
refactor securityGroup handling to reuse existing securityGroup on worker nodes #1019

Merged
merged 1 commit into from Sep 12, 2019

Conversation

M00nF1sh
Collaborator

@M00nF1sh M00nF1sh commented Sep 11, 2019

  1. PR to make migration to Ingress Group Feature Testing #914 happen :D
  2. solves Only 5 SGs per ENI allowed #682
  3. solves Deletion of ALB in shared subnets fails #986
  4. cleaner code for instance SG management
  5. adding kubenet ip mode support should be pretty ez (will do it in a follow-up PR)

The SecurityGroup management in ALB Ingress controller depends on whether external SecurityGroups
are provided via the annotation alb.ingress.kubernetes.io/security-groups.

  • external SecurityGroups specified:
    1. the externally specified SecurityGroups will be applied to the LoadBalancer.
    2. no changes will be made to worker node SecurityGroups; customers need to grant inbound permission
       from these external SecurityGroups to the worker node SecurityGroups.
  • external SecurityGroups unspecified:
    1. the controller will automatically create a SecurityGroup, which will be applied to the LoadBalancer.
    2. the controller will modify the SecurityGroup on worker nodes to allow inbound traffic from the LB SecurityGroup.
       • under instance targeting mode:
         1. the controller will modify the SecurityGroup on the primary ENI of all worker nodes to allow traffic from the LB SecurityGroup.
       • under ip targeting mode with amazon-vpc-cni-k8s:
         1. the controller will modify the SecurityGroup on the ENIs that support these pod IPs.

    How the SecurityGroup on an ENI is identified follows the process described below:
    1. if there is only a single SecurityGroup on the ENI, that SecurityGroup will be chosen.
    2. if there are multiple SecurityGroups on the ENI, the single SecurityGroup with the tag kubernetes.io/cluster/<cluster-name> will be chosen.
    3. otherwise, an error will be raised.

    NOTE: older versions will try to create a standalone SecurityGroup which allows traffic from the LB SecurityGroup and attach it to the worker nodes' ENIs.
    This behavior is changed to the above because of the lack of scalability caused by the AWS limit on the number of SecurityGroups allowed per ENI.
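The ENI security-group selection rules from the description above, written out as an added Go example. This is not the controller's own code: the SecurityGroup and ENI structs and the functions chooseENISecurityGroup and securityGroupsToModify are constructed here for illustration, and the sample ENIs in main are made up. The only value taken from the description is the tag key kubernetes.io/cluster/<cluster-name>. The example also covers the ip-targeting case, where several ENIs resolve to groups that must be de-duplicated before the inbound rule from the LB SecurityGroup is reconciled.

```go
package main

import (
	"fmt"
	"sort"
)

// SecurityGroup is a minimal model of an EC2 security group attached to an ENI:
// its ID and its tags. Constructed for this example, not the controller's type.
type SecurityGroup struct {
	ID   string
	Tags map[string]string
}

// ENI is a minimal model of an elastic network interface and its attached groups.
type ENI struct {
	ID             string
	SecurityGroups []SecurityGroup
}

// clusterTagKey returns the tag key that marks the cluster-owned worker-node
// security group when an ENI carries several groups.
func clusterTagKey(clusterName string) string {
	return "kubernetes.io/cluster/" + clusterName
}

// chooseENISecurityGroup applies the selection rules from the PR description:
//  1. exactly one SG on the ENI: choose it;
//  2. several SGs: choose the single one tagged kubernetes.io/cluster/<cluster-name>;
//  3. otherwise fail (no SGs, no tagged SG, or more than one tagged SG).
// Refusing on ambiguity matters: opening a rule on the wrong group would grant
// the load balancer access to something that was never meant to receive it.
func chooseENISecurityGroup(clusterName string, eni ENI) (string, error) {
	switch len(eni.SecurityGroups) {
	case 0:
		return "", fmt.Errorf("eni %s: no security group attached", eni.ID)
	case 1:
		return eni.SecurityGroups[0].ID, nil
	}
	tagKey := clusterTagKey(clusterName)
	var tagged []string
	for _, sg := range eni.SecurityGroups {
		if _, ok := sg.Tags[tagKey]; ok {
			tagged = append(tagged, sg.ID)
		}
	}
	switch len(tagged) {
	case 1:
		return tagged[0], nil
	case 0:
		return "", fmt.Errorf("eni %s: %d security groups attached but none tagged %q",
			eni.ID, len(eni.SecurityGroups), tagKey)
	default:
		return "", fmt.Errorf("eni %s: %d security groups tagged %q, expected exactly one",
			eni.ID, len(tagged), tagKey)
	}
}

// securityGroupsToModify resolves one SG per ENI and de-duplicates the result, so a
// group shared by many worker ENIs is reconciled once. Any ENI that cannot be
// resolved fails the whole operation instead of silently leaving a backend unreachable.
func securityGroupsToModify(clusterName string, enis []ENI) ([]string, error) {
	seen := map[string]bool{}
	var out []string
	for _, eni := range enis {
		id, err := chooseENISecurityGroup(clusterName, eni)
		if err != nil {
			return nil, err
		}
		if !seen[id] {
			seen[id] = true
			out = append(out, id)
		}
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	// Constructed sample ENIs, not real AWS data: one node with a single SG and
	// one with two SGs, only one of which carries the cluster tag.
	enis := []ENI{
		{ID: "eni-a", SecurityGroups: []SecurityGroup{{ID: "sg-node"}}},
		{ID: "eni-b", SecurityGroups: []SecurityGroup{
			{ID: "sg-other", Tags: map[string]string{"Name": "bastion"}},
			{ID: "sg-node", Tags: map[string]string{"kubernetes.io/cluster/demo": "owned"}},
		}},
	}
	ids, err := securityGroupsToModify("demo", enis)
	fmt.Println(ids, err)
}
```

The de-duplication step is what keeps the approach within the per-ENI security-group limit the description mentions: the controller modifies groups the nodes already have instead of attaching a new one, so the number of groups per ENI never grows.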

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Sep 11, 2019
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: M00nF1sh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 11, 2019
@M00nF1sh M00nF1sh changed the title refactor securityGroup handling to reuse existing securityGroup on worker nodes [WIP]refactor securityGroup handling to reuse existing securityGroup on worker nodes Sep 11, 2019
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 11, 2019
@M00nF1sh M00nF1sh changed the title [WIP]refactor securityGroup handling to reuse existing securityGroup on worker nodes refactor securityGroup handling to reuse existing securityGroup on worker nodes Sep 12, 2019
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 12, 2019
@leakingtapan

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 12, 2019
@k8s-ci-robot k8s-ci-robot merged commit 4bba2f2 into kubernetes-sigs:master Sep 12, 2019