aws-load-balancer-controller: wrong SG port for TargetGroupBindings in instance mode

Hello!

When configuring a TargetGroupBinding for a Target Group in instance mode, it registers every K8s node with the Service's NodePort (31000 plus X).

But the security group rules generated are for the port of the Service. Example:

apiVersion: v1
kind: Service
metadata:
  name: someservice
spec:
  selector:
    name: stateservice
  type: NodePort
  ports:
  - name: mqtt
    protocol: TCP
    port: 1883
    targetPort: 1883
---
apiVersion: elbv2.k8s.aws/v1beta1
kind: TargetGroupBinding
metadata:
  name: someservice
spec:
  serviceRef:
    name: someservice
    port: 1883
  targetGroupARN: arn:aws:elasticloadbalancing:eu-central-1:xxx
  # targetType: instance # setting this makes no difference
  networking:
    ingress:
    - from:
      - ipBlock:
          cidr: 10.41.0.0/16
      ports:
      - port: 1883
        protocol: TCP

Indeed it creates a security group rule allowing port 1883 from 10.41.0.0/16. But K8s assigns e.g. a NodePort of 31252 to the Service, so the security group rule should use that port… or am I missing something?

The documentation (https://kubernetes-sigs.github.io/aws-load-balancer-controller/guide/targetgroupbinding/spec/#elbv2.k8s.aws/v1beta1.NetworkingPort) states "if port is unspecified, it defaults to all ports." But if I set

     ports: []

No security group rule is created at all.

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 25 (1 by maintainers)

Most upvoted comments

FYI: as a workaround, I specified the NodePort in the service and added it to the ports list. But I’d prefer the automatic port assignment by K8s, to avoid conflicts.
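The mismatch described in the issue, and the workaround from the comment above (pinning the NodePort and listing it under networking.ingress.ports), can be checked mechanically before a binding is applied. The following is an added example, not code from the issue or from the aws-load-balancer-controller project: it takes a Service and a TargetGroupBinding as plain dicts shaped like `kubectl get ... -o json` output, works out which port the load balancer will actually connect to (NodePort for instance mode, the pod's targetPort for ip mode), flags ingress rules that allow a different port, and produces a corrected copy. The two sample objects are constructed for the example, with the NodePort 31252 from the issue filled in as the kube-apiserver would allocate it; treating a binding that omits targetType as instance mode is an assumption made here for the check, as is treating an empty ports list as producing no rule, which is what the issue reports rather than documented behaviour.

```python
"""Audit TargetGroupBinding ingress ports against the Service they bind to.

Inputs are dicts shaped like `kubectl get svc/targetgroupbinding -o json`.
SERVICE and TGB_AS_FILED below are constructed sample data for this example.
"""
import copy

SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "someservice"},
    "spec": {
        "type": "NodePort",
        "selector": {"name": "stateservice"},
        "ports": [
            # nodePort is what the apiserver allocated after creation (constructed value)
            {"name": "mqtt", "protocol": "TCP", "port": 1883,
             "targetPort": 1883, "nodePort": 31252},
        ],
    },
}

TGB_AS_FILED = {
    "apiVersion": "elbv2.k8s.aws/v1beta1",
    "kind": "TargetGroupBinding",
    "metadata": {"name": "someservice"},
    "spec": {
        "serviceRef": {"name": "someservice", "port": 1883},
        "targetGroupARN": "arn:aws:elasticloadbalancing:eu-central-1:xxx",
        "targetType": "instance",
        "networking": {"ingress": [
            {"from": [{"ipBlock": {"cidr": "10.41.0.0/16"}}],
             # the Service port, which is the mistake the issue describes
             "ports": [{"port": 1883, "protocol": "TCP"}]},
        ]},
    },
}


def resolve_service_port(service, port_ref):
    """Return the Service port entry that serviceRef.port points at.

    serviceRef.port may be a number (matched against .port) or a name
    (matched against .name), mirroring how the Service itself is addressed."""
    for entry in service["spec"]["ports"]:
        if port_ref == entry.get("port") or port_ref == entry.get("name"):
            return entry
    raise LookupError(f"service has no port {port_ref!r}")


def expected_target_port(service, tgb):
    """Port the load balancer really connects to for this binding.

    instance mode: targets are node IP + NodePort, so the SG must allow the NodePort.
    ip mode:       targets are pod IP + targetPort, so the SG must allow the pod port.
    A binding without targetType is assumed to be instance mode here (assumption
    for this check; the controller derives it from the target group itself)."""
    entry = resolve_service_port(service, tgb["spec"]["serviceRef"]["port"])
    if tgb["spec"].get("targetType", "instance") == "instance":
        node_port = entry.get("nodePort")
        if node_port is None:
            raise ValueError("Service has no nodePort allocated yet; create it first")
        return node_port
    return entry.get("targetPort", entry["port"])


def audit_binding(service, tgb):
    """Return human-readable findings; an empty list means the rules are consistent."""
    findings = []
    want = expected_target_port(service, tgb)
    ingress = tgb["spec"].get("networking", {}).get("ingress", [])
    for i, rule in enumerate(ingress):
        if "ports" not in rule:
            continue  # ports omitted: documented to mean all ports
        if rule["ports"] == []:
            # Reported in the issue to create no rule at all, so worth flagging.
            findings.append(f"ingress[{i}]: empty ports list, reported to create no rule")
            continue
        for p in rule["ports"]:
            got = p.get("port")
            if got is None:
                continue  # port omitted inside an entry: all ports for that protocol
            if got != want:
                findings.append(f"ingress[{i}]: allows {got}, traffic arrives on {want}")
    return findings


def fixed_binding(service, tgb):
    """Return a copy of the binding with every mismatched port replaced by the
    port traffic really arrives on (the workaround from the thread, automated)."""
    fixed = copy.deepcopy(tgb)
    want = expected_target_port(service, tgb)
    for rule in fixed["spec"].get("networking", {}).get("ingress", []):
        for p in rule.get("ports") or []:
            if p.get("port") is not None:
                p["port"] = want
    return fixed


if __name__ == "__main__":
    for finding in audit_binding(SERVICE, TGB_AS_FILED):
        print(finding)
    print(fixed_binding(SERVICE, TGB_AS_FILED)["spec"]["networking"])
```

In a live cluster the Service object would come from `kubectl get svc someservice -o json` after creation, since the NodePort is only known once the apiserver has allocated it; that is exactly why the automatic allocation the reporter wants to keep cannot be expressed statically in the binding.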