EKS Fargate: restrict access to service to only certain pods

We have an EKS Cluster in ap-southeast-2 region. The Kubernetes version is 1.20 and the Platform version is eks.3.

We want to restrict access to service to only certain Pods. For example, we have serviceA and serviceB, how would we configure a Pod so that Pod can only access to serviceA not serviceB?

I know the NetworkPolicy can do the job, but as far as I know the NetworkPolicy resource requires Calico CNI which is not supported by EKS Fargate. EKS Fargate seems to offer SecurityGroupPolicy but I don't think there's a way to attach SecurityGroupPolicy to a Service.

トピック

サーバーレスコンテナ

タグ

AWS Fargate Amazon Elastic Kubernetes Service

言語

English

chenyang-nirovision

質問済み 2年前821ビュー

1回答

新しい順
投票が多い順
コメントが多い順

これらの回答は役に立ちましたか？コミュニティがあなたの知識を活用できるように、正解に賛成票を投じてください。

Have you tried using the k8s service accounts(user roles with RBAC) with appropriate access to the other in-cluster service. Additionally you could associate them with IAM roles in case you need access to AWS services outside cluster using what is known as IAM Roles for Service Accounts(IRSA)

Madhav_P

回答済み 2年前

chenyang-nirovision
2年前
Thanks for your reply Madhav. Yes, we actually tried RBAC. But I don't think it worked. Our scenario is we have serviceA called service-a and serviceB called service-b. Both expose port 8080. We only want a Pod to be able to curl service-a:8080 but not curl service-b:8080. Correct me if I'm wrong.. I think RBAC can only restrict the Kubernetes API access but it cannot restrict HTTP calls to services?
Rodney Lester
2年前
You can use security groups with the Container Network Interface (CNI): https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html

EKS Fargate: restrict access to service to only certain pods

関連するコンテンツ