Support Security Group Name #410
Conversation
* sg name field in crd * add implementation * Move to getsgforVPC, move SG names into SG, unique items validation --------- Co-authored-by: Garvin Pang <garvinp@stripe.com>
|
Hi @GnatorX, are you planning to add TTL cache changes in the same PR? |
|
I have added TTL cache. Sorry for the delay. |
| @@ -31,7 +31,13 @@ type GroupIds struct { | |||
| // Groups is the list of EC2 Security Groups Ids that need to be applied to the ENI of a Pod. | |||
There was a problem hiding this comment.
Can we rename this struct to be more general like SecurityGroups? So we can have something like below:
type SecurityGroupPolicySpec struct {
PodSelector *metav1.LabelSelector `json:"podSelector,omitempty"`
ServiceAccountSelector *metav1.LabelSelector `json:"serviceAccountSelector,omitempty"`
SecurityGroups SecurityGroups `json:"securityGroups,omitempty"`
}
// SecurityGroups contains the list of security groups that will be applied to the network interface of the pod matching the criteria.
type SecurityGroups struct {
// GroupIds is the list of EC2 Security Groups Ids that need to be applied to the ENI of a Pod.
GroupIds []string `json:"groupIds,omitempty"`
// GroupNames is the list of EC2 Security Groups Names that need to be applied to the ENI of a Pod.
GroupNames []string `json:"groupNames,omitempty"`
}
This can be extended to add more identifiers for SGs in the future if required.
| return securityGroup.securityGroupName, nil | ||
| } | ||
|
|
||
| securityGroupNameToIdCache := cache.NewTTLStore(securityGroupCacheKeyFunc, 15*time.Minute) |
There was a problem hiding this comment.
Note: The TTL duration could be made configurable by the user based on their use-case.
I'll discuss this internally with the team.
|
|
||
| func (e *ec2Wrapper) GetSecurityGroupsForVpc(input *ec2.GetSecurityGroupsForVpcInput) (*ec2.GetSecurityGroupsForVpcOutput, error) { | ||
| accountIdFilter := ec2.Filter{ | ||
| Name: aws.String("owner-id"), |
There was a problem hiding this comment.
This can be removed since we already have the VpcId filter.
| sgList := s.filterPodSecurityGroups(sgpList, pod, sa) | ||
| sgList, err := s.filterPodSecurityGroups(sgpList, pod, sa) | ||
| if err != nil { | ||
| helperLog.Error(err, "Failed in associating pod to security groups") |
There was a problem hiding this comment.
nit: error can be more accurate like "failed to get security groups to be associated with pod", "pod", pod.Name, since we are not yet creating the branch ENI here.
| ) | ||
|
|
||
| // TODO: Use the mocks and actually correctly mock this |
There was a problem hiding this comment.
Should this be updated? As I see there is a mock EC2 API helper.
sg name field in crd
add implementation
Move to getsgforVPC, move SG names into SG, unique items validation
Add TTL cache (15 minutes) to Security group name to ID calls to reduce calls to GetSecurityGroupForVPC
Issue #, if available:
Description of changes:
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.