AWS EKS: attach security groups to pods through the SecurityGroupPolicy CRD
The SecurityGroupPolicy CRD (the "security groups for pods" feature of the Amazon VPC CNI) binds VPC security groups directly to a pod's own branch network interface, instead of relying on the security group of the node. The policy below selects pods by the labels on their ServiceAccount, so the EKS Deployment must run its pods under a ServiceAccount that carries the label app: istio-internal-ingressgateway (a podSelector that matches pod labels is the alternative). Create the custom resource in the EKS cluster in the same namespace as the pods, because the policy is namespaced.
Prerequisites and caveats: the aws-node DaemonSet must run with ENABLE_POD_ENI=true, the nodes must be Nitro-based instance types, and the cluster IAM role needs the AmazonEKSVPCResourceController managed policy. The policy only applies to pods created after it exists, so restart the gateway pods after creating it. If the pods use liveness or readiness probes, the attached security groups must allow inbound traffic from the cluster security group so the kubelet on the node can reach the pod. A pod can be given at most five security groups.
This controls access to the Istio internal ingress gateway by binding the security groups to the gateway pod's network interface.
```yaml
apiVersion: vpcresources.k8s.aws/v1beta1
kind: SecurityGroupPolicy
metadata:
  name: istio-internal-ingressgateway-sg
  namespace: istio-system
spec:
  serviceAccountSelector:
    matchLabels:
      app: istio-internal-ingressgateway
  securityGroups:
    groupIds:
      - sg-xxxxxxx
      - sg-xxxxxxx
      - sg-xxxxxxx
      - sg-xxxxxxx
      - sg-xxxxxxx
```
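The policy alone does nothing unless a ServiceAccount carries the selected label and the gateway pods actually run under it. The manifests below are an added example, not from the original page or from Istio, showing the full wiring: the labelled ServiceAccount, a Deployment that references it through serviceAccountName, and the policy. The ServiceAccount and Deployment names, the container image, the ports and the replica count are assumptions; the real gateway container spec (args, env, volumes) is the one generated by istioctl or the Istio gateway Helm chart, and the security group IDs stay placeholders.

```yaml
# Added example (not the original page's or Istio's manifests).
# 1. The ServiceAccount whose labels the SecurityGroupPolicy selects on.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-internal-ingressgateway      # assumed name
  namespace: istio-system
  labels:
    app: istio-internal-ingressgateway     # must match spec.serviceAccountSelector below
---
# 2. The gateway Deployment; only serviceAccountName ties the pods to the policy.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-internal-ingressgateway      # assumed name
  namespace: istio-system
spec:
  replicas: 2                              # assumed
  selector:
    matchLabels:
      app: istio-internal-ingressgateway
  template:
    metadata:
      labels:
        app: istio-internal-ingressgateway
    spec:
      serviceAccountName: istio-internal-ingressgateway   # the labelled ServiceAccount above
      containers:
        - name: istio-proxy
          image: docker.io/istio/proxyv2:1.20.0          # assumed; match your control-plane version
          # args/env/volumes are the ones istioctl or the gateway Helm chart generates; omitted here
          ports:
            - name: http
              containerPort: 8080                        # assumed gateway listener port
            - name: status-port
              containerPort: 15021                       # Istio proxy status port
          readinessProbe:
            # The kubelet on the node sends this probe, so the pod's security
            # groups must allow inbound traffic from the cluster security group.
            httpGet:
              path: /healthz/ready
              port: 15021
            initialDelaySeconds: 1
            periodSeconds: 2
---
# 3. The policy; serviceAccountSelector matches ServiceAccount labels, not pod labels.
apiVersion: vpcresources.k8s.aws/v1beta1
kind: SecurityGroupPolicy
metadata:
  name: istio-internal-ingressgateway-sg
  namespace: istio-system                  # same namespace as the pods
spec:
  serviceAccountSelector:
    matchLabels:
      app: istio-internal-ingressgateway
  securityGroups:
    groupIds:
      - sg-xxxxxxx                         # placeholders; at most five per pod
      - sg-xxxxxxx
```

After applying, confirm the pods received a branch ENI: pods managed by the VPC resource controller carry the annotation vpc.amazonaws.com/pod-eni, so `kubectl -n istio-system get pod -l app=istio-internal-ingressgateway -o jsonpath='{.items[*].metadata.annotations.vpc\.amazonaws\.com/pod-eni}'` should print the ENI and security group details for each pod; an empty result usually means ENABLE_POD_ENI is not set on aws-node, the node type is not Nitro-based, or the pods were created before the policy and have not been restarted.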