
New annotation to add existing Security Groups to ELBs created by AWS cloudprovider #45268

Merged: 1 commit merged into kubernetes:master on Jun 21, 2017

Conversation

@redbaron (Contributor) commented May 3, 2017

What this PR does / why we need it:
When a K8S cluster is deployed in an existing VPC there might be a need to attach extra Security Groups to the ELB created by the AWS cloudprovider. An example of this is cases where such Security Groups are maintained by another team.

Special notes for your reviewer:
For tests to pass this depends on #45168 and therefore includes it.

Release note:

New 'service.beta.kubernetes.io/aws-load-balancer-extra-security-groups' Service annotation to specify extra Security Groups to be added to ELBs created by the AWS cloudprovider.

@k8s-ci-robot (Contributor) commented May 3, 2017

Hi @redbaron. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with @k8s-bot ok to test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 3, 2017
@k8s-github-robot k8s-github-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. release-note Denotes a PR that will be considered when it comes time to generate release notes. labels May 3, 2017
@redbaron (Contributor, Author) commented May 3, 2017

/cc @justinsb

@k8s-ci-robot k8s-ci-robot requested a review from justinsb May 3, 2017 05:49
@jsafrane (Member) commented May 9, 2017

@k8s-bot ok to test

@k8s-ci-robot k8s-ci-robot removed the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label May 9, 2017
@jsafrane (Member) commented May 9, 2017

I have zero knowledge about AWS load balancers.

/assign @justinsb
/unassign @jsafrane

@k8s-ci-robot k8s-ci-robot assigned justinsb and unassigned jsafrane May 9, 2017
@redbaron (Contributor, Author) commented

anyone?

@justinsb (Member) commented

Code looks good (sorry for delay)

But .. can you clarify "Example of it can be cases, where such Security Groups are maintained by another team.". I certainly understand that admin teams often impose requirements like this; I'm just a little unsure why they would want an additional SG attached to the ELB, while also letting us create our own and set ingress that way.

Another way of saying this: I would have a better understanding if we were only using the annotated SG, although that would have problems with the source ranges.

@k8s-github-robot k8s-github-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 30, 2017
@redbaron (Contributor, Author) commented

@justinsb limiting source IPs is exactly our case. A separate team maintains SGs and populates them with up-to-date source IP addresses, then it is imposed as a requirement to have them attached to any public-facing ELBs in the AWS account. The autocreated SG is then limited to receive requests only from 127.0.0.1/32 or so, so that it doesn't allow any additional IP addresses to talk to the ELB. At the same time, the autocreated SG acts as a glue SG to allow incoming connections from the ELB to the kubernetes worker nodes.
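
The setup described in the comment above, written out as a Service manifest. This is an added example, not code from the PR or from the kubernetes project; it uses the annotation the PR introduces together with the pre-existing `spec.loadBalancerSourceRanges` field, which on the AWS cloudprovider populates the ingress rules of the auto-created ELB Security Group. The SG IDs, Service name and selector are placeholders.

```yaml
# Added example (not from the PR): a Service whose ELB gets two
# externally managed Security Groups attached, while the SG that the
# AWS cloudprovider creates itself is restricted so that it admits
# no client traffic on its own.
# sg-0123456789abcdef0 and sg-0fedcba9876543210 are placeholder IDs;
# they must already exist in the cluster's VPC and carry the ingress
# rules (listener ports from the allowed source ranges) that the
# other team maintains. Kubernetes never edits their rules.
apiVersion: v1
kind: Service
metadata:
  name: public-web
  annotations:
    # Comma-separated list of existing SG IDs to attach to the ELB in
    # addition to the SG the cloudprovider creates for this Service.
    service.beta.kubernetes.io/aws-load-balancer-extra-security-groups: "sg-0123456789abcdef0,sg-0fedcba9876543210"
spec:
  type: LoadBalancer
  selector:
    app: web
  ports:
  - port: 443
    targetPort: 8443
  # Source ranges become the ingress rules of the auto-created SG.
  # 127.0.0.1/32 never matches real client traffic, so that SG admits
  # nothing by itself and only the extra SGs above decide who can reach
  # the ELB. The auto-created SG is still referenced as the source in
  # the ingress rule the cloudprovider adds to the worker-node SG, so
  # ELB-to-node health checks and proxied traffic keep working.
  loadBalancerSourceRanges:
  - 127.0.0.1/32
```

Two checks are worth running after the Service comes up. First, confirm the ELB really carries all three groups: find the ELB from the hostname in `status.loadBalancer.ingress` and run `aws elb describe-load-balancers --load-balancer-names <name> --query 'LoadBalancerDescriptions[0].SecurityGroups'`; the output should list the auto-created SG plus the two annotated IDs. Second, remember that Security Group membership is additive (a connection is allowed if any attached group allows it), so the restriction only holds as long as the externally managed groups themselves stay tight; reviewing their rules is part of the threat model, not something the annotation enforces.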

@justinsb (Member) commented Jun 1, 2017

Have you seen #45500 - that has all ELBs share a single SG. I believe the primary use case there is that there is a 500 SG limit per VPC. I'm wondering if that would work for your use case also though.

@justinsb (Member) commented Jun 1, 2017

So I like the way this works, but I suspect that #45500 actually meets your use case. I'm going to ask them to refactor to use the same code structure you used here, so that if not we can still get yours in also.

@justinsb (Member) commented Jun 1, 2017

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 1, 2017
@k8s-github-robot k8s-github-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 1, 2017
@redbaron (Contributor, Author) commented Jun 1, 2017

@justinsb, #45500 and this are complementary and work very well together. #45500 defines how the auto-assigned SG looks; this PR adds extra SGs to created ELBs.

@calebamiles calebamiles modified the milestone: v1.7 Jun 2, 2017
@redbaron redbaron force-pushed the aws-elb-attach-sgs branch from c5fb77b to bb4bc3e June 2, 2017 07:29
@k8s-github-robot k8s-github-robot removed lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Jun 2, 2017
@redbaron (Contributor, Author) commented Jun 2, 2017

Should I be targeting this PR to release-1.7 branch instead of master?

@k8s-github-robot k8s-github-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 5, 2017
@redbaron (Contributor, Author) commented Jun 5, 2017

Cannot rebase due to git clone being broken on Windows right now (#46958); will rebase once it is solved.

@k8s-github-robot k8s-github-robot removed the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 5, 2017
@grodrigues3 (Contributor) commented

Re-adding the approved label since there is a referenced issue and justin approved prior to freeze

@grodrigues3 grodrigues3 added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 6, 2017
@marun marun added the sig/aws label Jun 8, 2017
@redbaron redbaron force-pushed the aws-elb-attach-sgs branch from bb4bc3e to debd33b June 9, 2017 10:59
@k8s-github-robot k8s-github-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 9, 2017
Service objects can be annotated with
`service.beta.kubernetes.io/aws-load-balancer-extra-security-groups`

to specify existing security groups to be added to ELB
created by AWS cloudprovider
@redbaron redbaron force-pushed the aws-elb-attach-sgs branch from debd33b to 2e5773b June 9, 2017 11:10
@redbaron (Contributor, Author) commented

@justinsb, I think it is all green now, only lgtm is missing

@justinsb (Member) commented

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 16, 2017
@justinsb (Member) commented

/retest

@justinsb (Member) commented

/approve no-issue

@k8s-github-robot commented

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: justinsb, redbaron

Associated issue requirement bypassed by: justinsb

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@k8s-ci-robot (Contributor) commented Jun 16, 2017

@redbaron: The following test failed, say /retest to rerun them all:

Test name: Jenkins GCE etcd3 e2e; Commit: c5fb77b; Rerun command: @k8s-bot gce etcd3 e2e test this

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@spiffxp (Member) commented Jun 16, 2017

/remove-priority P1
/priority important-soon
(I'm not actually sure this is the right priority, just trying to remove the old priority/PN labels)

@k8s-ci-robot k8s-ci-robot added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed priority/P1 labels Jun 16, 2017
@redbaron (Contributor, Author) commented

@justinsb, can you trigger a retest please? It seems unrelated to my changes.

@marun (Contributor) commented Jun 20, 2017

/retest

@k8s-github-robot commented

Automatic merge from submit-queue

@k8s-github-robot k8s-github-robot merged commit 1499b6b into kubernetes:master Jun 21, 2017
@redbaron redbaron deleted the aws-elb-attach-sgs branch June 21, 2017 07:41
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.