
Kubernetes and AWS: Set LoadBalancer to use predefined Security Group


You cannot prevent Kubernetes from creating a new security group. But since Andonaeus' answer was submitted, a new feature has been added which allows for explicitly defining inbound permissions via your service's configuration file.

See the user guide details for the specifics. The example provided there shows that by using spec.loadBalancerSourceRanges you can provide allowed inbound IPs:

In the following example, a load balancer will be created that is only accessible to clients with IP addresses from 130.211.204.1 and 130.211.204.2.

    apiVersion: v1
    kind: Service
    metadata:
      name: myapp
    spec:
      ports:
        - port: 8765
          targetPort: 9376
      selector:
        app: example
      type: LoadBalancer
      loadBalancerSourceRanges:
      - 130.211.204.1/32
      - 130.211.204.2/32


You cannot restrict Kubernetes from creating a new security group, but you can specify existing security groups using annotations, as mentioned in the documentation:

service.beta.kubernetes.io/aws-load-balancer-extra-security-groups: "sg-53fae93f,sg-42efd82e" -> A list of additional security groups to be added to ELB
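
Added example, not part of either answer above: a small audit that reads Service objects as JSON (for instance from `kubectl get svc -o json`) and flags LoadBalancer services whose `loadBalancerSourceRanges` is missing, invalid or broad, or whose extra-security-groups annotation holds a malformed ID. The function names, the 256-address threshold, the `sg-` ID pattern and the `open-lb` and `wide-lb` sample services are assumptions made for illustration.

```python
import ipaddress
import json
import re

SG_ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-extra-security-groups"
# Assumed ID shape: "sg-" followed by 8 or 17 lowercase hex characters.
SG_ID = re.compile(r"sg-([0-9a-f]{8}|[0-9a-f]{17})")

def audit_service(svc, max_addresses=256):
    """Return findings for one Service dict; an empty list means nothing to flag."""
    spec = svc.get("spec", {})
    if spec.get("type") != "LoadBalancer":
        return []
    findings = []
    ranges = spec.get("loadBalancerSourceRanges") or []
    if not ranges:
        # With no ranges set, the load balancer accepts traffic from 0.0.0.0/0.
        findings.append("loadBalancerSourceRanges unset: open to 0.0.0.0/0")
    for cidr in ranges:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"invalid CIDR: {cidr}")
            continue
        if net.num_addresses > max_addresses:
            findings.append(f"broad source range: {cidr}")
    annotations = svc.get("metadata", {}).get("annotations") or {}
    for sg in annotations.get(SG_ANNOTATION, "").split(","):
        if sg.strip() and not SG_ID.fullmatch(sg.strip()):
            findings.append(f"malformed security group id: {sg.strip()}")
    return findings

def audit_manifest(text):
    """Audit a JSON List of Services, or a single Service object."""
    doc = json.loads(text)
    return {s["metadata"]["name"]: audit_service(s) for s in doc.get("items", [doc])}

# Constructed sample input: "myapp" mirrors the values quoted on this page,
# the other two services are made up to trigger findings.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"metadata": {"name": "myapp", "annotations": {
        SG_ANNOTATION: "sg-53fae93f,sg-42efd82e"}},
     "spec": {"type": "LoadBalancer", "loadBalancerSourceRanges": [
         "130.211.204.1/32", "130.211.204.2/32"]}},
    {"metadata": {"name": "open-lb"}, "spec": {"type": "LoadBalancer"}},
    {"metadata": {"name": "wide-lb", "annotations": {SG_ANNOTATION: "sg-53fae93f,default"}},
     "spec": {"type": "LoadBalancer",
              "loadBalancerSourceRanges": ["0.0.0.0/0", "10.1.2.3/33"]}},
]})

if __name__ == "__main__":
    for name, findings in audit_manifest(SAMPLE).items():
        print(name, findings or "ok")
```
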


I realize this post is now a couple of years old, but it came up for me in a Google search. It looks like it is now possible with k8s 1.7+ to prevent Kubernetes from creating a security group. See https://github.com/kubernetes/kops/blob/release-1.9/docs/cluster_spec.md#cloudconfig for more info.