1 answer
0
Have you tried using the k8s service accounts (user roles with RBAC) with appropriate access to the other in-cluster service? Additionally, you could associate them with IAM roles in case you need access to AWS services outside the cluster, using what is known as IAM Roles for Service Accounts (IRSA).
Answered 2 years ago
Thanks for your reply Madhav. Yes, we actually tried RBAC. But I don't think it worked. Our scenario is we have serviceA called `service-a` and serviceB called `service-b`. Both expose port 8080. We only want a Pod to be able to `curl service-a:8080` but not `curl service-b:8080`. Correct me if I'm wrong.. I think RBAC can only restrict the Kubernetes API access but it cannot restrict HTTP calls to services?

You can use security groups with the Container Network Interface (CNI): https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html
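The following is an added example, not code from the original thread or from AWS, showing how the scenario above (a caller pod may reach `service-a:8080` but not `service-b:8080`) is expressed with the security-groups-for-pods feature the last comment links to. The `SecurityGroupPolicy` resource binds a VPC security group to pods selected by labels; the allow/deny decision itself lives in the security group rules, not in Kubernetes. The security group IDs (`sg-aaaa1111`, `sg-bbbb2222`, `sg-cccc3333`), the labels, and the `default` namespace are placeholders I chose for the example.

```yaml
# Added example (not from the original thread). Assumptions: the VPC CNI has
# ENABLE_POD_ENI=true, the nodes support branch ENIs, and the three security
# groups below already exist in the VPC. Group IDs and labels are placeholders.
#
# Rules (created in the VPC, e.g. with the AWS CLI; not part of this manifest):
#   sg-aaaa1111  attached to the caller pods; no inbound rules needed for this demo
#   sg-bbbb2222  attached to service-a pods; allow TCP 8080 from sg-aaaa1111:
#     aws ec2 authorize-security-group-ingress --group-id sg-bbbb2222 \
#         --protocol tcp --port 8080 --source-group sg-aaaa1111
#   sg-cccc3333  attached to service-b pods; NO rule referencing sg-aaaa1111,
#     so traffic from the caller to service-b:8080 is dropped by the VPC.
#
# Each pod-facing group must also allow inbound from the cluster security group
# if you run kubelet liveness/readiness probes against those pods.

apiVersion: vpcresources.k8s.aws/v1beta1
kind: SecurityGroupPolicy
metadata:
  name: service-a-callers
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: service-a-caller      # label the pods that may call service-a
  securityGroups:
    groupIds:
      - sg-aaaa1111               # placeholder caller security group
---
apiVersion: vpcresources.k8s.aws/v1beta1
kind: SecurityGroupPolicy
metadata:
  name: service-a-pods
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: service-a              # the pods behind the service-a Service
  securityGroups:
    groupIds:
      - sg-bbbb2222               # allows 8080 only from sg-aaaa1111
---
apiVersion: vpcresources.k8s.aws/v1beta1
kind: SecurityGroupPolicy
metadata:
  name: service-b-pods
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: service-b              # the pods behind the service-b Service
  securityGroups:
    groupIds:
      - sg-cccc3333               # has no rule from sg-aaaa1111, so the caller is denied
```

Two points a practitioner should check when applying this. First, the caller pod itself needs a `SecurityGroupPolicy`: a pod that matches no policy uses the node's security groups, so a source-group rule referencing `sg-aaaa1111` would never match and the call would be decided by the node's rules instead. Second, the Service's ClusterIP is only DNAT'd by kube-proxy; the security group is evaluated on the destination pod's branch ENI against the caller pod's IP, which is why the rule above is written per pod label rather than per Service name. To verify, `kubectl exec` into a pod carrying `role: service-a-caller` and run `curl -m 5 service-a:8080` (should answer) and `curl -m 5 service-b:8080` (should time out). The same intent can also be written as a Kubernetes `NetworkPolicy` on clusters whose CNI enforces them; the mechanism shown here is the VPC-level one the thread points to.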