I am using an existing Security Group in the security-groups annotation. But while creating the ALB through the Ingress it is attaching a default SG. Why is it not attaching the existing SG used in my annotation? I am using alb-ingress-controller.
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: app-ingress
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: "instance"
    alb.ingress.kubernetes.io/security-groups: sg-**********
    alb.ingress.kubernetes.io/certificate-arn: arn
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80,"HTTPS": 443}]'
spec:
  rules:
    - host: host
      http:
        paths:
          - path: /
            backend:
              serviceName: serviceName
              servicePort: 80
```
The actual syntax for the annotation is `alb.ingress.kubernetes.io/security-groups: sg-xxxx, nameOfSg1, nameOfSg2`.

You need to create a pair of SGs: one attached to the ELB and the other attached to the worker nodes where the pods are running.

If sg-12345 with Name tag 'elb_sg' is attached to the ELB and 'worker_sg' is attached to the worker nodes, then the annotation should be: `alb.ingress.kubernetes.io/security-groups: sg-12345, elb_sg, worker_sg`

And don't forget to add an inbound rule on worker_sg allowing all traffic from elb_sg.
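As an added example (not code from the question or from either answer), the following parses the comma-separated annotation value described above, resolves Name-tag tokens to group IDs, and checks that the worker SG's inbound rules are sourced only from the ELB SG rather than from an open CIDR. The group IDs, names and the describe-security-groups-shaped data are all constructed for the example.

```python
# Added example: annotation parsing plus a least-privilege check on the
# worker SG. All IDs, names and group data below are constructed.
from typing import Dict, List

def parse_annotation(value: str) -> List[str]:
    """Split 'sg-xxxx, name1, name2' into trimmed, non-empty tokens."""
    return [t.strip() for t in value.split(",") if t.strip()]

def resolve_ids(tokens: List[str], groups: List[Dict]) -> List[str]:
    """Map each token to a group ID: 'sg-' tokens pass through, anything
    else is looked up by its Name tag. Unknown names raise so a typo in
    the annotation is caught instead of being silently ignored."""
    by_name = {t["Value"]: g["GroupId"] for g in groups
               for t in g.get("Tags", []) if t["Key"] == "Name"}
    ids = []
    for tok in tokens:
        if tok.startswith("sg-"):
            ids.append(tok)
        elif tok in by_name:
            ids.append(by_name[tok])
        else:
            raise KeyError(f"no security group with Name tag {tok!r}")
    return ids

def worker_allows_only_elb(worker: Dict, elb_id: str) -> bool:
    """True when every inbound rule on the worker SG is sourced from the
    ELB SG and no rule opens a CIDR range (for example 0.0.0.0/0)."""
    perms = worker.get("IpPermissions", [])
    if not perms:
        return False  # no inbound rule at all: the ELB cannot reach pods
    for p in perms:
        if p.get("IpRanges") or p.get("Ipv6Ranges"):
            return False  # CIDR-based rule, wider than the ELB SG
        pairs = p.get("UserIdGroupPairs", [])
        if not pairs or any(x["GroupId"] != elb_id for x in pairs):
            return False
    return True

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
GROUPS = [
    {"GroupId": "sg-0elb00000000",
     "Tags": [{"Key": "Name", "Value": "elb_sg"}],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0wrk00000000",
     "Tags": [{"Key": "Name", "Value": "worker_sg"}],
     "IpPermissions": [{"IpProtocol": "-1",
                        "UserIdGroupPairs": [{"GroupId": "sg-0elb00000000"}]}]},
]
```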
I'm having no issue with specifying an existing Security Group through the 'security-groups' annotation (it works without any problem with aws-alb-ingress-controller v1.1.2; which one do you use?).

Do you see any errors in the alb-ingress controller's Pod while creating the new Ingress resource?

You can check it with the following command*:

```sh
kubectl logs -n kube-system $(kubectl get po -n kube-system | egrep -o alb-ingress[a-zA-Z0-9-]+)
```

* might differ a bit in your case, depending on which namespace alb-ingress was deployed into.