Fixes unnecessary creation of default SG and trying to delete non-provisioned SG by k8s system when annotation [service.beta.kubernetes.io/aws-load-balancer-security-groups] is present #84265
/sig cloud-provider
/area platform/aws
/assign @wongma7
/ok-to-test
a75fbfb to 12c3ce6
/area provider/aws
/test pull-kubernetes-kubemark-e2e-gce-big
12c3ce6 to 03bbd74
@@ -4301,6 +4301,10 @@ func (c *Cloud) EnsureLoadBalancerDeleted(ctx context.Context, clusterName strin | |||
// Delete the security group(s) for the load balancer | |||
// Note that this is annoying: the load balancer disappears from the API immediately, but it is still | |||
// deleting in the background. We get a DependencyViolation until the load balancer has deleted itself | |||
if securitygroups, ok := service.Annotations[ServiceAnnotationLoadBalancerSecurityGroups]; !ok { |
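Review bot: the condition on the added `if` line tests only whether the annotation key exists (`!ok`), so a Service that carries the annotation with an empty value skips security group deletion altogether. If the create path still provisions a group for that Service, nothing ever removes it; decide on the trimmed annotation value instead, and apply the same rule on the create side. Inside the `!ok` branch `securitygroups` can only be the empty string, so bind it to `_` unless the body reads it.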
tiny nit: can you put a newline above your new code? Just to clarify that the existing comment is not about your specific if block
Yeah, makes sense. Thanks.
I am putting this if block above the comments for the block to separate the block comment for deletion and why if block.
- https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go#L3484 you will leak security groups..
- comment "This if code protects" is not English :D
@M00nF1sh Can you explain here how we would leak a security group?
From my understanding, we are protecting against calling a delete operation on an SG which has not been provisioned by k8s.
Thanks for pointing out!
Looking at the create code, we are creating a security group even if we have the annotation service.beta.kubernetes.io/aws-load-balancer-security-groups present and it has no value.
I am surprised that we are validating the value but, instead of erroring out, creating a default security group, which dissolves the purpose https://kubernetes.io/docs/concepts/cluster-administration/cloud-providers/#load-balancers
03bbd74 to f1e336d
…visioned SG by k8s system when annotation [service.beta.kubernetes.io/aws-load-balancer-security-groups] is present
bd2bd7c to 1ee8632
/lgtm
/approve
/retest
/unhold
/retest
/test pull-kubernetes-integration
/test pull-kubernetes-e2e-gce
/test pull-kubernetes-e2e-gce
/retest Review the full test history for this PR. Silence the bot with an
/test pull-kubernetes-e2e-gce
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bhagwat070919, jsafrane, micahhausler The full list of commands accepted by this bot can be found here. The pull request process is described here
…-#84265-upstream-release-1.15 Automated cherry pick of #84265: Fixes unnecessary creation of default SG and trying to delete
…-#84265-upstream-release-1.17 Automated cherry pick of #84265: Fixes unnecessary creation of default SG and trying to delete
…-#84265-upstream-release-1.16 Automated cherry pick of #84265: Fixes unnecessary creation of default SG and trying to delete
What type of PR is this?
/kind bug
What this PR does / why we need it:
This PR fixes the issue:
- AWS Cloud Provider attempts to delete LoadBalancer security group it didn't provision
- AWS Cloud Provider creates default LoadBalancer security group even if annotation [service.beta.kubernetes.io/aws-load-balancer-security-groups] is present
Which issue(s) this PR fixes:
Fixes #84256
Special notes for your reviewer:
My first PR in Kubernetes
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
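
A simplified model of the two failure modes discussed in this PR (deleting a group the provider did not provision, and leaking one it did), added here as an example and not taken from the PR or the AWS cloud provider code. The rule names, the `audit` helper and the sample group IDs are hypothetical; the create-side behaviour (a default group whenever the annotation has no usable value) is assumed from the review thread.

```go
package main

import (
	"fmt"
	"strings"
)

// Annotation key named in the PR title.
const sgAnnotation = "service.beta.kubernetes.io/aws-load-balancer-security-groups"

// userGroups parses the annotation into trimmed, non-empty group IDs.
// A missing key and a present-but-empty value both yield no IDs.
func userGroups(ann map[string]string) []string {
	var ids []string
	for _, id := range strings.Split(ann[sgAnnotation], ",") {
		if id = strings.TrimSpace(id); id != "" {
			ids = append(ids, id)
		}
	}
	return ids
}

// Teardown rules (hypothetical names): should teardown delete the groups?
func always(map[string]string) bool { return true }
func keyAbsent(ann map[string]string) bool {
	_, ok := ann[sgAnnotation]
	return !ok
}
func noUserGroups(ann map[string]string) bool { return len(userGroups(ann)) == 0 }

// audit pairs a teardown rule with the create-side behaviour assumed from the
// thread: a default group is provisioned whenever no usable IDs are supplied.
func audit(ann map[string]string, deletes func(map[string]string) bool) string {
	created, deleted := noUserGroups(ann), deletes(ann)
	switch {
	case created && !deleted:
		return "leaks provisioned group"
	case !created && deleted:
		return "deletes user-owned group"
	}
	return "consistent"
}

func main() {
	empty := map[string]string{sgAnnotation: " "}                      // constructed
	set := map[string]string{sgAnnotation: "sg-example1, sg-example2"} // constructed
	fmt.Println("always/set:        ", audit(set, always))
	fmt.Println("keyAbsent/empty:   ", audit(empty, keyAbsent))
	fmt.Println("noUserGroups/empty:", audit(empty, noUserGroups))
}
```

Only the rule that asks the same question on both paths ("did the user supply any groups?") stays consistent for absent, empty and populated annotations.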