Fixes unnecessary creation of default SG and trying to delete non-provisioned SG by k8s system when annotation [service.beta.kubernetes.io/aws-load-balancer-security-groups] is present #84265

Merged
merged 1 commit into from
Jan 14, 2020

bhks
Contributor

@bhks bhks commented Oct 24, 2019

What type of PR is this?

/kind bug

What this PR does / why we need it:

This PR fixes the issue:

  • AWS Cloud Provider attempts to delete LoadBalancer security group it didn’t provision
  • AWS Cloud Provider creates default LoadBalancer security group even if annotation [service.beta.kubernetes.io/aws-load-balancer-security-groups] is present

Which issue(s) this PR fixes:

Fixes #84256

Special notes for your reviewer:

My first PR in Kubernetes

Does this PR introduce a user-facing change?:


Fixed the following 
-  AWS Cloud Provider attempts to delete LoadBalancer security group it didn’t provision
-  AWS Cloud Provider creates default LoadBalancer security group even if annotation [service.beta.kubernetes.io/aws-load-balancer-security-groups] is present

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:


NONE

@k8s-ci-robot k8s-ci-robot added the release-note-none Denotes a PR that doesn't merit a release note. label Oct 24, 2019
@k8s-ci-robot
Contributor

Welcome @bhagwat070919!

It looks like this is your first PR to kubernetes/kubernetes 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/kubernetes has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Oct 24, 2019
@k8s-ci-robot
Contributor

Hi @bhagwat070919. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Oct 24, 2019
@bhks
Contributor Author

bhks commented Oct 24, 2019

/sig cloud-provider

@k8s-ci-robot k8s-ci-robot added sig/cloud-provider Categorizes an issue or PR as relevant to SIG Cloud Provider. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Oct 24, 2019
@bhks
Contributor Author

bhks commented Oct 24, 2019

/area platform/aws

@k8s-ci-robot
Contributor

@bhagwat070919: The label(s) area/platform/aws cannot be applied. These labels are supported: api-review, community/discussion, community/maintenance, community/question, cuj/build-train-deploy, cuj/multi-user, platform/aws, platform/azure, platform/gcp, platform/minikube, platform/other

In response to this:

/area platform/aws

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@bhks
Contributor Author

bhks commented Oct 24, 2019

/assign @wongma7
/assign @micahhausler

@wongma7
Contributor

wongma7 commented Oct 24, 2019

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Oct 24, 2019
@bhks
Contributor Author

bhks commented Oct 24, 2019

/area provider/aws

@k8s-ci-robot k8s-ci-robot added the area/provider/aws Issues or PRs related to aws provider label Oct 24, 2019
@bhks
Contributor Author

bhks commented Oct 24, 2019

/test pull-kubernetes-kubemark-e2e-gce-big

@@ -4301,6 +4301,10 @@ func (c *Cloud) EnsureLoadBalancerDeleted(ctx context.Context, clusterName strin
// Delete the security group(s) for the load balancer
// Note that this is annoying: the load balancer disappears from the API immediately, but it is still
// deleting in the background. We get a DependencyViolation until the load balancer has deleted itself
if securitygroups, ok := service.Annotations[ServiceAnnotationLoadBalancerSecurityGroups]; !ok {
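
Review bot: the `!ok` condition on the added `if securitygroups, ok := service.Annotations[ServiceAnnotationLoadBalancerSecurityGroups]; !ok {` line only tests whether the annotation key exists, so a Service that carries the annotation with an empty value takes the same path as one that lists real groups. Check the trimmed value as well as the key, so that the delete path decides ownership of the group the same way the create path does. The line also sits directly under the existing "Delete the security group(s)" comment, which explains the DependencyViolation retry rather than this condition; give the new check its own comment and separate it from that block.
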
Member

tiny nit: can you put a newline above your new code? Just to clarify that the existing comment is not about your specific if block

Contributor Author

Yeah, makes sense. Thanks.

I am putting this if block above the comments for the block to separate the block comment for deletion and why if block.

Contributor

  1. https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go#L3484 you will leak security groups..
  2. comment "This if code protects" is not English :D

Contributor Author

@M00nF1sh Can you explain here how we would leak a security group?

From my understanding, we are protecting against calling a delete operation on an SG which has not been provisioned by k8s.

Contributor Author

Thanks for pointing that out!

Looking at the create code,

We are creating a security group even if we have the annotation service.beta.kubernetes.io/aws-load-balancer-security-groups present and have no value.

I am surprised that we are validating the value but, instead of erroring out, creating a default security group, which dissolves the purpose https://kubernetes.io/docs/concepts/cluster-administration/cloud-providers/#load-balancers
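
The leak raised in the review above, as an added example that is not code from this PR or from the Kubernetes AWS provider: it models the create path as the thread describes it (a default group is created when the annotation has no usable value) and compares a key-presence delete check with one predicate shared by both paths. The helper names, the comma-separated value format and the sample group IDs are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Annotation key as written in the PR title.
const sgAnnotation = "service.beta.kubernetes.io/aws-load-balancer-security-groups"

// userSecurityGroups returns the non-empty IDs in the annotation value.
// Assumption: the value is a comma-separated list of group IDs.
func userSecurityGroups(ann map[string]string) []string {
	var ids []string
	for _, id := range strings.Split(ann[sgAnnotation], ",") {
		if id = strings.TrimSpace(id); id != "" {
			ids = append(ids, id)
		}
	}
	return ids
}

// providerOwnsSG is the one predicate both paths should share: the provider
// creates, and later deletes, a default group only when the user named none.
func providerOwnsSG(ann map[string]string) bool {
	return len(userSecurityGroups(ann)) == 0
}

// presenceOnlyDeletes models a delete path that tests only for the key.
func presenceOnlyDeletes(ann map[string]string) bool {
	_, ok := ann[sgAnnotation]
	return !ok
}

// leaks reports whether a default group made on the create path (modelled
// here by providerOwnsSG) would be skipped by the given delete predicate.
func leaks(ann map[string]string, deletes func(map[string]string) bool) bool {
	return providerOwnsSG(ann) && !deletes(ann)
}

func main() {
	// Constructed sample annotations, not taken from a real cluster.
	cases := map[string]map[string]string{
		"no annotation": {},
		"empty value":   {sgAnnotation: " "},
		"user-supplied": {sgAnnotation: "sg-constructed01, sg-constructed02"},
	}
	for name, ann := range cases {
		fmt.Printf("%-14s presence-only leaks=%v shared predicate leaks=%v\n", name, leaks(ann, presenceOnlyDeletes), leaks(ann, providerOwnsSG))
	}
}
```

Only the empty-value case leaks under the key-presence check; the shared predicate also never selects a user-supplied group for deletion.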

…visioned SG by k8s system when annotation [service.beta.kubernetes.io/aws-load-balancer-security-groups] is present
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 13, 2020
Member

@micahhausler micahhausler left a comment

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 13, 2020
@bhks
Contributor Author

bhks commented Jan 13, 2020

/retest

@micahhausler
Member

/unhold

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 13, 2020
@bhks
Contributor Author

bhks commented Jan 13, 2020

/retest

@bhks
Contributor Author

bhks commented Jan 13, 2020

/test pull-kubernetes-integration

@bhks
Contributor Author

bhks commented Jan 13, 2020

/test pull-kubernetes-e2e-gce

@bhks
Contributor Author

bhks commented Jan 14, 2020

/test pull-kubernetes-e2e-gce

@fejta-bot

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@bhks
Contributor Author

bhks commented Jan 14, 2020

/test pull-kubernetes-e2e-gce

@jsafrane
Member

/approve

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bhagwat070919, jsafrane, micahhausler

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@fejta-bot

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@k8s-ci-robot k8s-ci-robot merged commit c9003a2 into kubernetes:master Jan 14, 2020
@k8s-ci-robot k8s-ci-robot added this to the v1.18 milestone Jan 14, 2020
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesn't merit a release note. labels Jan 15, 2020
k8s-ci-robot added a commit that referenced this pull request Jan 31, 2020
…-#84265-upstream-release-1.15

Automated cherry pick of #84265: Fixes unnecessary creation of default SG and trying to delete
k8s-ci-robot added a commit that referenced this pull request Jan 31, 2020
…-#84265-upstream-release-1.17

Automated cherry pick of #84265: Fixes unnecessary creation of default SG and trying to delete
k8s-ci-robot added a commit that referenced this pull request Jan 31, 2020
…-#84265-upstream-release-1.16

Automated cherry pick of #84265: Fixes unnecessary creation of default SG and trying to delete