使用AWS re:Post即您表示您同意 AWS re:Post 使用条款
AWS re:Postre:Post

EKS Fargate: restrict access to service to only certain pods

0

We have an EKS Cluster in ap-southeast-2 region. The Kubernetes version is 1.20 and the Platform version is eks.3.

We want to restrict access to service to only certain Pods. For example, we have serviceA and serviceB, how would we configure a Pod so that Pod can only access to serviceA not serviceB?

I know the NetworkPolicy can do the job, but as far as I know the NetworkPolicy resource requires Calico CNI which is not supported by EKS Fargate. EKS Fargate seems to offer SecurityGroupPolicy but I don't think there's a way to attach SecurityGroupPolicy to a Service.

主题
无服务器容器
标签
AWS Fargate亚马逊弹性 Kubernetes 服务
语言
English
chenyang-nirovision
已提问 2 年前821 查看次数
1 回答
0

Have you tried using the k8s service accounts(user roles with RBAC) with appropriate access to the other in-cluster service. Additionally you could associate them with IAM roles in case you need access to AWS services outside cluster using what is known as IAM Roles for Service Accounts(IRSA)

AWS
Madhav_P
已回答 2 年前
  • chenyang-nirovision
    2 年前

    Thanks for your reply Madhav. Yes, we actually tried RBAC. But I don't think it worked. Our scenario is we have serviceA called service-a and serviceB called service-b. Both expose port 8080. We only want a Pod to be able to curl service-a:8080 but not curl service-b:8080. Correct me if I'm wrong.. I think RBAC can only restrict the Kubernetes API access but it cannot restrict HTTP calls to services?

  • Rodney Lester
    2 年前

    You can use security groups with the Container Network Interface (CNI): https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则

相关内容