EKS Fargate: restrict access to service to only certain pods


We have an EKS Cluster in ap-southeast-2 region. The Kubernetes version is 1.20 and the Platform version is eks.3.

We want to restrict access to service to only certain Pods. For example, we have serviceA and serviceB, how would we configure a Pod so that Pod can only access to serviceA not serviceB?

I know the NetworkPolicy can do the job, but as far as I know the NetworkPolicy resource requires Calico CNI which is not supported by EKS Fargate. EKS Fargate seems to offer SecurityGroupPolicy but I don't think there's a way to attach SecurityGroupPolicy to a Service.

asked 2 years ago786 views
1 Answer

Have you tried using the k8s service accounts(user roles with RBAC) with appropriate access to the other in-cluster service. Additionally you could associate them with IAM roles in case you need access to AWS services outside cluster using what is known as IAM Roles for Service Accounts(IRSA)

answered 2 years ago
  • Thanks for your reply Madhav. Yes, we actually tried RBAC. But I don't think it worked. Our scenario is we have serviceA called service-a and serviceB called service-b. Both expose port 8080. We only want a Pod to be able to curl service-a:8080 but not curl service-b:8080. Correct me if I'm wrong.. I think RBAC can only restrict the Kubernetes API access but it cannot restrict HTTP calls to services?

  • You can use security groups with the Container Network Interface (CNI): https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions