EKS Fargate: restrict access to service to only certain pods

We have an EKS Cluster in ap-southeast-2 region. The Kubernetes version is 1.20 and the Platform version is eks.3.

We want to restrict access to service to only certain Pods. For example, we have serviceA and serviceB, how would we configure a Pod so that Pod can only access to serviceA not serviceB?

I know the NetworkPolicy can do the job, but as far as I know the NetworkPolicy resource requires Calico CNI which is not supported by EKS Fargate. EKS Fargate seems to offer SecurityGroupPolicy but I don't think there's a way to attach SecurityGroupPolicy to a Service.

주제

서버리스 컨테이너

태그

AWS Fargate 아마존 Elastic Kubernetes 서비스

언어

English

chenyang-nirovision

질문됨 2년 전820회 조회

1개 답변

최신
최다 투표
가장 많은 댓글

이 답변이 도움이 되었나요?커뮤니티가 여러분의 지식을 활용할 수 있도록 정답을 찬성하세요.

Have you tried using the k8s service accounts(user roles with RBAC) with appropriate access to the other in-cluster service. Additionally you could associate them with IAM roles in case you need access to AWS services outside cluster using what is known as IAM Roles for Service Accounts(IRSA)

Madhav_P

답변함 2년 전

chenyang-nirovision
2년 전
Thanks for your reply Madhav. Yes, we actually tried RBAC. But I don't think it worked. Our scenario is we have serviceA called service-a and serviceB called service-b. Both expose port 8080. We only want a Pod to be able to curl service-a:8080 but not curl service-b:8080. Correct me if I'm wrong.. I think RBAC can only restrict the Kubernetes API access but it cannot restrict HTTP calls to services?
Rodney Lester
2년 전
You can use security groups with the Container Network Interface (CNI): https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html

EKS Fargate: restrict access to service to only certain pods

관련 콘텐츠