OpenShift Request For Enhancement: RFE-4811

Support for "service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules" NLB SVC annotation

      An NLB-type Service can be created in an AWS IPI/UPI cluster; the cloud-controller-manager (CCM) creates the NLB in AWS and also adds an inbound rule to the master and worker security groups allowing traffic from the newly created LoadBalancer.

      Many customers rely heavily on LoadBalancer-type Services instead of OCP routes, so the security group rule limit is eventually reached. Once it is, no further LoadBalancer-type Service can be provisioned by CCM, because the new rule cannot be added to the master and worker security groups.

      According to the annotations documented at the GitHub link below, the "service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules" annotation can be used to tell CCM not to create the rule automatically; customers can instead create the rule in a separate security group and manage it themselves.

      --> https://github.com/openshift/aws-load-balancer-controller/blob/54f88971f8ac73b07718d56d2ab4ba1f09ddebf4/docs/guide/service/annotations.md#annotations
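The following manifest is an added example of the configuration the RFE refers to; it is not part of RFE-4811 or of the aws-load-balancer-controller project. The annotation keys are the ones documented by the controller; the Service name, namespace, selector, ports and the security group id sg-0123456789abcdef0 are constructed placeholders. Whether OpenShift's CCM honours the annotation is exactly what this RFE requests, so treat the manifest as the desired end state rather than something the page confirms works today.

```yaml
# Added example for RFE-4811, not from the RFE or the controller project.
# Placeholders (constructed): name, namespace, selector, ports, and the
# security group id sg-0123456789abcdef0.
apiVersion: v1
kind: Service
metadata:
  name: example-nlb
  namespace: example-app
  annotations:
    # NLB provisioned by the aws-load-balancer-controller, instance targets.
    service.beta.kubernetes.io/aws-load-balancer-type: "external"
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "instance"
    # Frontend security group created and managed by the customer, so rules
    # no longer accumulate in the cluster's master/worker security groups.
    service.beta.kubernetes.io/aws-load-balancer-security-groups: "sg-0123456789abcdef0"
    # The annotation this RFE asks CCM to support: do not add inbound rules
    # to the node security groups on the customer's behalf.
    service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules: "false"
spec:
  type: LoadBalancer
  selector:
    app: example
  ports:
  - name: https
    port: 443
    targetPort: 8443
    protocol: TCP
```

With backend rule management disabled, nothing adds a rule for this NLB to the node security groups, so the customer-managed rules must themselves allow the NLB's traffic and health checks to reach the NodePort on the worker instances; otherwise the targets register as unhealthy. Keeping those rules in a dedicated, customer-owned security group is also what avoids the per-group rule limit described above.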

      The only workaround for now is to untag the original SGs, create new SGs carrying the OpenShift AWS tag, and associate the new SGs with the instances; new rules are then added to the new SGs, while the old SGs continue to serve the existing LBs and their rules.

            rh-ee-smodeel Subin MM
            rhn-support-aygarg Ayush Garg