External load balancer via targetGroupARN does not modify the security group to allow traffic from load balancer #3703
Comments
@prakashbalaji Hey, was the load balancer created successfully? Were you trying to create an NLB or ALB?
@oliviassss - This is the case of us creating the load balancer externally, outside of the controller. We used Terraform to provision the load balancer and we are using an ALB here. The issue is that the pods are getting registered as targets to the load balancer, but the EKS node security group rules are not amended to allow traffic from the load balancer. When the controller creates the load balancer, it augments the security group rules.
@prakashbalaji, sorry I missed that.
Thanks @oliviassss for the response. I can for sure tell you that the security group rules are not amended for the self-managed LB. As I think more, it seems right for the controller not to manage the security group, as we create the load balancer and security group outside and we are supposed to allow traffic from the load balancer to the EKS node. I think this issue can be closed as we are taking that approach, and also it would be good to document it in the notes about security groups. The linked article does not talk about security groups, hence the confusion. Thanks for your inputs, btw.
Thanks for the confirmation.
@prakashbalaji
Describe the bug
The pods are getting registered to the targetGroupARN specified correctly, but the security groups in the nodes are not adjusted to allow the traffic from the load balancer. Even specifically passing a security group with the ingress annotation is not helping.
Is this a bug here? If this is not a bug, what is the correct way to adjust the node security group to allow traffic from the load balancer for an external load balancer?
Steps to reproduce
Expected outcome
Should security group of node be adjusted to allow traffic from load balancer for external load balancer?
Environment
AWS Load Balancer controller version : v2.7.2
Kubernetes version v1.29.3-eks-adc7111
Using EKS (yes/no), if so version? yes - v1.29.3-eks-adc7111
Additional Context:
For cases when the load balancer is created by the controller, the node security groups are adjusted correctly to allow traffic from load balancer.
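A check for the gap this thread describes, as an added example that is not part of the issue or the controller's code: given a node security group's rules in the `IpPermissions` shape returned by EC2 DescribeSecurityGroups, it reports whether traffic from the load balancer's security group is admitted on the target port. The security group IDs, the target port 8080 and the CIDRs are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: node security group rules in the "IpPermissions" shape
# of EC2 DescribeSecurityGroups. All IDs, ports and CIDRs are placeholders.
NODE_SG_RULES = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "UserIdGroupPairs": [{"GroupId": "sg-0aaaaaaaaaaaaaaaa"}], "IpRanges": []},
    {"IpProtocol": "tcp", "FromPort": 30000, "ToPort": 32767,
     "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]


def _port_ok(rule, port):
    """True if the rule covers TCP traffic to the given port."""
    if rule.get("IpProtocol") == "-1":  # "-1" means all protocols and ports
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def lb_can_reach(rules, lb_sg_id, target_port, lb_subnet_cidrs=()):
    """Return 'sg-reference', 'cidr' or None for how the node SG admits the LB.

    'sg-reference': a rule names the load balancer's security group directly.
    'cidr': every load balancer subnet CIDR is covered by an allowed IPv4 range.
    None: no rule admits the load balancer on target_port.
    """
    result = None
    for rule in rules:
        if not _port_ok(rule, target_port):
            continue
        pairs = rule.get("UserIdGroupPairs", [])
        if any(p.get("GroupId") == lb_sg_id for p in pairs):
            return "sg-reference"
        allowed = [ipaddress.ip_network(r["CidrIp"])
                   for r in rule.get("IpRanges", [])]
        if lb_subnet_cidrs and all(
                any(ipaddress.ip_network(c).subnet_of(a) for a in allowed)
                for c in lb_subnet_cidrs):
            result = "cidr"
    return result


if __name__ == "__main__":
    # Externally created ALB whose security group is not referenced by the node SG.
    print(lb_can_reach(NODE_SG_RULES, "sg-0bbbbbbbbbbbbbbbb", 8080))
```
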