Increase the maximum number of Security Group rules the controller can create #2252
Comments
@dickeyf, thanks for reporting the issue. We cannot increase SG rule quotas beyond the current AWS limit, however I'm working on options to optimize SG rules for NLB as well. /kind feature

Is there an issue for this, or a PR? I'm interested to know what those options are.

This issue seems to address the same problem: Optimized security group rules #2118. I understand that once AWS allows assigning Security Groups to the NLBs, you will extend the same restricted port ranges behavior to the NLBs.
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close
@k8s-triage-robot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Is your feature request related to a problem?
The Controller needs to create many rules in the Security Group of the Worker Node's ENIs when it creates an instance-type NLB or ip-type NLB. The instance-type NLB requires considerably more rules as the backend ports are NodePorts, which are unique, unlike ip-type backend ports that tend to have standard values such as 80 or 443.

Describe the solution you'd like
The Security Groups have a maximum number of rules of 60 by default, which can be increased to 200 easily. Increasing this limit beyond 200 requires the decrease of another limit, security groups per ENI, which is 5 by default. Increasing the limit to 200 will help, but it is still not enough. The solution I'd like is that the Controller would add additional Security Groups to the worker nodes when there isn't space anymore in the current Security Groups. This would allow increasing the limit to 1000 by spanning these rules over the max number of 5 SGs per ENI.

Describe alternatives you've considered
Increasing the quota beyond 200, and accepting a lower SG per ENI quota. Since increasing this quota beyond 200 reduces the number of SGs per ENI, it's not ideal, as this might affect other components in the same region/account. There was also PR #2245 which was considered. It optimizes the rules by merging them into ranges for each unique CIDR source. However, this was not ideal from a security standpoint as the optimization allows one LB's rules to overwrite another's.
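The quota arithmetic behind this request, as an added example (not code from aws-load-balancer-controller): a small planner that models the controller's ingress rules as one rule per (source CIDR, backend port) pair, packs them into SGs on the worker ENI under the limits quoted in the issue (60 rules per SG by default, 200 after the quota increase, 5 SGs per ENI), and reports what still does not fit. The CIDRs, NodePort range and service counts are constructed for illustration.

```python
"""Rule-budget planner for the SG quota trade-off described in this issue.

Added example, not controller code. The one-rule-per-(CIDR, port) model and the
NodePort range are assumptions made for illustration; the quota values are the
ones quoted in the issue text.
"""
from itertools import product

RULES_PER_SG_DEFAULT = 60   # default rules-per-SG quota quoted in the issue
RULES_PER_SG_RAISED = 200   # the "easy" quota increase quoted in the issue
SGS_PER_ENI = 5             # default SGs-per-ENI quota quoted in the issue


def required_rules(source_cidrs, ports):
    """One ingress rule per (source CIDR, backend port) pair (modelling assumption)."""
    return sorted(set(product(source_cidrs, ports)))


def ports_for(service_count, mode):
    """instance-type NLBs target a unique NodePort per Service; ip-type NLBs reuse 80/443."""
    if mode == "instance":
        return [30000 + i for i in range(service_count)]  # constructed NodePort range
    return [80, 443]


def pack_into_groups(rules, rules_per_sg=RULES_PER_SG_DEFAULT, sgs_per_eni=SGS_PER_ENI):
    """Span rules over additional SGs on the worker ENI, as the issue proposes.

    Returns (groups, overflow): the per-SG rule lists that fit within the ENI's
    SG budget, and the rules left over once every allowed SG is full.
    """
    chunks = [rules[i:i + rules_per_sg] for i in range(0, len(rules), rules_per_sg)]
    fitted, spilled = chunks[:sgs_per_eni], chunks[sgs_per_eni:]
    return fitted, [r for chunk in spilled for r in chunk]


def plan(service_count, source_cidrs, mode, rules_per_sg=RULES_PER_SG_DEFAULT):
    """Summarise rule count, SGs consumed on the ENI, and rules that exceed the budget."""
    rules = required_rules(source_cidrs, ports_for(service_count, mode))
    groups, overflow = pack_into_groups(rules, rules_per_sg)
    return {"rules": len(rules), "groups": len(groups), "overflow": len(overflow)}


if __name__ == "__main__":
    cidrs = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]  # constructed subnet CIDRs
    for svc in (40, 400):
        for limit in (RULES_PER_SG_DEFAULT, RULES_PER_SG_RAISED):
            print(svc, "services, instance mode, limit", limit, plan(svc, cidrs, "instance", limit))
    print(400, "services, ip mode", plan(400, cidrs, "ip"))
```

With three source CIDRs, 400 instance-mode Services need 1200 rules, which exceeds even the 5 x 200 = 1000 ceiling the issue arrives at, while the same Services in ip mode need only 6.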