From 9f62e81be59fe5b5e15ee06a4178e689d8a0a02e Mon Sep 17 00:00:00 2001
From: James Ravn and Yoseph Samuel
Date: Tue, 9 Feb 2016 15:16:55 +0000
Subject: [PATCH] Disable aws node security group ingress creation
Add aws cloud config: [global] disableSecurityGroupIngress = true The aws provider creates an inbound rule per load balancer on the node security group. However, this can quickly run into the AWS security group rule limit of 50. This disables the automatic ingress creation. It requires that the user has setup a rule that allows inbound traffic on kubelet ports from the local VPC subnet (so load balancers can access it). E.g. `10.82.0.0/16 30000-32000`.
Limits: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html#vpc-limits-security-groups
Authors: @jsravn, @balooo
---
 pkg/cloudprovider/providers/aws/aws.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/pkg/cloudprovider/providers/aws/aws.go b/pkg/cloudprovider/providers/aws/aws.go
index adad77bfed..79e8eb851b 100644
--- a/pkg/cloudprovider/providers/aws/aws.go
+++ b/pkg/cloudprovider/providers/aws/aws.go
@@ -218,6 +218,15 @@ type AWSCloudConfig struct {
 Zone string
 KubernetesClusterTag string
+
+ //The aws provider creates an inbound rule per load balancer on the node security
+ //group. However, this can run into the AWS security group rule limit of 50 if
+ //many LoadBalancers are created.
+ //
+ //This flag disables the automatic ingress creation. It requires that the user
+ //has setup a rule that allows inbound traffic on kubelet ports from the
+ //local VPC subnet (so load balancers can access it). E.g. 10.82.0.0/16 30000-32000.
+ DisableSecurityGroupIngress bool
 }
 }
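Review bot: The doc comment on the new DisableSecurityGroupIngress field does not follow the Go convention of a space after `//` and an opening sentence that names the field, so godoc readers see `//The aws provider ...` rather than a comment that identifies what the flag does. Suggest opening it with `// DisableSecurityGroupIngress disables the automatic creation of a per-load-balancer inbound rule on the node security group.` and keeping the rule-limit explanation and the prerequisite user-managed rule as the following sentences. The comment should also make the trade-off explicit: the provider-managed rules appear to be scoped to each load balancer's security group (the second hunk looks up a load balancer security group id), whereas the replacement is one static CIDR rule, so every host in that range can reach the kubelet/NodePort range, not only the load balancers. It is worth stating that nothing validates the prerequisite rule — when the flag is set the provider simply returns before touching security groups — so a missing or too-narrow VPC rule would presumably surface only as unreachable backends rather than as a configuration error. The example `10.82.0.0/16 30000-32000` is a site-specific CIDR and port range and should be labelled as an example value so it is not copied verbatim.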
@@ -2090,6 +2099,10 @@ func findSecurityGroupForInstance(instance *ec2.Instance) *string {
 // Open security group ingress rules on the instances so that the load balancer can talk to them
 // Will also remove any security groups ingress rules for the load balancer that are _not_ needed for allInstances
 func (s *AWSCloud) updateInstanceSecurityGroupsForLoadBalancer(lb *elb.LoadBalancerDescription, allInstances []*ec2.Instance) error {
+ if s.cfg.Global.DisableSecurityGroupIngress {
+ return nil
+ }
+
 // Determine the load balancer security group id
 loadBalancerSecurityGroupId := ""
 for _, securityGroup := range lb.SecurityGroups {
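Review bot: The early return added at the top of updateInstanceSecurityGroupsForLoadBalancer also skips the cleanup that the comment above the function promises ("Will also remove any security groups ingress rules for the load balancer that are _not_ needed"), so enabling the flag on a cluster that already has provider-created rules leaves those stale per-load-balancer rules in the node security group until someone removes them by hand, and the function comment no longer describes the function's behaviour when the flag is set. At minimum the function comment should say so, e.g. `// When cfg.Global.DisableSecurityGroupIngress is set this is a no-op: rules are neither added nor removed.`. Returning silently also hides the decision from operators; a log line before the `return nil`, such as `glog.V(2).Infof("Skipping security group ingress update for load balancer %s: DisableSecurityGroupIngress is set", *lb.LoadBalancerName)` (assuming the file's glog logger and a non-nil name), would make the skipped work visible when debugging unreachable backends. The function body continues outside the hunk.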