はじめに
以下によると、Fargateのpodへのセキュリティグループの設定が可能になったらしいです。
https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html
実際に設定し、動作を確認しました。
検証方法
nginxのpodをEKSクラスター上に2つ起動し、セキュリティグループ適用前と後で通信を比較しました。
- AWSのセキュリティグループについて
- インバウンド:設定なし(全通信遮断)
- アウトバウンド:すべて許可
pod情報
podを起動するために使用するmanifest fileの情報は以下です。
nginx1.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx1
labels:
name: nginx1
app: nginx1
spec:
replicas: 1
selector:
matchLabels:
app: nginx1
template:
metadata:
labels:
app: nginx1
spec:
containers:
- name: nginx
image: nginx:1.19.2
ports:
- containerPort: 80
nginx2.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx2
labels:
name: nginx2
app: nginx2
spec:
replicas: 1
selector:
matchLabels:
app: nginx2
template:
metadata:
labels:
app: nginx2
spec:
containers:
- name: nginx
image: nginx:1.19.2
ports:
- containerPort: 80
上記manifest fileを使用してpodを起動します。
$ kubectl apply -f nginx1.yaml -f nginx2.yaml
deployment.apps/nginx1 created
deployment.apps/nginx2 created
$ kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx1-6b86d9bbbf-2q67v 1/1 Running 0 117s 10.2.45.218 fargate-ip-10-2-45-218.ap-northeast-1.compute.internal <none> <none>
nginx2-6775f69cc6-fvxpd 1/1 Running 0 117s 10.2.62.78 fargate-ip-10-2-62-78.ap-northeast-1.compute.internal <none> <none>
起動しましたね。
通信確認のため、nginx1 -> nginx2に対してcurlでリクエストを送ります。
$ kubectl exec -it nginx1-6b86d9bbbf-2q67v -- curl 10.2.62.78
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
nginx2 -> nginx1も同様に確認します。
$ kubectl exec -it nginx2-6775f69cc6-fvxpd -- curl 10.2.45.218
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
podへセキュリティグループ設定
次に、podにセキュリティグループを設定するために以下のmanifestをapplyします。
sg-policy.yaml
apiVersion: vpcresources.k8s.aws/v1beta1
kind: SecurityGroupPolicy
metadata:
name: security-policy-test
namespace: default
spec:
podSelector:
matchLabels:
role: nginx2 ★label名は例なのでroleである必要はないです。
securityGroups:
groupIds:
- sg-xxxxxxxx
.spec.template.metadata.labelsにrole: nginx2を追記し、再度applyします
nginx2.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx2
labels:
name: nginx2
app: nginx2
spec:
replicas: 1
selector:
matchLabels:
app: nginx2
template:
metadata:
labels:
app: nginx2
role: ngin2 ★追記
spec:
containers:
- name: nginx
image: nginx:1.19.2
ports:
- containerPort: 80
applyします。
$ kubectl apply -f sg-policy.yaml
securitygrouppolicy.vpcresources.k8s.aws/security-policy-test created
$ kubectl get sgp
NAME SECURITY-GROUP-IDS
security-policy-test ["sg-xxxxxxxx"]
$ kubectl apply -f nginx2.yaml
deployment.apps/nginx2 created
$ kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx1-6b86d9bbbf-2q67v 1/1 Running 0 117s 10.2.45.218 fargate-ip-10-2-45-218.ap-northeast-1.compute.internal <none> <none>
nginx2-7d68c8456-4lbmr 1/1 Running 0 117s 10.2.36.251 fargate-ip-10-2-36-251.ap-northeast-1.compute.internal <none> <none>
動作確認
再度nginx1 -> nginx2へcurlを実行します。
kubectl exec -it nginx1-6b86d9bbbf-2q67v -- curl 10.2.36.251
curl: (7) Failed to connect to 10.2.36.251 port 80: Connection timed out
role: nginx2のラベルがついているnginx2のpodに対してセキュリティグループが適用されている状態となります。
セキュリティグループのインバウンドは何も設定されておらず、すべての通信を拒否するので通信はタイムアウトしました!
nginx2のmanifestのlabelを修正
nginx2.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx2
labels:
name: nginx2
app: nginx2
spec:
replicas: 1
selector:
matchLabels:
app: nginx2
template:
metadata:
labels:
app: nginx2
role: nginx ★修正
spec:
containers:
- name: nginx
image: nginx:1.19.2
ports:
- containerPort: 80
再度applyし、nginx1 -> nginx2へcurlを実行します。
$ kubectl apply -f nginx2.yaml
deployment.apps/nginx2 created
$ kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx1-6b86d9bbbf-2q67v 1/1 Running 0 125m 10.2.45.218 fargate-ip-10-2-45-218.ap-northeast-1.compute.internal <none> <none>
nginx2-7d68c8456-t72zn 1/1 Running 0 4m11s 10.2.63.222 fargate-ip-10-2-63-222.ap-northeast-1.compute.internal <none> <none>
$ kubectl exec -it nginx1-6b86d9bbbf-2q67v -- curl 10.2.63.222
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
ラベル名を修正することでnginx2のpodにセキュリティグループが適用されなくなり再度通信が可能になりました!