-
Notifications
You must be signed in to change notification settings - Fork 39.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New annotation to add existing Security Groups to ELBs created by AWS cloudprovider #45268
New annotation to add existing Security Groups to ELBs created by AWS cloudprovider #45268
Conversation
Hi @redbaron. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/cc @justinsb |
@k8s-bot ok to test |
anyone? |
Code looks good (sorry for delay) But .. can you clarify "Example of it can be cases, where such Security Groups are maintained by another team.". I certainly understand that admin teams often impose requirements like this; I'm just a little unsure why they would want an additional SG attached to the ELB, while also letting us create our own and set ingress that way. Another way of saying this: I would have a better understanding if we were only using the annotated SG, although that would have problems with the source ranges. |
@justinsb limiting source IPs is exactly out case. Separate team maintains SGs and populates them with up to date source IP addresses, then it is imposed as a requirement to have them attached to any public facing ELBs in AWS account. Autocreated SG is then limited to receive requests only from 127.0.0.1/32 or so, so that it doesn't allow any additional IP addresses to talk to ELB. At the same time, autocreated SG acts as a glue SG to allow incoming connections from ELB to kubernetes worker nodes. |
Have you seen #45500 - that has all ELBs share a single SG. I believe the primary use case there is that there is a 500 SG limit per VPC. I'm wondering if that would work for your use case also though. |
So I like the way this works, but I suspect that #45500 actually meets your use case. I'm going to ask them to refactor to use the same code structure you used here, so that if not we can still get yours in also. |
/lgtm |
c5fb77b
to
bb4bc3e
Compare
Should I be targeting this PR to release-1.7 branch instead of master? |
Can not rebase due git clone being broken on windows right now ( #46958), will rebase once it is solved |
Readding the approved label since there is a referenced issue and justin approved prior to freeze |
bb4bc3e
to
debd33b
Compare
Service objects can be annotated with `service.beta.kubernetes.io/aws-load-balancer-extra-security-groups` to specify existing security groups to be added to ELB created by AWS cloudprovider
debd33b
to
2e5773b
Compare
@justinsb , I think it is all green now, only lgtm is missing |
/lgtm |
/retest |
/approve no-issue |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: justinsb, redbaron Associated issue requirement bypassed by: justinsb The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
@redbaron: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/remove-priority P1 |
@justinb, can you trigger retest it pls? seems unrelated to my changes |
/retest |
Automatic merge from submit-queue |
What this PR does / why we need it:
When K8S cluster is deployed in existing VPC there might be a need to attach extra SecurityGroups to ELB created by AWS cloudprovider. Example of it can be cases, where such Security Groups are maintained by another team.
Special notes for your reviewer:
For tests to pass depends on #45168 and therefore includes it
Release note: