AWS Workshops DIY — EKS Workshop — 13. K8S Networking w/ Amazon VPC CNI — Security Groups for Pods
Hands-on demonstration of how to manage traffic flow with Amazon EC2 security groups at the Kubernetes pod level instead of at the cluster node (EC2 instance) level.
This feature provides granular access control by assigning Amazon EC2 security groups directly to Kubernetes pods, so that traffic within a pod's namespace, between pods, and between pods and AWS resources outside the cluster can all be controlled with the same security group rules used elsewhere in the VPC. It was introduced towards the end of 2020. According to the "Introducing security groups for pods" blog post, it was one of the most requested features by Amazon EKS customers. Quoting from the Amazon public roadmap:
Tell us about the problem you’re trying to solve. What are you trying to do, and why is it hard?
Although Network Policies with Calico and friends can provide network segmentation within the cluster, we’re missing a straightforward way to control traffic to AWS resources outside of the cluster. For example, I would like to be able to restrict access to RDS instances by referencing the pod SG in the RDS SG.
In this chapter, we'll cover the concepts behind how this is accomplished and demonstrate communication between application pods and a managed Amazon RDS database, with access restricted by referencing the pod security group in the RDS instance's security group.