
    app: a-b-c1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: a-b-c1
  template:
    metadata:
      labels:
        app: a-b-c1
    spec:
      containers:
      - name: a-b-c1
        image: image:latest
        ports:
        - name: http-server1
          containerPort: 80
        resources:
          requests:
            cpu: 0.5
---
kind: Service
apiVersion: v1
metadata:
  name: a-b-c-elb1
  labels:
    app: a-b-c1
    name: a-b-c1-elb
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
    service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "environment=eks"
spec:
  ports: 
    - port: 80
      targetPort: http-server1
  selector:
    app: a-b-c1
  type: LoadBalancer
  loadBalancerSourceRanges:
  - 10.0.0.0/8
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-elb
spec:
  podSelector:
    matchLabels:
      app: a-b-c1
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          name: a-b-c1-elb
-- kgmc
amazon-eks
aws-eks
kubernetes
project-calico

1 Answer

10/10/2018

I don't think this is possible in AWS.

In this network policy you are limiting ingress to pods labelled with a-b-c1-elb, but this doesn't represent the service; it only represents a hypothetical pod with the label name: a-b-c1-elb (it is a podSelector, not a serviceSelector, which sadly doesn't exist).

A network policy allows matching traffic with a pod selector, a namespace selector and/or a block of IPs. In your case, the only one that could do the job is the block of IPs. You could limit the traffic to the IP of the load balancer and that would do the trick.

But in AWS the load balancers have ephemeral IPs that change whenever they want, so it is not possible to limit the traffic to the load balancer. The most you could get is to limit the traffic to the subnet's CIDR.

-- Ignacio Millán
Source: StackOverflow
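
The answer's fallback of limiting ingress to the subnet's CIDR, written out as an added example (not part of the original answer or the asker's manifests). The two CIDRs and the policy name are constructed placeholders; the pod label and port 80 come from the question's Deployment.

```yaml
# Added example: replaces the podSelector rule from the question with
# ipBlock rules, the only NetworkPolicy peer type that can describe an ELB.
# 10.0.1.0/24 and 10.0.2.0/24 are constructed placeholders for the subnets
# the classic ELB is attached to; substitute the real subnet CIDRs.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-elb-subnets   # hypothetical name
spec:
  podSelector:
    matchLabels:
      app: a-b-c1                # pods from the question's Deployment
  policyTypes:
  - Ingress
  ingress:
  - from:
    # Peers listed under one "from" are OR-ed together.
    - ipBlock:
        cidr: 10.0.1.0/24
    - ipBlock:
        cidr: 10.0.2.0/24
    ports:
    # Only the container port the Service targets (http-server1 = 80).
    - protocol: TCP
      port: 80
# Caveats:
# - Anything else with an address inside these CIDRs is allowed too,
#   so this is coarser than "only the load balancer".
# - Assumption: the source address the pod sees falls inside these CIDRs.
#   With the Service's default externalTrafficPolicy (Cluster), traffic may
#   arrive with a node's address as source, so the node subnets may need
#   to be covered as well.
```

After applying, `kubectl describe networkpolicy allow-from-elb-subnets` shows the rules as the cluster parsed them; the ELB health checks are the practical test of whether the chosen CIDRs cover the addresses the pods actually see.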