Security Groups for Pods
Overview
Security Groups for Pods (SGP) allows you to assign security groups directly to pods, enabling fine-grained network access control.
Requirements
- VPC CNI addon version >= 1.7.0
- Nitro-based instances
- Linux nodes only
Create Security Group for Pods
```yaml
apiVersion: vpcresources.k8s.aws/v1beta1
kind: SecurityGroupPolicy
metadata:
  name: my-app-sg-policy   # namespaced resource: selects pods in its own namespace only
spec:
  podSelector:
    matchLabels:
      app: my-app
  securityGroups:
    groupIds:
      - sg-1234567890abcdef0
```

Use Case: Database Access
```yaml
apiVersion: vpcresources.k8s.aws/v1beta1
kind: SecurityGroupPolicy
metadata:
  name: database-access
spec:
  podSelector:
    matchLabels:
      tier: database
  securityGroups:
    groupIds:
      # Placeholder names; replace with real security group IDs (sg-xxxxxxxxxxxxxxxxx)
      - sg-db-security-group
      - sg-app-security-group
```

Benefits
- Pod-level security group assignment
- No ENI per pod (shared ENI with warm IPs)
- Fine-grained access control
- Works with AWS services (RDS, ElastiCache)
Limitations
- Nitro instances only
- Cannot use with Windows nodes
- Limited to certain instance types
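The two manifests above only declare intent; whether a pod actually ended up with a branch ENI and the intended security groups is a separate question. The following is an added example, not code from the page or from the VPC CNI project: a small audit that applies Kubernetes label-selector semantics to SecurityGroupPolicy and Pod objects (plain dicts in the shape `kubectl get -o json` returns), validates that `groupIds` are well-formed security group IDs (which catches the placeholder names in the second manifest), and flags pods that match a policy but carry no branch ENI, which is what a pod created before its policy looks like, since the policy only applies to pods scheduled after it exists. It goes beyond the page's `matchLabels` by also handling `matchExpressions`. The annotation name `vpc.amazonaws.com/pod-eni` and the `eniId` field in its JSON value follow the VPC resource controller's behaviour; the pod names, ENI ID and `mk_policy`/`mk_pod` helpers are constructed for the example.

```python
# Added example (not from the page or the VPC CNI project): audit SecurityGroupPolicy
# objects against Pod objects, both as dicts in the shape `kubectl get -o json` returns.
import json
import re

# Real security group IDs are "sg-" followed by 8 or 17 hex digits.
SG_ID_RE = re.compile(r"^sg-[0-9a-f]{8}(?:[0-9a-f]{9})?$")
# Set by the VPC resource controller once a branch ENI is attached to the pod.
POD_ENI_ANNOTATION = "vpc.amazonaws.com/pod-eni"


def selector_matches(selector, labels):
    """Kubernetes label-selector semantics: all matchLabels pairs must be equal and
    every matchExpressions clause (In/NotIn/Exists/DoesNotExist) must hold.
    An empty selector matches every pod in the namespace."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def invalid_group_ids(policy):
    """groupIds entries that are not well-formed security group IDs."""
    ids = policy["spec"].get("securityGroups", {}).get("groupIds", [])
    return [g for g in ids if not SG_ID_RE.match(g)]


def branch_eni_ids(pod):
    """ENI IDs from the pod-eni annotation; [] means no branch ENI is attached."""
    raw = pod["metadata"].get("annotations", {}).get(POD_ENI_ANNOTATION)
    return [e.get("eniId", "?") for e in json.loads(raw)] if raw else []


def audit(policies, pods):
    """Per pod: matching policies (same namespace only), the groups they request,
    the branch ENIs actually attached, and two findings: overlapping policies, and
    a matched pod with no branch ENI. The latter is what a pod created before its
    policy looks like: SGP only applies to pods scheduled after the policy exists,
    so such pods must be recreated."""
    report = {}
    for pod in pods:
        meta = pod["metadata"]
        matched = [p for p in policies
                   if p["metadata"].get("namespace", "default") == meta["namespace"]
                   and selector_matches(p["spec"].get("podSelector", {}), meta.get("labels", {}))]
        # Assumption: groups of all matched policies are unioned for reporting only;
        # the overlap flag tells the operator to confirm the controller's merge rule.
        requested = sorted({g for p in matched for g in p["spec"]["securityGroups"]["groupIds"]})
        enis = branch_eni_ids(pod)
        report[f"{meta['namespace']}/{meta['name']}"] = {
            "policies": [p["metadata"]["name"] for p in matched],
            "requested_groups": requested,
            "branch_enis": enis,
            "overlapping_policies": len(matched) > 1,
            "missing_branch_eni": bool(matched) and not enis,
        }
    return report


def mk_policy(name, selector, group_ids, namespace="default"):
    return {"apiVersion": "vpcresources.k8s.aws/v1beta1", "kind": "SecurityGroupPolicy",
            "metadata": {"name": name, "namespace": namespace},
            "spec": {"podSelector": selector, "securityGroups": {"groupIds": group_ids}}}


def mk_pod(name, labels, annotations=None, namespace="default"):
    return {"metadata": {"name": name, "namespace": namespace,
                         "labels": labels, "annotations": annotations or {}}}


# Constructed sample data: the page's two policies plus four pods in different states.
SAMPLE_POLICIES = [
    mk_policy("my-app-sg-policy", {"matchLabels": {"app": "my-app"}}, ["sg-1234567890abcdef0"]),
    mk_policy("database-access", {"matchLabels": {"tier": "database"}},
              ["sg-db-security-group", "sg-app-security-group"]),  # page placeholders, not IDs
]
SAMPLE_PODS = [
    mk_pod("my-app-7c9d", {"app": "my-app"},
           {POD_ENI_ANNOTATION: json.dumps([{"eniId": "eni-0123456789abcdef0", "vlanId": 1}])}),
    mk_pod("my-app-old", {"app": "my-app"}),       # created before the policy existed
    mk_pod("postgres-0", {"tier": "database"}),
    mk_pod("frontend-5f6a", {"app": "frontend"}),  # selected by no policy
]

if __name__ == "__main__":
    for p in SAMPLE_POLICIES:
        print(p["metadata"]["name"], "malformed groupIds:", invalid_group_ids(p))
    print(json.dumps(audit(SAMPLE_POLICIES, SAMPLE_PODS), indent=2))
```

Run against a live cluster by replacing the sample lists with the `items` of `kubectl get securitygrouppolicies -A -o json` and `kubectl get pods -A -o json`; a `missing_branch_eni` finding on a pod that should be covered usually means the pod predates the policy, or that one of the requirements above (VPC CNI >= 1.7.0 with pod ENI support enabled, Nitro Linux nodes) is not met on its node.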