Attaching a Security Group to AWS EKS Pods Through the SecurityGroupPolicy CRD

The EKS deployment should use a ServiceAccount for its pods.

Create the CR in the EKS cluster

Control access to the Istio ingress gateway by binding the security group to the pod's network interface.

apiVersion: vpcresources.k8s.aws/v1beta1
kind: SecurityGroupPolicy
metadata:
  name: istio-internal-ingressgateway-sg
  namespace: istio-system
spec:
  # Selects pods by the labels on their ServiceAccount
  serviceAccountSelector:
    matchLabels:
      app: istio-internal-ingressgateway
  securityGroups:
    # Placeholder IDs; replace with the security groups to attach
    groupIds:
      - sg-xxxxxxx
      - sg-xxxxxxx
      - sg-xxxxxxx
      - sg-xxxxxxx
      - sg-xxxxxxx
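
A pre-apply check for the manifest above, as an added example that is not from the original post or from AWS: it lints the policy and tests whether a given ServiceAccount carries the labels the selector requires. The group IDs and ServiceAccount objects are constructed, the function names are hypothetical, the 1-5 group limit is an assumption based on AWS's documentation, and only `matchLabels` is handled.

```python
SG_LIMIT = 5  # assumption: AWS documents 1-5 security group IDs per policy

def lint_policy(policy):
    """Return a list of findings for a SecurityGroupPolicy given as a dict."""
    findings = []
    if policy.get("kind") != "SecurityGroupPolicy":
        findings.append("kind is not SecurityGroupPolicy")
    spec = policy.get("spec", {})
    labels = spec.get("serviceAccountSelector", {}).get("matchLabels", {})
    if not labels:
        findings.append("serviceAccountSelector.matchLabels is empty or missing")
    ids = spec.get("securityGroups", {}).get("groupIds", [])
    if not 1 <= len(ids) <= SG_LIMIT:
        findings.append(f"expected 1-{SG_LIMIT} groupIds, found {len(ids)}")
    if len(set(ids)) != len(ids):
        findings.append("duplicate security group IDs")
    return findings

def selects(policy, service_account):
    """True when the policy's matchLabels select this ServiceAccount."""
    pmeta, smeta = policy["metadata"], service_account["metadata"]
    if pmeta.get("namespace") != smeta.get("namespace"):
        return False  # the policy is namespaced; it cannot reach other namespaces
    want = policy["spec"]["serviceAccountSelector"]["matchLabels"]
    have = smeta.get("labels", {})  # labels on the ServiceAccount, not the pod
    return all(have.get(k) == v for k, v in want.items())

# Constructed sample data mirroring the manifest above.
POLICY = {
    "apiVersion": "vpcresources.k8s.aws/v1beta1",
    "kind": "SecurityGroupPolicy",
    "metadata": {"name": "istio-internal-ingressgateway-sg",
                 "namespace": "istio-system"},
    "spec": {
        "serviceAccountSelector":
            {"matchLabels": {"app": "istio-internal-ingressgateway"}},
        "securityGroups": {"groupIds": ["sg-EXAMPLE1", "sg-EXAMPLE2"]},
    },
}
SA_LABELED = {"metadata": {"name": "gateway-sa", "namespace": "istio-system",
                           "labels": {"app": "istio-internal-ingressgateway"}}}
SA_UNLABELED = {"metadata": {"name": "gateway-sa", "namespace": "istio-system"}}

if __name__ == "__main__":
    print("findings:", lint_policy(POLICY))
    for sa in (SA_LABELED, SA_UNLABELED):
        print(sa["metadata"].get("labels"), "->", selects(POLICY, sa))
```

The unlabeled ServiceAccount case is the one to watch: its pods are not selected, so they do not receive the security groups listed in the policy.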
