Using Security Groups for Pods in Amazon EKS
Containerized applications frequently require access to other services running within the cluster as well as external AWS services, such as Amazon Relational Database Service (RDS).
On AWS, controlling network-level access between services is often accomplished via security groups.
Early versions of EKS only allowed you to assign security groups at the node level. Because all nodes inside a node group share the security group, by attaching the security group to access the RDS instance to the node group in the image below, all the pods running on these nodes would have access to the database even if only the green pod should have access:
Security groups for pods integrate Amazon EC2 security groups with Kubernetes pods. You can use Amazon EC2 security groups to define rules that allow inbound and outbound network traffic to and from pods that you deploy to nodes running on many Amazon EC2 instance types. In this lab, you will learn how to integrate security groups with an EKS cluster to access an RDS database and demonstrate the effect of Pod security groups as shown in the following environment diagram:
Upon completion of this lab, you will be able to:
- Configure Amazon EKS node groups to use trunk network interfaces to enable pod security groups
- Use SecurityGroupPolicy custom resources to select pods that are associated with security groups
- Identify network interfaces protected by security groups
- Demonstrate the effects of security groups per pod
- Kubernetes practitioners, especially those working with Amazon EKS
- DevOps Engineers
Familiarity with the following will be beneficial but is not required:
- Basic Linux command line administration
- Basic Kubernetes and Container-based concepts
- Familiarity with AWS resources including VPCs and security groups
The following content can be used to fulfill the prerequisite:
- Linux Command Line Byte Session learning path
- Introduction to Kubernetes learning path
- Working with AWS Networking and Amazon VPC course
December 5th, 2023 - Updated Kubernetes version
February 28th, 2023 - Updated to k8s 1.24
Logan has been involved in software development and research since 2007 and has been in the cloud since 2012. He is an AWS Certified DevOps Engineer - Professional, AWS Certified Solutions Architect - Professional, Microsoft Certified Azure Solutions Architect Expert, MCSE: Cloud Platform and Infrastructure, Google Cloud Certified Associate Cloud Engineer, Certified Kubernetes Security Specialist (CKS), Certified Kubernetes Administrator (CKA), Certified Kubernetes Application Developer (CKAD), and Certified OpenStack Administrator (COA). He earned his Ph.D. studying design automation and enjoys all things tech.