hands-on lab

Using Security Groups for Pods in Amazon EKS

Intermediate
Up to 2h
375
3.4/5
Get guided in a real environmentPractice with a step-by-step scenario in a real, provisioned environment.
Learn and validateUse validations to check your solutions every step of the way.
See resultsTrack your knowledge and monitor your progress.
Lab description

Containerized applications frequently require access to other services running within the cluster as well as external AWS services, such as Amazon Relational Database Service (RDS).

On AWS, controlling network-level access between services is often accomplished via security groups.

Early versions of EKS only allowed you to assign security groups at the node level. Because all nodes inside a node group share the security group, by attaching the security group to access the RDS instance to the node group in the image below, all the pods running on these nodes would have access to the database even if only the green pod should have access:

sg-per-pod_1

Security groups for pods integrate Amazon EC2 security groups with Kubernetes pods. You can use Amazon EC2 security groups to define rules that allow inbound and outbound network traffic to and from pods that you deploy to nodes running on many Amazon EC2 instance types. In this lab, you will learn how to integrate security groups with an EKS cluster to access an RDS database and demonstrate the effect of Pod security groups as shown in the following environment diagram:

sg-per-pod_3

Learning Objectives

Upon completion of this lab, you will be able to:

  • Configure Amazon EKS node groups to use trunk network interfaces to enable pod security groups
  • Use SecurityGroupPolicy custom resources to select pods that are associated with security groups
  • Identify network interfaces protected by security groups
  • Demonstrate the effects of security groups per pod

Intended Audience

  • Kubernetes practitioners, especially those working with Amazon EKS
  • DevOps Engineers
  • SREs

Prerequisites

Familiarity with the following will be beneficial but is not required:

  • Basic Linux command line administration
  • Basic Kubernetes and Container-based concepts
  • Familiarity with AWS resources including VPCs and security groups

The following content can be used to fulfill the prerequisite:

Updates

December 5th, 2023 - Updated Kubernetes version

February 28th, 2023 - Updated to k8s 1.24

About the author
Avatar
Logan Rakai, opens in a new tab
Lead Content Developer - Labs
Students
216,238
Labs
223
Courses
9
Learning paths
56

Logan has been involved in software development and research since 2007 and has been in the cloud since 2012. He is an AWS Certified DevOps Engineer - Professional, AWS Certified Solutions Architect - Professional, Microsoft Certified Azure Solutions Architect Expert, MCSE: Cloud Platform and Infrastructure, Google Cloud Certified Associate Cloud Engineer, Certified Kubernetes Security Specialist (CKS), Certified Kubernetes Administrator (CKA), Certified Kubernetes Application Developer (CKAD), and Certified OpenStack Administrator (COA). He earned his Ph.D. studying design automation and enjoys all things tech.

LinkedIn, Twitter, GitHub

Covered topics
Lab steps
Logging In to the Amazon Web Services Console
Connecting to the Virtual Machine using EC2 Instance Connect
Installing Kubernetes Management Tools and Utilities
Introducing Security Groups for Pods
Creating and Configuring the Security Groups
Creating the RDS Database
Configuring the CNI
Creating a SecurityGroupPolicy Custom Resource
Testing the SecurityGroupPolicy
Cleaning up the Pod Security Group Lab Resources