Support Security Group Name #410
base: sg-name
Conversation
* sg name field in crd
* add implementation
* Move to getsgforVPC, move SG names into SG, unique items validation
---------
Co-authored-by: Garvin Pang <garvinp@stripe.com>

Hi @GnatorX, are you planning to add TTL cache changes in the same PR?

I have added TTL cache. Sorry for the delay.
Thank you for the PR!
I had a few minor comments, but overall looks good. After merge, I can continue testing on this.
@@ -31,7 +31,13 @@ type GroupIds struct { | |||
// Groups is the list of EC2 Security Groups Ids that need to be applied to the ENI of a Pod. |
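Review bot: the doc comment on the first line of this hunk starts with "Groups" while the type named in the hunk header is `GroupIds`; Go doc comments begin with the identifier they describe, so either rename the type or change the comment to `// GroupIds is the list of EC2 Security Group IDs ...` so godoc and linters see a matching name.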
Can we rename this struct to be more general like `SecurityGroups`? So we can have something like below:

```go
type SecurityGroupPolicySpec struct {
	PodSelector            *metav1.LabelSelector `json:"podSelector,omitempty"`
	ServiceAccountSelector *metav1.LabelSelector `json:"serviceAccountSelector,omitempty"`
	SecurityGroups         SecurityGroups        `json:"securityGroups,omitempty"`
}

// SecurityGroups contains the list of security groups that will be applied to the network interface of the pod matching the criteria.
type SecurityGroups struct {
	// GroupIds is the list of EC2 Security Groups Ids that need to be applied to the ENI of a Pod.
	GroupIds []string `json:"groupIds,omitempty"`
	// GroupNames is the list of EC2 Security Groups Names that need to be applied to the ENI of a Pod.
	GroupNames []string `json:"groupNames,omitempty"`
}
```
This can be extended to add more identifiers for SGs in the future if required.
return securityGroup.securityGroupName, nil | ||
} | ||
securityGroupNameToIdCache := cache.NewTTLStore(securityGroupCacheKeyFunc, 15*time.Minute) |
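Review bot: `15*time.Minute` on the last line is a magic number; lift it into a named constant or a constructor parameter so the duration is visible and overridable in one place. Because the store maps a name to an ID, an entry can keep serving the ID of a group that was deleted and recreated under the same name until the entry expires; make sure a failed attach on a stale ID evicts that entry instead of waiting out the TTL. Also confirm that `securityGroupCacheKeyFunc` includes the VPC ID in the key, since the same group name can exist in several VPCs.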
Note: The TTL duration could be made configurable by the user based on their use-case.
I'll discuss this internally with the team.
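The cache discussed above maps a security group name to an ID for a fixed 15 minutes. As an added example, not code from this PR or the project, the resolver below keeps the lookup scoped to a VPC, takes the TTL as a parameter (the point raised in the comment), makes at most one listing call per reconcile, never caches misses, and fails closed when a name resolves to no group or to more than one so a pod is never attached with a subset of its policy's groups. `sgRecord`, `Lister`, `Resolver`, `fakeLister` and the sample groups are all constructed here and stand in for the AWS SDK types and the controller's own code.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"time"
)

// sgRecord is a constructed stand-in for the three fields of an EC2 security
// group this resolver needs; it is not the AWS SDK type.
type sgRecord struct {
	ID, Name, VpcID string
}

// Lister plays the role of the per-VPC listing call (GetSecurityGroupsForVpc on
// the page). A fake is injected below so the example runs offline.
type Lister func(vpcID string) ([]sgRecord, error)

type cacheEntry struct {
	id      string
	expires time.Time
}

// Resolver maps (VPC ID, group name) to a group ID and caches positive answers
// for TTL. Misses and ambiguous matches are never cached, so a group created
// after a failed reconcile is picked up on the next one. Not goroutine-safe.
type Resolver struct {
	list  Lister
	TTL   time.Duration    // configurable instead of a hard-coded 15 minutes
	now   func() time.Time // injectable clock so a test can expire entries
	cache map[string]cacheEntry
	Calls int // listing calls made so far; shows how effective the cache is
}

func NewResolver(list Lister, ttl time.Duration) *Resolver {
	return &Resolver{list: list, TTL: ttl, now: time.Now, cache: map[string]cacheEntry{}}
}

var (
	ErrNotFound  = errors.New("security group name not found in VPC")
	ErrAmbiguous = errors.New("security group name matches more than one group in VPC")
)

// ResolveIDs returns one ID per distinct name, sorted, or an error. It fails
// closed: if any name does not resolve to exactly one group, no IDs are returned.
func (r *Resolver) ResolveIDs(vpcID string, names []string) ([]string, error) {
	now := r.now()
	wanted := map[string]struct{}{}
	for _, n := range names {
		wanted[n] = struct{}{} // duplicate names in the spec collapse to one lookup
	}
	ids := make([]string, 0, len(wanted))
	var listed []sgRecord
	fetched := false
	for name := range wanted {
		key := vpcID + "/" + name // VPC-scoped key: the same name may exist elsewhere
		if e, ok := r.cache[key]; ok && now.Before(e.expires) {
			ids = append(ids, e.id)
			continue
		}
		if !fetched { // at most one listing call per ResolveIDs, however many misses
			var err error
			if listed, err = r.list(vpcID); err != nil {
				return nil, fmt.Errorf("listing security groups for %s: %w", vpcID, err)
			}
			r.Calls++
			fetched = true
		}
		var matches []string
		for _, sg := range listed {
			if sg.VpcID == vpcID && sg.Name == name {
				matches = append(matches, sg.ID)
			}
		}
		switch len(matches) {
		case 0:
			return nil, fmt.Errorf("%w: %q in %s", ErrNotFound, name, vpcID)
		case 1:
			r.cache[key] = cacheEntry{id: matches[0], expires: now.Add(r.TTL)}
			ids = append(ids, matches[0])
		default:
			return nil, fmt.Errorf("%w: %q in %s -> %v", ErrAmbiguous, name, vpcID, matches)
		}
	}
	sort.Strings(ids)
	return ids, nil
}

// constructedGroups is made-up sample data, not the contents of any account. The
// two "dup" entries model a mis-scoped listing to exercise the ambiguity path.
var constructedGroups = []sgRecord{
	{ID: "sg-0a1", Name: "web", VpcID: "vpc-1"},
	{ID: "sg-0b2", Name: "db", VpcID: "vpc-1"},
	{ID: "sg-0c3", Name: "web", VpcID: "vpc-2"}, // same name as in vpc-1, different group
	{ID: "sg-0d4", Name: "dup", VpcID: "vpc-2"},
	{ID: "sg-0e5", Name: "dup", VpcID: "vpc-2"},
}

// fakeLister stands in for the EC2 call and returns only groups in the VPC asked for.
func fakeLister(vpcID string) ([]sgRecord, error) {
	var out []sgRecord
	for _, g := range constructedGroups {
		if g.VpcID == vpcID {
			out = append(out, g)
		}
	}
	return out, nil
}

func main() {
	r := NewResolver(fakeLister, 15*time.Minute)
	ids, err := r.ResolveIDs("vpc-1", []string{"web", "db", "web"})
	fmt.Println(ids, err, r.Calls) // [sg-0a1 sg-0b2] <nil> 1
	_, err = r.ResolveIDs("vpc-2", []string{"dup"})
	fmt.Println(err)
}
```

Only positive answers are cached, and the key carries the VPC ID, so a name that appears in two VPCs never collides and a group created after a miss is found on the next reconcile. The ambiguity branch is defensive: AWS keeps names unique within a VPC, so two matches can only mean the listing was not scoped as expected, and the safe response is to refuse rather than pick one.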
func (e *ec2Wrapper) GetSecurityGroupsForVpc(input *ec2.GetSecurityGroupsForVpcInput) (*ec2.GetSecurityGroupsForVpcOutput, error) { | ||
accountIdFilter := ec2.Filter{ | ||
Name: aws.String("owner-id"), |
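Review bot: `accountIdFilter` is declared as an `ec2.Filter` value; in aws-sdk-go v1 the input's `Filters` field is `[]*ec2.Filter`, so check that it is appended as `&accountIdFilter` (or declared as `&ec2.Filter{...}`) and actually reaches the request. Building an `owner-id` filter inside the wrapper also hides the restriction from callers of `GetSecurityGroupsForVpc`; if the filter stays, document on the method that only groups owned by the caller's account are returned.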
This can be removed since we already have the `VpcId` filter.
sgList := s.filterPodSecurityGroups(sgpList, pod, sa) | ||
sgList, err := s.filterPodSecurityGroups(sgpList, pod, sa) | ||
if err != nil { | ||
helperLog.Error(err, "Failed in associating pod to security groups") |
nit: error can be more accurate like `"failed to get security groups to be associated with pod", "pod", pod.Name`, since we are not yet creating the branch ENI here.
) | ||
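Review bot: the error branch after `filterPodSecurityGroups` must return or requeue rather than fall through; if execution continues with a nil or partial `sgList`, the pod can be attached with fewer groups than its policy specifies, which silently widens its network exposure. Add the namespace alongside the pod name as key/value pairs on the log call so the affected pod is identifiable in triage.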
// TODO: Use the mocks and actually correctly mock this |
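Review bot: a `// TODO: Use the mocks and actually correctly mock this` should not be merged in test code; the review notes that a mock EC2 API helper already exists in the repository, so wire this test to it, or open an issue and reference its number in the TODO so the gap is tracked.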
Should this be updated? As I see there is a mock EC2 API helper.
sg name field in crd
add implementation
Move to getsgforVPC, move SG names into SG, unique items validation
Add TTL cache (15 minutes) to Security group name to ID calls to reduce calls to GetSecurityGroupForVPC
Issue #, if available:
Description of changes:
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.