Using Security Groups for Pods in Amazon EKS

Lab Steps

lock
Logging in to the Amazon Web Services Console
lock
Connecting to the Virtual Machine using EC2 Instance Connect
lock
Installing Kubernetes Management Tools and Utilities
lock
Introducing Security Groups for Pods
lock
Creating and Configuring the Security Groups
lock
Creating the RDS Database
lock
Configuring the CNI
lock
Creating a SecurityGroupPolicy Custom Resource
lock
Testing the SecurityGroupPolicy
lock
Cleaning up the Pod Security Group Lab Resources

The hands-on lab is part of this learning path

Ready for the real environment experience?

DifficultyIntermediate
Time Limit2h
Students27

Description

Containerized applications frequently require access to other services running within the cluster as well as external AWS services, such as Amazon Relational Database Service (RDS).

On AWS, controlling network-level access between services is often accomplished via security groups.

Early versions of EKS only allowed you to assign security groups at the node level. Because all nodes inside a node group share the security group, by attaching the security group to access the RDS instance to the node group in the image below, all the pods running on these nodes would have access to the database even if only the green pod should have access:

sg-per-pod_1

Security groups for pods integrate Amazon EC2 security groups with Kubernetes pods. You can use Amazon EC2 security groups to define rules that allow inbound and outbound network traffic to and from pods that you deploy to nodes running on many Amazon EC2 instance types. In this lab, you will learn how to integrate security groups with an EKS cluster to access an RDS database and demonstrate the effect of Pod security groups as shown in the following environment diagram:

sg-per-pod_3

Learning Objectives

Upon completion of this lab, you will be able to:

  • Configure Amazon EKS node groups to use trunk network interfaces to enable pod security groups
  • Use SecurityGroupPolicy custom resources to select pods that are associated with security groups
  • Identify network interfaces protected by security groups
  • Demonstrate the effects of security groups per pod

Intended Audience

  • Kubernetes practitioners, especially those working with Amazon EKS
  • DevOps Engineers
  • SREs

Prerequisites

Familiarity with the following will be beneficial but is not required:

  • Basic Linux command line administration
  • Basic Kubernetes and Container-based concepts
  • Familiarity with AWS resources including VPCs and security groups

The following content can be used to fulfill the prerequisite:

About the Author
Students117501
Labs184
Courses9
Learning paths30

Logan has been involved in software development and research since 2007 and has been in the cloud since 2012. He is an AWS Certified DevOps Engineer - Professional, AWS Certified Solutions Architect - Professional, Microsoft Certified Azure Solutions Architect Expert, MCSE: Cloud Platform and Infrastructure, Google Cloud Certified Associate Cloud Engineer, Certified Kubernetes Security Specialist (CKS), Certified Kubernetes Administrator (CKA), Certified Kubernetes Application Developer (CKAD), and Certified OpenStack Administrator (COA). He earned his Ph.D. studying design automation and enjoys all things tech.