Kubernetes and AWS: Set LoadBalancer to use predefined Security Group

Andonaeus picture Andonaeus · Jan 12, 2016 · Viewed 10.4k times · Source

As the title says, I am looking for a way to force a LoadBalancer service to use a predefined security group in AWS. I do not want to have to manually edit the inbound/outbound rules of the security group that is created for the ELB by Kubernetes. I have not been able to find anything within the documentation, nor have I located anything that works elsewhere online. Here is my current template:

apiVersion: v1
kind: Service
metadata:
  name: ds-proxy
spec:
  type: LoadBalancer
  ports:
  - port: 8761 # the port that this service should serve on
    targetPort: 8761
    protocol: TCP
  selector:
    app: discovery-service

Answer

Keyan P picture Keyan P · Oct 27, 2016

You cannot prevent Kubernetes from creating a new security group. But since Andonaeus' answer was submitted a new feature has been added which allows for explicitly defining inbound permissions via your service's configuration file.

See the user guide details for the specifics. The example provided there shows that by using spec.loadBalancerSourceRanges you can provide allow inbound IPs:

In the following example, a load blancer will be created that is only accessible to clients with IP addresses from 130.211.204.1 and 130.211.204.2.

apiVersion: v1
kind: Service
metadata:
  name: myapp
spec:
  ports:
    - port: 8765
      targetPort: 9376
  selector:
    app: example
  type: LoadBalancer
  loadBalancerSourceRanges:
  - 130.211.204.1/32
  - 130.211.204.2/32