
Prefix-list is not updating in the SG rule #4040

Open

sowmya-parsi opened this issue Feb 4, 2025 · 1 comment

Comments

@sowmya-parsi

Bug Description

Hi Team,

We have a prefix-list and we want to allow traffic only from this list, so we have used the `service.beta.kubernetes.io/aws-load-balancer-security-group-prefix-lists: pl-xxxxxx` annotation. But this configuration is adding rules with 0.0.0.0/0 as the source range in the security group. I can confirm that we have not reached the limit on the number of rules in an SG. Below is the configuration of our service; we are using version v2.9.1 of aws-loadbalancer-controller:

```yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    meta.helm.sh/release-name: bitbucket
    meta.helm.sh/release-namespace: bitbucket
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: xxxxxxxxxxxxxxxxxx
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
    service.beta.kubernetes.io/aws-load-balancer-subnets: subnet-xxxxxxx,subnet-xxxxxxxxxx
    service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: Application=xxxxxx,Environment=dev,Name=xxxx-clb-external,Owner=xxx
    # The posted manifest listed this annotation key twice; a YAML mapping keeps only
    # the last duplicate, so the two attribute values are combined into one entry here.
    service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: deregistration_delay.timeout_seconds=300,deregistration_delay.connection_termination.enabled=true
    service.beta.kubernetes.io/aws-load-balancer-attributes: load_balancing.cross_zone.enabled=true
    service.beta.kubernetes.io/aws-load-balancer-security-group-prefix-lists: pl-xxxxxx
  labels:
    app.kubernetes.io/instance: helm
    app.kubernetes.io/name: xxxxx
  name: xxxxx-clb-external
  namespace: bitbucket
spec:
  externalTrafficPolicy: Local
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
    - name: ssh
      port: 7999
      protocol: TCP
      targetPort: ssh
    - name: https
      port: 443
      protocol: TCP
      targetPort: http
  selector:
    app.kubernetes.io/instance: xxxxx-k8s-application-helm
    app.kubernetes.io/name: xxxxx
  sessionAffinity: None
  type: LoadBalancer
```

Expected Behavior

This has to add the SG rule with the prefix-list as the source.

Actual Behavior

Adding 0.0.0.0/0 as the source in the SG rules.

Environment

  • AWS Load Balancer controller version: 2.9.1
  • Kubernetes version: 1.29
  • Using EKS (yes/no), if so version?: 1.29
  • Using Service or Ingress: Service
  • AWS region: us-east-1
@wweiwei-li
Collaborator

This `service.beta.kubernetes.io/aws-load-balancer-security-group-prefix-lists` annotation has been supported since release v2.8.0. It should work as you are using v2.9.1.

Can you provide your controller logs and check if there is any error message? I can reproduce it only when I added a prefix id that did not exist and got the API error `InvalidPrefixListID.NotFound`. Can you make sure this is not happening to you?
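As an added example (not code from this issue or from aws-load-balancer-controller), a small Python audit that checks the two things the comments above ask about: whether the load balancer security group's ingress rules actually reference the prefix list or fell back to 0.0.0.0/0, and whether the controller log contains the `InvalidPrefixListID.NotFound` error. The rule records mirror the shape of the EC2 `DescribeSecurityGroupRules` response; the rule IDs, the prefix list ID `pl-0123456789abcdef0` (standing in for the redacted `pl-xxxxxx`) and the log lines are constructed sample data, and the optional `fetch_rules` helper assumes boto3 credentials are configured when a real group ID is supplied.

```python
"""Audit a security group for ingress rules that are open to the world
when a managed prefix list was expected, and scan controller logs for
the InvalidPrefixListID.NotFound error mentioned in the issue.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the prefix list the Service annotation is assumed to reference.
EXPECTED_PREFIX_LIST = "pl-0123456789abcdef0"

# Constructed sample rules in the shape of DescribeSecurityGroupRules output:
# ports 80 and 7999 fell back to 0.0.0.0/0, 443 correctly uses the prefix list,
# and the egress rule is ignored by the audit.
SAMPLE_RULES = [
    {"SecurityGroupRuleId": "sgr-0aaa", "IsEgress": False, "IpProtocol": "tcp",
     "FromPort": 80, "ToPort": 80, "CidrIpv4": "0.0.0.0/0"},
    {"SecurityGroupRuleId": "sgr-0bbb", "IsEgress": False, "IpProtocol": "tcp",
     "FromPort": 443, "ToPort": 443, "PrefixListId": "pl-0123456789abcdef0"},
    {"SecurityGroupRuleId": "sgr-0ccc", "IsEgress": False, "IpProtocol": "tcp",
     "FromPort": 7999, "ToPort": 7999, "CidrIpv4": "0.0.0.0/0"},
    {"SecurityGroupRuleId": "sgr-0ddd", "IsEgress": True, "IpProtocol": "-1",
     "FromPort": -1, "ToPort": -1, "CidrIpv4": "0.0.0.0/0"},
]

# Constructed sample log lines; only the middle one carries the error code.
SAMPLE_LOG_LINES = [
    '{"level":"info","msg":"successfully built model","stackID":"bitbucket/xxxxx-clb-external"}',
    '{"level":"error","msg":"Reconciler error","error":"InvalidPrefixListID.NotFound: '
    "The prefix list ID 'pl-0123456789abcdef0' does not exist\"}",
    '{"level":"error","msg":"Reconciler error","error":"AccessDenied: not authorized"}',
]

NOT_FOUND_RE = re.compile(r"InvalidPrefixListID\.NotFound")


@dataclass(frozen=True)
class Finding:
    rule_id: str
    port_range: str
    source: str
    kind: str  # "open-to-world" or "unexpected-prefix-list"


def _port_range(rule: dict) -> str:
    """Render FromPort/ToPort the way a human reads them (-1 means all ports)."""
    fp, tp = rule.get("FromPort"), rule.get("ToPort")
    if fp is None or fp == -1:
        return "all"
    return str(fp) if fp == tp else f"{fp}-{tp}"


def audit_ingress(rules: list[dict], expected_prefix_list: str) -> list[Finding]:
    """Return one Finding per ingress rule that does not restrict the source
    to the expected prefix list."""
    findings: list[Finding] = []
    for rule in rules:
        if rule.get("IsEgress"):
            continue  # only inbound exposure is in scope for this check
        cidr = rule.get("CidrIpv4") or rule.get("CidrIpv6")
        pl = rule.get("PrefixListId")
        if cidr in ("0.0.0.0/0", "::/0"):
            findings.append(Finding(rule["SecurityGroupRuleId"], _port_range(rule), cidr, "open-to-world"))
        elif pl and pl != expected_prefix_list:
            findings.append(Finding(rule["SecurityGroupRuleId"], _port_range(rule), pl, "unexpected-prefix-list"))
    return findings


def prefix_list_errors(log_lines: list[str]) -> list[str]:
    """Log lines that carry the EC2 error the maintainer asked about."""
    return [line for line in log_lines if NOT_FOUND_RE.search(line)]


def fetch_rules(group_id: str) -> list[dict]:
    """Optional live lookup (hypothetical helper; requires boto3 and AWS credentials)."""
    import boto3  # imported lazily so the module stays usable offline

    ec2 = boto3.client("ec2")
    resp = ec2.describe_security_group_rules(Filters=[{"Name": "group-id", "Values": [group_id]}])
    return resp["SecurityGroupRules"]


if __name__ == "__main__":
    for f in audit_ingress(SAMPLE_RULES, EXPECTED_PREFIX_LIST):
        print(f"{f.kind}: rule {f.rule_id} port {f.port_range} source {f.source}")
    for line in prefix_list_errors(SAMPLE_LOG_LINES):
        print("controller log:", line)
```

Run it against real data by replacing `SAMPLE_RULES` with `fetch_rules("sg-...")` and feeding the controller pod's log lines; any `open-to-world` finding on the ports the Service exposes confirms the symptom from the bug report, and a matching log line points at the prefix list lookup failing rather than at the annotation being ignored.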
