
How do I configure a security group for AWS Fargate Pods in my Amazon EKS cluster?


I want to configure a security group for my AWS Fargate Pods in my Amazon Elastic Kubernetes Service (Amazon EKS) cluster. I want to use the security group to control inbound and outbound network traffic.

Short description

You can use security groups for individual Pods to attach your custom Amazon Elastic Compute Cloud (Amazon EC2) security groups to your Fargate Pods in your Amazon EKS cluster. These attached security groups restrict inbound and outbound network traffic to and from Fargate Pods.

By default, Fargate Pods are automatically configured to use the cluster security group to communicate with the Kubernetes control plane. You can use security groups to configure rules for inbound and outbound network traffic to and from Fargate Pods.

The security groups that you specify for your Fargate Pods must meet the following criteria:

  • They must have rules that allow the Pods to communicate with the Kubernetes control plane. Make sure to specify the cluster security group as one of the security groups.
  • They must have the inbound and outbound rules needed to communicate with other Pods or endpoints. For example, they must have an outbound rule that allows TCP and UDP port 53 to the CoreDNS Pods so that name resolution works.

Resolution

To apply security groups to your Fargate Pods, complete the following steps:

  1. Deploy an Amazon EKS security group policy to your cluster.
    Example:

    apiVersion: vpcresources.k8s.aws/v1beta1
    kind: SecurityGroupPolicy
    metadata:
      name: my-security-group-policy
      namespace: my-namespace
    spec:
      podSelector:
        matchLabels:
          role: my-role
      securityGroups:
        groupIds:
          - my_pod_security_group_id

    Note: Replace my-security-group-policy, my-namespace, my-role, and my_pod_security_group_id with the values from your configuration. You can use serviceAccountSelector instead of podSelector.

  2. Deploy your application with a label that matches SecurityGroupPolicy.
    Example:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: my-deployment
      namespace: my-namespace
      labels:
        app: my-app
    spec:
      replicas: 4
      selector:
        matchLabels:
          app: my-app
      template:
        metadata:
          labels:
            app: my-app
            role: my-role
        spec:
          terminationGracePeriodSeconds: 120
          containers:
          - name: nginx
            image: public.ecr.aws/nginx/nginx:1.23
            ports:
            - containerPort: 80
  3. Confirm that your Pods use Pod security groups. If they do, then the Pod's annotations include fargate.amazonaws.com/pod-sg with the attached security group IDs. Run the following command:

    kubectl describe pod <pod-name> -n <namespace> | grep fargate.amazonaws.com/pod-sg
    fargate.amazonaws.com/pod-sg: my_pod_security_group_id,...

    Note: Replace pod-name with your Pod's name, and my_pod_security_group_id with your Pod's security group ID.
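    The following script is an added example, not AWS's own tooling: it applies the criteria from the Short description to the SecurityGroupPolicy and Deployment of steps 1 and 2, then parses the annotation that step 3 greps for. The two manifests are represented as Python dicts (the YAML above, loaded), the security group IDs and the kubectl output are constructed placeholders, and the check goes slightly beyond the text by supporting matchExpressions as well as matchLabels in podSelector (SecurityGroupPolicy uses a standard Kubernetes label selector).

```python
"""Pre-flight checks for an EKS SecurityGroupPolicy on Fargate (added example).

It verifies that the policy's podSelector actually matches the Deployment's
Pod template labels, that both objects share a namespace, and that the
cluster security group is among the groupIds (without it the Pod cannot
reach the Kubernetes control plane). A small parser then reads the
fargate.amazonaws.com/pod-sg annotation from `kubectl describe pod` output.
"""

# Constructed placeholder security group IDs (replace with your own values)
CLUSTER_SG = "sg-0123456789abcdef0"  # the cluster security group
POD_SG = "sg-0fedcba9876543210"      # the custom Pod security group

# The SecurityGroupPolicy from step 1, loaded as a dict
POLICY = {
    "apiVersion": "vpcresources.k8s.aws/v1beta1",
    "kind": "SecurityGroupPolicy",
    "metadata": {"name": "my-security-group-policy", "namespace": "my-namespace"},
    "spec": {
        "podSelector": {"matchLabels": {"role": "my-role"}},
        "securityGroups": {"groupIds": [POD_SG, CLUSTER_SG]},
    },
}

# The Deployment from step 2 (only the parts the checks read)
DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "my-deployment", "namespace": "my-namespace"},
    "spec": {"template": {"metadata": {"labels": {"app": "my-app", "role": "my-role"}}}},
}


def selector_matches(selector, labels):
    """Kubernetes label-selector semantics: every matchLabels entry must be
    equal, and every matchExpressions entry must hold. An empty selector
    matches everything."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def check_policy(policy, deployment, cluster_sg):
    """Return a list of findings; an empty list means the policy should apply
    to the Deployment's Pods and still allow control-plane traffic."""
    findings = []
    if policy["metadata"]["namespace"] != deployment["metadata"]["namespace"]:
        findings.append("policy and Deployment are in different namespaces")
    pod_labels = deployment["spec"]["template"]["metadata"]["labels"]
    if not selector_matches(policy["spec"].get("podSelector", {}), pod_labels):
        findings.append("podSelector does not match the Pod template labels")
    if cluster_sg not in policy["spec"]["securityGroups"]["groupIds"]:
        findings.append("cluster security group is missing from groupIds")
    return findings


def parse_pod_sg_annotation(describe_output):
    """Extract the comma-separated group IDs from the
    fargate.amazonaws.com/pod-sg annotation in `kubectl describe pod` output."""
    for line in describe_output.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key == "fargate.amazonaws.com/pod-sg":
            return [g.strip() for g in value.split(",") if g.strip()]
    return []


def pod_has_expected_groups(describe_output, expected):
    """True when every expected group ID is present in the Pod's annotation."""
    return set(expected) <= set(parse_pod_sg_annotation(describe_output))


# Constructed sample of `kubectl describe pod` output for step 3
DESCRIBE_OUTPUT = f"""Name:         my-deployment-7c9b8f6d5-abcde
              fargate.amazonaws.com/pod-sg: {POD_SG},{CLUSTER_SG}
"""

if __name__ == "__main__":
    for finding in check_policy(POLICY, DEPLOYMENT, CLUSTER_SG):
        print("finding:", finding)
    print("pod-sg annotation:", parse_pod_sg_annotation(DESCRIBE_OUTPUT))
```

    Run the checks before applying the manifests: a policy whose selector silently matches nothing leaves the Pods on the cluster security group only, while a policy that omits the cluster security group attaches correctly but then breaks the Pod's communication with the control plane.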

Related information

Introducing security groups for Pods

AWS OFFICIAL, updated 2 months ago