I'm trying to create an ElasticLoadBalancer for a Kubernetes cluster running on EKS. I would like to avoid creating a new security group and instead use one that I specify. From the Kubernetes source code (below) it appears that I can accomplish this by setting c.cfg.Global.ElbSecurityGroup.
    func (c *Cloud) buildELBSecurityGroupList(...) {
        var securityGroupID string
        if c.cfg.Global.ElbSecurityGroup != "" {
            securityGroupID = c.cfg.Global.ElbSecurityGroup
        } else {
            ...
        }
        ...
    }
How can I set the Kubernetes global config value ElbSecurityGroup?
Related and outdated question: Kubernetes and AWS: Set LoadBalancer to use predefined Security Group
As mentioned in the kops documentation, you can do it by editing the kops cluster configuration:
WARNING: this works only for Kubernetes version above 1.7.0.
To avoid creating a security group per elb, you can specify security group id, that will be assigned to your LoadBalancer. It must be security group id, not name. api.loadBalancer.additionalSecurityGroups must be empty, because Kubernetes will add rules per ports that are specified in service file. This can be useful to avoid AWS limits: 500 security groups per region and 50 rules per security group.
    spec:
      cloudConfig:
        elbSecurityGroup: sg-123445678
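A pre-flight check for the three conditions quoted in the answer above, as an added example that is not part of the original answer or of kops itself. It assumes the cluster spec has been exported as JSON (for instance with `kops get cluster -o json`); `CheckSpec`, the `kubernetesVersion` field name and the sample values are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

type cluster struct {
	Spec struct {
		KubernetesVersion string `json:"kubernetesVersion"` // assumed field name
		CloudConfig       struct {
			ElbSecurityGroup string `json:"elbSecurityGroup"`
		} `json:"cloudConfig"`
		API struct {
			LoadBalancer struct {
				AdditionalSecurityGroups []string `json:"additionalSecurityGroups"`
			} `json:"loadBalancer"`
		} `json:"api"`
	} `json:"spec"`
}

var sgID = regexp.MustCompile(`^sg-[0-9a-f]{8,17}$`) // matches an ID, never a group name

// CheckSpec returns one finding per condition the spec violates.
func CheckSpec(raw []byte) (findings []string, err error) {
	var c cluster
	if err = json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	var x, y, z int // major, minor, patch
	if n, _ := fmt.Sscanf(c.Spec.KubernetesVersion, "%d.%d.%d", &x, &y, &z); n != 3 ||
		x < 1 || (x == 1 && (y < 7 || (y == 7 && z == 0))) {
		findings = append(findings, "kubernetesVersion must be above 1.7.0")
	}
	if !sgID.MatchString(c.Spec.CloudConfig.ElbSecurityGroup) {
		findings = append(findings, "elbSecurityGroup must be a security group ID, not a name")
	}
	if len(c.Spec.API.LoadBalancer.AdditionalSecurityGroups) > 0 {
		findings = append(findings, "api.loadBalancer.additionalSecurityGroups must be empty")
	}
	return findings, nil
}

// Constructed sample: a group name instead of an ID, and a non-empty additional list.
const sample = `{"spec":{"kubernetesVersion":"1.9.3","cloudConfig":{"elbSecurityGroup":"my-elb-sg"},"api":{"loadBalancer":{"additionalSecurityGroups":["sg-0a1b2c3d"]}}}}`

func main() {
	fmt.Println(CheckSpec([]byte(sample)))
}
```

An empty result means the spec satisfies all three conditions; a shared ELB group is then the only group Kubernetes adds per-port rules to, so its rule count is worth watching against the 50-rule limit mentioned above.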