Skip to content

Preventing LoadBalancer service traffic from flowing through control plane and etcd nodes in a Kubernetes cluster with the AWS Cloud Provider

Article Number: 000020034

Environment

  • A Rancher Kubernetes Engine (RKE) CLI or Rancher v2.x provisioned Kubernetes cluster, provisioned on EC2 instances
  • Separate worker nodes from control plane and etcd nodes
  • The AWS Cloud Provider configured

Situation

This article details how to prevent LoadBalancer type service traffic from flowing through control plane and etcd nodes, in a cluster configured with the AWS Cloud Provider.

Resolution

Nodes of a Kubernetes cluster created by Rancher/RKE, that use AWS as the cloud provider, automatically get added to service load balancers (ELB). The behavior results in both controlplane and etcd nodes routing end-user application traffic, breaking the role separations model. To prevent this, label the control plane and etcd nodes with the label node-role.kubernetes.io/master and the cloud-controller will not automatically add them to the service load balancers.