Posted On: Sep 9, 2020

Amazon Elastic Kubernetes Service (EKS) customers can now leverage EC2 security groups to secure applications with different network security requirements on shared cluster compute resources. 

Previously, all pods on a node shared the same security groups. While IAM roles for service accounts solves the pod level security challenge at the authentication layer, many organization’s compliance requirements also mandate network segmentation as an additional defense in depth step. Kubernetes network policies provide an option for controlling network traffic within the cluster, but do not support controlling access to Amazon Web Services resources such as Amazon RDS outside the cluster. 

Now, network security rules that span pod to pod and pod to external Amazon Web Services service traffic can be defined in a single place with EC2 security groups, and applied to individual pods and applications with Kubernetes native APIs. This makes it easy to achieve network security compliance in multi-tenant clusters by running application with varying network security requirements on a shared pool of compute resources.  

Support for assigning security groups to pods is available for most Amazon Web Services Nitro based instances launched with new EKS clusters running Kubernetes version 1.17 and above. Support for existing clusters will be rolled out over the coming weeks. To get started, visit the Amazon EKS documentation.