Add VpcAssociationPolicy doc #411
Conversation
|
Haven't had a chance to review the doc yet, but please make sure any new doc change is included in |
zijun726911
force-pushed
the
vpc_association_policy_doc
branch
from
5f8bfef to
aae22e7
Compare
zijun726911
force-pushed
the
vpc_association_policy_doc
branch
from
aae22e7 to
418f164
Compare
|
|
||
| | Source | Protocol | Port Range | Comment | | ||
| |-----------------------------|-----------------------------------------------------|-------------------------------------------------|-----------------------------------------------------------| | ||
| | Kubernetes cluster VPC CIDR | protocols defined in the gateway's listener section | ports defined in the gateway's listener section | Allow inbound traffic from current cluster vpc to gateway | |
There was a problem hiding this comment.
Can we add - "or security group reference" - Incase they don't want to use CIDR/IP addresses.
Pull Request Test Coverage Report for Build 6358392373
💛 - Coveralls |
|
|
||
| When attaching a policy to a resource, the following restrictions apply: | ||
|
|
||
| * A policy can be only attached to `Gateway` resources. |
There was a problem hiding this comment.
It's typically advised to not use the word "only" when describing limitations.
Alternative wording would be "Policies must be attached to Gateway resources."
| When attaching a policy to a resource, the following restrictions apply: | ||
|
|
||
| * A policy can be only attached to `Gateway` resources. | ||
| * The attached resource should exist in the same namespace as the policy resource. |
There was a problem hiding this comment.
The attached resource must exist in the same namespace as the policy resource ("should" sounds suggestive, rather than mandatory).
| The security Group will not take effect if: | ||
|
|
||
| * The targetRef `Gateway` does not exist | ||
| * AssociateWithVpc field set to false |
There was a problem hiding this comment.
What AssociateWithVpc field?
Also, grammar nitpick: "associateWithVpc is set to false"
|
|
||
| **WARNING** | ||
|
|
||
| Current VPC Lattice updateServiceNetworkVpcAssociation api have a limitation that it cannot remove all security groups. |
There was a problem hiding this comment.
"The VPC Lattice UpdateServiceNetworkVpcAssociation API cannot be used to remove all security groups."
| Current VPC Lattice updateServiceNetworkVpcAssociation api have a limitation that it cannot remove all security groups. | ||
| That means, if you have a VpcAssociationPolicy attached to a gateway that already applied security groups, following operations will NOT take effect to remove the security groups: | ||
| * Update the VPCAssociationPolicy to empty the security group ids (even though the updated VPCAssociationPolicy can be accepted by the API server) | ||
| * Delete the VPCAssociationPolicy (even though the VPCAssociationPolicy can be deleted from k8s successfully) |
There was a problem hiding this comment.
Just to clarify, if the customer tries these steps, it will NOT work? If so, we should not list them as part of the documentation at all, and instead just give guidance on what they should do.
| * Delete the VPCAssociationPolicy (even though the VPCAssociationPolicy can be deleted from k8s successfully) | ||
|
|
||
| To remove security groups, instead, you should delete VPC Association and then create a new VPC Association without security group ids by following steps: | ||
| 1. Update the VPCAssociationPolicy with AssociateWithVpc is false and empty security group ids |
There was a problem hiding this comment.
"Update the VPCAssociationPolicy by setting associateWithVpc to false and with empty security group ids"
| 1. Update the VPCAssociationPolicy with AssociateWithVpc is false and empty security group ids | ||
| 2. Update the VPCAssociationPolicy with AssociateWithVpc is true and empty security group ids | ||
|
|
||
| Be cautious to set AssociateWithVpc to false. That can break traffic from the current cluster workloads to the gateway. |
There was a problem hiding this comment.
Perhaps this should be a note that simply says "Note: Setting associateWithVpc to false will disable traffic from the current cluster workloads to the gateway."
| Be cautious to set AssociateWithVpc to false. That can break traffic from the current cluster workloads to the gateway. | ||
|
|
||
|
|
||
| | Field | Description | |
|
|
||
|
|
||
|
|
||
| | Field | Description | |
There was a problem hiding this comment.
Possibly a Required column would help with clarifying whether a field is optional, and a Type column would make it easier to see what type of property it is, instead of lumping it in with the property name
xWink
left a comment
xWink
left a comment
There was a problem hiding this comment.
Great start, just needs some grammar and format cleanup.
|
|
||
| ### Fields of VpcAssociationPolicy | ||
|
|
||
| | Field Name | Required | Description | |
There was a problem hiding this comment.
Would be good to have a Type column for easier reading
|
|
||
| | Field Name | Type | Required | Description | | ||
| |--------------------|-----------------------------------------------------------------------------------------------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | ||
| | `targetRef` | *[PolicyTargetReference](https://gateway-api.sigs.k8s.io/geps/gep-713/#policy-targetref-api)* | Yes | TargetRef points to the kubernetes `Gateway` resource that will have this policy attached. This field is following the guidelines of Kubernetes Gateway API policy attachment. | |
There was a problem hiding this comment.
"This field is following the guidelines of Kubernetes Gateway API policy attachment." can be shortened to "Follows the guidelines of Kubernetes Gateway API policy attachment", but do we need this sentence if we already link to it in the hyperlink on PolicyTargetReference, or is this a different guideline? If it is a different guideline, we should hyperlink to it
| |--------------------|-----------------------------------------------------------------------------------------------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | ||
| | `targetRef` | *[PolicyTargetReference](https://gateway-api.sigs.k8s.io/geps/gep-713/#policy-targetref-api)* | Yes | TargetRef points to the kubernetes `Gateway` resource that will have this policy attached. This field is following the guidelines of Kubernetes Gateway API policy attachment. | | ||
| | `associateWithVpc` | *bool* | No | Indicates whether the targetRef Gateway is associated with the current k8s cluster VPC. By default, the Gateway API controller sets this to true if it's not defined in VpcAssociationPolicy. | | ||
| | `securityGroupIds` | *string[]* | No | Defines security groups applied to the gateway (ServiceNetworkVpcAssociation), it controls the inbound traffic from current cluster workloads to the gateway listeners. Please check the [VPC lattice doc](https://docs.aws.amazon.com/vpc-lattice/latest/ug/security-groups.html) for more detail of this field. | |
| * Policies must be attached to *Gateway* resource. | ||
| * The attached resource must exist in the same namespace as the policy resource. | ||
|
|
||
| The security Group will not take effect if: |
There was a problem hiding this comment.
security group (lowercase S, keep capitalization consistent)
| The security Group will not take effect if: | ||
|
|
||
| * The targetRef `Gateway` does not exist | ||
| * AssociateWithVpc field set to false |
There was a problem hiding this comment.
The associateWithVpc field is set to false
| **WARNING** | ||
|
|
||
| The VPC Lattice `UpdateServiceNetworkVpcAssociation` API cannot be used to remove all security groups. | ||
| That means, if you have a VpcAssociationPolicy attached to a gateway that already applied security groups, update the VPCAssociationPolicy with empty security group ids or delete the whole VPCAssociationPolicy will NOT remove the security groups from this gateway. |
There was a problem hiding this comment.
VpcAssociationPolicy should be capitalized consistently (there are a bunch of places here and below where it's written as VPCAssociationPolicy)
| **WARNING** | ||
|
|
||
| The VPC Lattice `UpdateServiceNetworkVpcAssociation` API cannot be used to remove all security groups. | ||
| That means, if you have a VpcAssociationPolicy attached to a gateway that already applied security groups, update the VPCAssociationPolicy with empty security group ids or delete the whole VPCAssociationPolicy will NOT remove the security groups from this gateway. |
There was a problem hiding this comment.
"That means" is redundant. Can replace sentence with "If you have a VpcAssociationPolicy attached to a gateway that already has security groups applied, updating the VpcAssociationPolicy with empty security group ids or deleting the VpcAssociationPolicy will NOT remove the security groups from the gateway."
| 1. Update the VPCAssociationPolicy by setting associateWithVpc to false and empty security group ids | ||
| 2. Update the VPCAssociationPolicy by setting associateWithVpc to true and empty security group ids | ||
|
|
||
| Be cautious to set AssociateWithVpc to false. It will disable traffic from the current cluster workloads to the gateway. |
There was a problem hiding this comment.
"Note: Setting associateWithVpc to false will disable traffic from the current cluster workloads to the gateway"
|
|
||
| ## Example Configuration | ||
|
|
||
| This example shows how to configure a Gateway with associateWithVpc set to true and apply security group sg-1234567890 and sg-0987654321 |
There was a problem hiding this comment.
Let's stay consistent with capitalization of words like "gateway". I see it always lowercase above.
Also, let's wrap fields as inline code (i.e. associateWithVpc).
xWink
left a comment
xWink
left a comment
There was a problem hiding this comment.
Few more changes and it'll be spotless :)
zijun726911
force-pushed
the
vpc_association_policy_doc
branch
from
84fddff to
5dee6a3
Compare
zijun726911
force-pushed
the
vpc_association_policy_doc
branch
from
5dee6a3 to
0fe3258
Compare
|
@xWink Thanks for your detailed comments! I think I should have addressed all of them, please review again when you have a time, thank you! |
|
|
||
| ### Fields of VpcAssociationPolicy | ||
|
|
||
| | Field Name | Type | | Required | Description | |
There was a problem hiding this comment.
Seems to be an extra | character here, breaking the table
|
|
||
| The security group will not take effect if: | ||
|
|
||
| * The targetRef `gateway` does not exist. |
There was a problem hiding this comment.
targetRef is the field that should be inline code, not gateway
|
|
||
| | Field Name | Type | Required | Description | | ||
| |--------------------|-----------------------------------------------------------------------------------------------|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | ||
| | `targetRef` | *[PolicyTargetReference](https://gateway-api.sigs.k8s.io/geps/gep-713/#policy-targetref-api)* | Yes | TargetRef points to the kubernetes `Gateway` resource that will have this policy attached. It follows the guidelines of Kubernetes Gateway API policy attachment | |
There was a problem hiding this comment.
This sentence could flow better like so:
Points to the Kubernetes Gateway resource that will have this policy attached, following the guidelines of [Kubernetes Gateway API policy attachment](link-to-guidelines).
xWink
left a comment
xWink
left a comment
There was a problem hiding this comment.
One more fix and a couple of nitpicks!
5 participants
What type of PR is this?
Which issue does this PR fix:
What does this PR do / Why do we need it:
If an issue # is not available please add repro steps and logs from aws-gateway-controller showing the issue:
Testing done on this change:
Automation added to e2e:
Will this PR introduce any new dependencies?:
Will this break upgrades or downgrades. Has updating a running cluster been tested?:
Does this PR introduce any user-facing change?:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.