I have a TCP service that runs via a Kubernetes Deployment on an AWS EKS cluster and is exposed to the internet by a Service of type LoadBalancer using the following definition:
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
  name: tcpservice
spec:
  selector:
    app: tcpapp
  type: LoadBalancer
  ports:
    - port: 4453
      targetPort: 4453
      name: tcpport
Because the load balancer type is NLB, the ingress traffic has to be explicitly allowed on the security group that is applied to the nodes themselves. The security group was created like this:
✔ ~$ aws ec2 describe-security-groups --group-ids sg-2645567125762c6e2 | jq '.SecurityGroups[0].IpPermissions[0]'
{
  "FromPort": 32163,
  "IpProtocol": "tcp",
  "IpRanges": [
    {
      "CidrIp": "10.20.0.0/20",
      "Description": "kubernetes.io/rule/nlb/health=afd5427b6058811ea989512627425a2e"
    },
    {
      "CidrIp": "0.0.0.0/0",
      "Description": "kubernetes.io/rule/nlb/client=afd5427b6058811ea989512627425a2e"
    }
  ],
  "Ipv6Ranges": [],
  "PrefixListIds": [],
  "ToPort": 32163,
  "UserIdGroupPairs": []
}
So now I need to change the "0.0.0.0/0" CidrIp to a different block. How can I do this using Kubernetes manifests? I've looked at the NetworkPolicy and Calico documentation, but this controls traffic to pods, not services. I can change it with the AWS API or manually, but those changes are lost when the service is redeployed.
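The following is an added example, not part of the original post: the same Service manifest with the client source range narrowed through the standard Service field spec.loadBalancerSourceRanges. The CIDRs 203.0.113.0/24 and 198.51.100.0/24 are placeholders (documentation ranges), to be replaced with the real client block(s); everything else is taken from the question's own manifest.

```yaml
# Added example (not from the original post): restrict NLB client access
# declaratively so the change survives redeploys of the Service.
# 203.0.113.0/24 and 198.51.100.0/24 are placeholder client ranges.
apiVersion: v1
kind: Service
metadata:
  name: tcpservice
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
spec:
  type: LoadBalancer
  selector:
    app: tcpapp
  # The AWS cloud provider turns each entry into a
  # "kubernetes.io/rule/nlb/client=<id>" ingress rule on the node security
  # group for the NodePort, in place of the default 0.0.0.0/0 rule.
  # Leaving the field out is equivalent to 0.0.0.0/0.
  loadBalancerSourceRanges:
    - 203.0.113.0/24
    - 198.51.100.0/24
  ports:
    - name: tcpport
      port: 4453
      targetPort: 4453
```

After applying this with kubectl apply -f, re-run the aws ec2 describe-security-groups | jq command from the question: the IpRanges entries carrying the kubernetes.io/rule/nlb/client description should now list only the CIDRs given above, while the kubernetes.io/rule/nlb/health entry for 10.20.0.0/20 stays, because NLB health checks originate inside the VPC. Two caveats worth checking: the field only governs the security group rule on the node's NodePort (32163 here), so anything inside 10.20.0.0/20 can still reach that port directly via the health-check rule; and any rule added by hand with the AWS API will continue to be overwritten by the controller, so the manifest has to be the single source of truth for this list.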