Custom ICMP rule generated in AWS security group
Summary
We are using the Helm chart from GitLab and we have this setting in our nginx-ingress:
nginx-ingress:
  controller:
    annotation:
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: ...
      service.beta.kubernetes.io/aws-load-balancer-access-log-enabled: 'true'
      service.beta.kubernetes.io/aws-load-balancer-connection-draining-enabled: 'true'
      service.beta.kubernetes.io/aws-load-balancer-connection-draining-timeout: '300'
      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
    service:
      enableHttp: false
      loadBalancerSourceRanges:
        - XXX.XXX.XXX.XXX/32
The setting is generating a security group with the following inbound rules:
The problem is that every time we add an IP to the source ranges, it creates 3 more rules, and we reached the limit recently. So we disabled HTTP, which gives us some space. But we can't find any setting for disabling this Custom ICMP rule. Is there a way to do it, and what is it used for?
Steps to reproduce
- helm install with the provided configuration
Configuration used
redis:
  enabled: false
registry:
  enabled: false
  storage:
    secret: registry-storage
    key: config
global:
  registry:
    bucket: gitlab-domain-registry
  smtp:
    enabled: true
    address: email-server
    port: 587
    user_name: user-name-key
    password:
      secret: gitlab-smtp-password
      key: password-key
    starttls_auto: true
    authentication: login
    domain: gitlab.mydomain.com
    openssl_verify_mode: none
  email:
    from: exampple@mail.com
    display_name: Gitlab
    reply_to: example@mail.com
    subject_suffix: ""
  railsSecrets:
    secret: gitlab-rails-secret
  hosts:
    domain: mydomain.org
    https: true
  psql:
    host: gitlab.xxxxxxxxxxx.ap-southeast-2.rds.amazonaws.com
    password:
      secret: gitlab-postgresql-password
      key: postgres-password
    username: root
  minio:
    enabled: false
  appConfig:
    lfs:
      bucket: gitlab-lfs-storage
      connection:
        secret: object-storage
        key: connection
    artifacts:
      bucket: gitlab-artifacts-storage
      connection:
        secret: object-storage
        key: connection
    uploads:
      bucket: gitlab-uploads-storage
      connection:
        secret: object-storage
        key: connection
    backups:
      bucket: gitlab-backup
      tmpBucket: gitlab-backup
certmanager:
  install: true
certmanager-issuer:
  email: example@mail.com
gitlab:
  migrations:
    image:
      repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-rails-ce
  sidekiq:
    registry:
      enabled: false
    image:
      repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq-ce
  unicorn:
    registry:
      enabled: false
    image:
      repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-unicorn-ce
    workhorse:
      image: registry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ce
  task-runner:
    backups:
      objectStorage:
        config:
          secret: s3cmd-config
          key: config
      cron:
        enabled: false
postgresql:
  install: false
redis:
  host: redis.xxxxxxx.cache.amazonaws.com
gitlab-runner:
  install: false
nginx-ingress:
  controller:
    service:
      annotation:
        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:ap-xxxxxxxxxxxx:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
        service.beta.kubernetes.io/aws-load-balancer-access-log-enabled: 'true'
        service.beta.kubernetes.io/aws-load-balancer-connection-draining-enabled: 'true'
        service.beta.kubernetes.io/aws-load-balancer-connection-draining-timeout: '300'
        service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
      enableHttp: false
      loadBalancerSourceRanges:
        - XXX.XXX.XXX.XXX/32
prometheus:
  install: false
  rbac:
    create: true
  alertmanager:
    enabled: false
  alertmanagerFiles:
    alertmanager.yml: {}
  kubeStateMetrics:
    enabled: false
  nodeExporter:
    enabled: false
  pushgateway:
    enabled: false
Current behavior
There is no setting to disable the inbound rule "Custom ICMP".
Expected behavior
Have a setting to disable the inbound rule "Custom ICMP" and save inbound rules.
Versions
- Chart: 2.2.3
- Platform:
  - Cloud: Self-managed by kops on AWS Cloud
  - Kubernetes:
    - Client: 1.14.6
    - Server: 1.12.8
  - Helm:
    - Client: 2.14.3
    - Server: 2.14.3
Relevant logs
N/A
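Added example (not part of the issue or of the GitLab chart): a small Python model of the rule expansion the summary describes. The in-tree Kubernetes AWS cloud provider creates one TCP rule per listener port per source CIDR plus one ICMP type 3 / code 4 rule per CIDR (the "Custom ICMP" entry, which lets path MTU discovery work through the load balancer), so each added IP costs three rules with HTTP enabled and two without. The 60-rule quota and the describe-security-groups sample are assumptions constructed for the example.

```python
import ipaddress
import json

# The in-tree AWS cloud provider opens ICMP type 3 / code 4 ("destination
# unreachable: fragmentation needed") for every source CIDR so that path MTU
# discovery works through the load balancer.  EC2 encodes the ICMP type in
# FromPort and the code in ToPort.
ICMP_PMTU = {"IpProtocol": "icmp", "FromPort": 3, "ToPort": 4}

# Assumption: the account uses the default EC2 quota of 60 inbound rules per
# security group (the quota is adjustable).
INBOUND_RULE_QUOTA = 60

def expected_rules(listener_ports, source_ranges):
    """Model the inbound rules created for a Service of type LoadBalancer:
    one TCP rule per (listener port, CIDR) plus one ICMP rule per CIDR.
    Each CIDR is validated, so a malformed entry in values.yaml fails here."""
    rules = []
    for cidr in source_ranges:
        cidr = str(ipaddress.ip_network(cidr))
        for port in listener_ports:
            rules.append({"IpProtocol": "tcp", "FromPort": port,
                          "ToPort": port, "CidrIp": cidr})
        rules.append({**ICMP_PMTU, "CidrIp": cidr})
    return rules

def remaining_cidrs(listener_ports, source_ranges, quota=INBOUND_RULE_QUOTA):
    """How many more source CIDRs fit before the security group quota is hit."""
    per_cidr = len(listener_ports) + 1            # listeners plus the ICMP rule
    return (quota - per_cidr * len(source_ranges)) // per_cidr

def count_inbound_rules(describe_sg_json):
    """Count the inbound rules of an `aws ec2 describe-security-groups` result
    the way EC2 does (one rule per CIDR per permission), split by protocol."""
    counts = {"tcp": 0, "icmp": 0, "other": 0}
    for perm in json.loads(describe_sg_json)["SecurityGroups"][0]["IpPermissions"]:
        key = perm["IpProtocol"] if perm["IpProtocol"] in counts else "other"
        counts[key] += len(perm.get("IpRanges", [])) + len(perm.get("Ipv6Ranges", []))
    return counts

# Constructed sample: two office CIDRs, HTTPS only (enableHttp: false).
SAMPLE_SG = json.dumps({"SecurityGroups": [{"GroupId": "sg-EXAMPLE", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "198.51.100.10/32"}, {"CidrIp": "198.51.100.11/32"}]},
    {"IpProtocol": "icmp", "FromPort": 3, "ToPort": 4,
     "IpRanges": [{"CidrIp": "198.51.100.10/32"}, {"CidrIp": "198.51.100.11/32"}]},
]}]})
```

Running `count_inbound_rules` over the real `describe-security-groups` output of the ELB's group and comparing with `expected_rules` for the Service's ports and source ranges shows whether the group contains only what the cloud provider generated.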