
I have an AWS EKS version 1.26 cluster up and hosting a Java application. I am managing ingress configurations by running an ingress-nginx controller version 4.5.2. Through ingress-nginx I have configured an external NLB with the following configuration yaml file and helm command:

external-controller.yaml

defaultBackend:
  nodeSelector:
    kubernetes.io/os: "linux"

controller:
  replicaCount: 2
  nodeSelector:
    kubernetes.io/os: "linux"
  ingressClassResource:
    name: nginx-ext
    enabled: true
    default: false
    controllerValue: "example.com/ingress-nginx-ext"
  ingressClass: nginx-ext
  ingressClassByName: true
  service:
    # Enable the external LB
    external:
      enabled: true
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-internal: "false"
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
      service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
      service.beta.kubernetes.io/aws-load-balancer-type: nlb

Helm command

 helm install "ext-nginx-ingress-controller" ingress-nginx/ingress-nginx \
   --namespace "ext-ingress" \
   --version 4.5.2 \
   -f "external-controller.yaml"

Executing this helm command results in the creation of an internet-facing NLB, which is exactly what I want. That said, what is not to my liking is that in the AWS console, if I check the Security tab under this NLB I just created, I see the following message:

No security group associated

Because this load balancer was created without a security group, these settings can’t be changed. To utilize security groups, ensure that one is specified during creation of the load balancer.

What do I need to add to external-controller.yaml to get a security group associated to my NLB at creation time?

Any help is appreciated, thanks.

2 Answers


  1. What about this annotation?

      service.beta.kubernetes.io/aws-load-balancer-security-groups: SECURITY_GROUP
    

    Citing official AWS page:

    The controller allows you to specify existing security groups through a Kubernetes annotation called service.beta.kubernetes.io/aws-load-balancer-security-groups.

    When this annotation is added to the Service, the controller attaches the security groups referenced by the annotation. This effectively allows your security team to manage the security groups assigned to the load balancer…

    Aws.amazon.com: Blogs: Containers: Network load balancer now support security groups


    Additional resources:

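As an added illustration (not the poster's file and not part of the answer above), here is the external-controller.yaml from the question extended with the annotation the answer proposes. The quoted AWS blog describes the AWS Load Balancer Controller, so this example assumes that controller (version 2.6.0 or later, which added NLB security group support) is installed in the cluster and that the Service is handed to it via the `external` load balancer type rather than to the in-tree cloud provider; the security group ID is a placeholder.

```yaml
# external-controller.yaml (added example, assumes the AWS Load Balancer Controller >= 2.6.0)
defaultBackend:
  nodeSelector:
    kubernetes.io/os: "linux"

controller:
  replicaCount: 2
  nodeSelector:
    kubernetes.io/os: "linux"
  ingressClassResource:
    name: nginx-ext
    enabled: true
    default: false
    controllerValue: "example.com/ingress-nginx-ext"
  ingressClass: nginx-ext
  ingressClassByName: true
  service:
    # Enable the external LB
    external:
      enabled: true
    annotations:
      # "external" makes the AWS Load Balancer Controller reconcile this Service;
      # the in-tree provider selected by "nlb" creates the NLB without a security group.
      service.beta.kubernetes.io/aws-load-balancer-type: external
      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
      service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
      # Attach a pre-created security group to the NLB at creation time.
      # Placeholder ID: replace with your own group ID or name (comma-separate several).
      service.beta.kubernetes.io/aws-load-balancer-security-groups: sg-0123456789abcdef0
      # When you supply your own frontend security groups, the controller does not
      # manage the node security group rules unless told to; enabling this keeps the
      # ingress-nginx NodePorts reachable only from the NLB's group.
      service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules: "true"
```

After `helm install` (or `helm upgrade`) with this file, `kubectl get svc -n ext-ingress` shows the NLB hostname; `aws elbv2 describe-load-balancers --query 'LoadBalancers[].[DNSName,SecurityGroups]'` should list the placeholder-replaced group next to that hostname, which is the check the console's Security tab is performing. The security group itself has to exist before the Service is created, because the page's console message confirms a group cannot be added to an NLB afterwards.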
  2. Sorry, not an answer. I cannot comment since I do not have enough reputation 😐
    @nabello, have you figured out how to do this?
