Set c.cfg.Global.ElbSecurityGroup in Kubernetes

2/25/2019

I'm trying to create an ElasticLoadBalancer for a Kubernetes cluster running on EKS. I would like to avoid creating a new security group and instead use one that I specify. From the Kubernetes source code (below) it appears that I can accomplish this by setting c.cfg.Global.ElbSecurityGroup.

func (c *Cloud) buildELBSecurityGroupList(...) {
    var securityGroupID string

    if c.cfg.Global.ElbSecurityGroup != "" {
        securityGroupID = c.cfg.Global.ElbSecurityGroup
    } else {
        ...
    }
    ...
}

How can I set the Kubernetes global config value ElbSecurityGroup?

Related and outdated question: Kubernetes and AWS: Set LoadBalancer to use predefined Security Group

-- bphi
amazon-web-services
aws-eks
kubernetes

1 Answer

3/4/2019

As mentioned in the kops documentation, you can do it by editing the kops cluster configuration:

cloudConfig

elbSecurityGroup

WARNING: this works only for Kubernetes versions above 1.7.0.

To avoid creating a security group per ELB, you can specify a security group ID that will be assigned to your LoadBalancer. It must be a security group ID, not a name. api.loadBalancer.additionalSecurityGroups must be empty, because Kubernetes will add rules for the ports that are specified in the service file. This can be useful to avoid AWS limits: 500 security groups per region and 50 rules per security group.

spec:
  cloudConfig:
    elbSecurityGroup: sg-123445678

-- VAS
Source: StackOverflow
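
A pre-flight check for the constraints quoted in the answer, as an added example that is not part of the original question or answer and is not kops or Kubernetes code. It assumes the kops `spec` and the Service manifests have already been loaded into dicts, that a security group ID is `sg-` followed by hex digits, and that each LoadBalancer Service costs one ingress rule per port and source range; the function names and sample data are hypothetical.

```python
import re

# Assumption: a security group ID is "sg-" followed by hex digits.
SG_ID = re.compile(r"^sg-[0-9a-f]+$")
RULES_PER_GROUP = 50  # per-group rule limit quoted in the answer


def projected_rules(services):
    """Estimate ingress rules the shared group would need.

    Assumption: one rule per (port, source range) of each LoadBalancer
    Service; the cloud provider's exact accounting may differ.
    """
    total = 0
    for svc in services:
        spec = svc.get("spec") or {}
        if spec.get("type") != "LoadBalancer":
            continue
        ranges = spec.get("loadBalancerSourceRanges") or ["0.0.0.0/0"]
        total += len(spec.get("ports") or []) * len(ranges)
    return total


def check_shared_elb_group(cluster_spec, services):
    """Return problems found in a kops `spec` dict and Service manifests."""
    problems = []
    sg = (cluster_spec.get("cloudConfig") or {}).get("elbSecurityGroup") or ""
    if not SG_ID.match(sg):
        problems.append(f"elbSecurityGroup {sg!r} is not a security group ID")
    lb = (cluster_spec.get("api") or {}).get("loadBalancer") or {}
    if lb.get("additionalSecurityGroups"):
        problems.append("api.loadBalancer.additionalSecurityGroups must be empty")
    rules = projected_rules(services)
    if rules > RULES_PER_GROUP:
        problems.append(f"{rules} projected rules exceed the limit of {RULES_PER_GROUP}")
    return problems


# Constructed sample input (not from the original page).
WEB = {"spec": {"type": "LoadBalancer", "ports": [{"port": 80}, {"port": 443}]}}
ADMIN = {"spec": {"type": "LoadBalancer", "ports": [{"port": 8443}],
                  "loadBalancerSourceRanges": ["10.0.0.0/8", "192.168.0.0/16"]}}
GOOD = {"cloudConfig": {"elbSecurityGroup": "sg-123445678"}}
BAD = {"cloudConfig": {"elbSecurityGroup": "my-elb-sg"},
       "api": {"loadBalancer": {"additionalSecurityGroups": ["sg-0abc"]}}}

if __name__ == "__main__":
    print(check_shared_elb_group(GOOD, [WEB, ADMIN]))
    print(check_shared_elb_group(BAD, [WEB] * 30))
```

Because every LoadBalancer Service writes its rules into the same group, the rule budget is shared across the cluster, which is why the check sums over all Services rather than looking at one.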