AWS EKS: Prevent creation of security rule with source 0.0.0.0/0, when installing ingress-nginx helm chart #10956

Closed
Jan1P1Dreher opened this issue Feb 1, 2024 · 4 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@Jan1P1Dreher

Hello,
We are using an AWS EKS cluster. When we install the ingress-nginx helm chart, there are 5 Security group rules created in the AWS Security Group that is associated with the EKS nodes. All of these newly created rules have the Source "0.0.0.0/0". This triggers a security finding due to allowing unrestricted access to incoming traffic.

I have tried to prevent this by setting the following values through a .yaml file, where I have assigned an empty list to "loadBalancerSourceRanges" at every spot where this occurs in the values.yaml file.

controller:
  service:
    externalTrafficPolicy: Local
    sessionAffinity: None
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-type: nlb
      service.beta.kubernetes.io/aws-load-balancer-internal: true
      kubernetes.io/ingress.class: "nginx"
    loadBalancerSourceRanges: []
    internal:
      loadBalancerSourceRanges: []
  admissionWebhooks:
    loadBalancerSourceRanges: []
  metrics:
    service:
      loadBalancerSourceRanges: []
  defaultBackend:
    service:
      loadBalancerSourceRanges: []
  config:
    use-forwarded-headers: "true"
    hsts-max-age: "63072000"
  tcp: {}
  udp: {}
  lifecycle:
    preStop:
      exec:
        command: ["/bin/sh", "-c", "sleep 5; /usr/local/nginx/sbin/nginx -c /etc/nginx/nginx.conf -s quit; while pgrep -x nginx; do sleep 1; done"]
  terminationGracePeriodSeconds: 600

After adding this values.yaml to my installation, there are now only 3 (instead of 5) security group rules created in AWS. However, I would like to have no additional security groups created when I install the helm chart.

[image]

Is there already a way to prevent the creation of these additional security group rules?

I could not find anything on this topic; however, I am not that experienced with ingress-nginx. So if I am missing something, this might not be a "feature-request".

We use Kubernetes version 1.27.

@Jan1P1Dreher Jan1P1Dreher added the kind/feature Categorizes issue or PR as related to a new feature. label Feb 1, 2024
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Feb 1, 2024
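The following Python script is an added example, not code from this issue or from the ingress-nginx project. It audits two things the report touches on: rendered Service manifests, flagging LoadBalancer Services that carry no effective source restriction, and the IpPermissions of a node security group, flagging ingress rules reachable from 0.0.0.0/0 or ::/0. It treats a missing or empty loadBalancerSourceRanges the same as an explicit 0.0.0.0/0, because the field description quoted later in the thread applies the restriction only when the field is specified. The Service manifests, security-group permissions, namespace, names and port numbers below are all constructed sample data.

```python
"""Audit Kubernetes Services and AWS security-group ingress rules for
world-open (0.0.0.0/0 or ::/0) load-balancer exposure.

Added example; the sample inputs are constructed, not taken from a real cluster.
"""
import ipaddress

# Constructed sample: Services as a chart might render them. The first one has
# loadBalancerSourceRanges left unset (an empty Helm list renders to no field).
SAMPLE_SERVICES = [
    {
        "kind": "Service",
        "metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
        "spec": {"type": "LoadBalancer", "ports": [{"port": 80}, {"port": 443}]},
    },
    {
        "kind": "Service",
        "metadata": {"name": "ingress-nginx-controller-internal", "namespace": "ingress-nginx"},
        "spec": {
            "type": "LoadBalancer",
            "loadBalancerSourceRanges": ["10.0.0.0/8"],  # restricted: assumed corporate range
            "ports": [{"port": 443}],
        },
    },
    {
        "kind": "Service",
        "metadata": {"name": "ingress-nginx-controller-admission", "namespace": "ingress-nginx"},
        "spec": {"type": "ClusterIP", "ports": [{"port": 443}]},
    },
]

# Constructed sample shaped like the "IpPermissions" list in
# `aws ec2 describe-security-groups` output for a node security group.
SAMPLE_SG_RULES = [
    {"IpProtocol": "tcp", "FromPort": 30080, "ToPort": 30080,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    {"IpProtocol": "-1", "FromPort": -1, "ToPort": -1,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]


def is_world_open(cidr):
    """True when the CIDR admits every address of its family (a /0 prefix)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def world_open_services(services):
    """Return "namespace/name" for each LoadBalancer Service whose allowed
    source ranges are unrestricted: the field is absent or empty (no
    restriction is applied by the cloud provider) or it contains a /0 range."""
    findings = []
    for svc in services:
        spec = svc.get("spec", {})
        if spec.get("type") != "LoadBalancer":
            continue  # no cloud load balancer is provisioned for these
        ranges = spec.get("loadBalancerSourceRanges") or []
        if not ranges or any(is_world_open(r) for r in ranges):
            meta = svc["metadata"]
            findings.append(f"{meta.get('namespace', 'default')}/{meta['name']}")
    return findings


def world_open_sg_rules(permissions):
    """Return (protocol, from_port, to_port, cidr) for every ingress permission
    whose IPv4 or IPv6 source range is a /0."""
    findings = []
    for perm in permissions:
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if is_world_open(cidr):
                findings.append(
                    (perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"), cidr)
                )
    return findings


if __name__ == "__main__":
    for name in world_open_services(SAMPLE_SERVICES):
        print(f"Service {name}: LoadBalancer with no source restriction")
    for proto, lo, hi, cidr in world_open_sg_rules(SAMPLE_SG_RULES):
        print(f"SG rule {proto} {lo}-{hi} open to {cidr}")
```

To run it against real data instead of the constructed samples, feed `world_open_services` the "items" list from `kubectl get svc -A -o json` and `world_open_sg_rules` the "IpPermissions" list of the node security group from `aws ec2 describe-security-groups`. The Service check is the more useful of the two as a pre-deployment gate, since the security-group rules only appear after the cloud controller has already provisioned the load balancer.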
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@longwuyuan
Contributor

My opinion is that this needs to be discussed in the sig-networking slack channel. Because

% k explain svc.spec.loadBalancerSourceRanges
KIND:       Service
VERSION:    v1

FIELD: loadBalancerSourceRanges <[]string>

DESCRIPTION:
    If specified and supported by the platform, this will restrict traffic
    through the cloud-provider load-balancer will be restricted to the specified
    client IPs. This field will be ignored if the cloud-provider does not
    support the feature." More info:
    https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/

@strongjz
Member

strongjz commented Feb 2, 2024

This is not done through ingress-nginx but by the cloud controller.

/close

@k8s-ci-robot
Contributor

@strongjz: Closing this issue.

In response to this:

This is not done through ingress-nginx but by the cloud controller.

/close
