Refine LoadBalancer service access control and consolidating security-rules

[zarvd]

What type of PR is this?

/cleanup

What this PR does / why we need it:

Purpose: create as few security rules as possible. (detail in #4713)
This PR has a ton of changes because we’ve completely changed the pattern for security rules.

Some screenshots:

Without allow list

apiVersion: v1
kind: Service
metadata:
  name: foo
spec:
  type: LoadBalancer
  ipFamilyPolicy: PreferDualStack
  selector:
    app: foo
  ports:
    - name: port1
      protocol: TCP
      port: 30102
      targetPort: 30102
    - name: port2
      protocol: UDP
      port: 30102
      targetPort: 30102
    - name: port3
      protocol: TCP
      port: 30103
      targetPort: 30103

IPv4

IPv4 and IPv6

With additional public IPs

apiVersion: v1
kind: Service
metadata:
  name: foo
  annotations:
    service.beta.kubernetes.io/azure-additional-public-ips: "10.0.0.1,10.0.0.2"
spec:
  type: LoadBalancer
  ipFamilyPolicy: PreferDualStack
  selector:
    app: foo
  ports:
    - name: port1
      protocol: TCP
      port: 30102
      targetPort: 30102
    - name: port2
      protocol: UDP
      port: 30102
      targetPort: 30102
    - name: port3
      protocol: TCP
      port: 30103
      targetPort: 30103

Disable floating IP

apiVersion: v1
kind: Service
metadata:
  name: foo
  annotations:
    service.beta.kubernetes.io/azure-disable-load-balancer-floating-ip: "true"
spec:
  type: LoadBalancer
  ipFamilyPolicy: PreferDualStack
  selector:
    app: foo
  ports:
    - name: port1
      protocol: TCP
      port: 30102
      targetPort: 30102
    - name: port2
      protocol: UDP
      port: 30102
      targetPort: 30102
    - name: port3
      protocol: TCP
      port: 30103
      targetPort: 30103

NOTE: use backend pool nodes IPs as the destination addresses

With allow list

apiVersion: v1
kind: Service
metadata:
  name: foo
  annotations:
    service.beta.kubernetes.io/azure-allowed-service-tags: "AzureCloud,AzureDatabricks"
    service.beta.kubernetes.io/azure-allowed-ip-ranges: "10.10.10.10/32,10.10.10.11/32,2001:1234::/64"
spec:
  type: LoadBalancer
  ipFamilyPolicy: PreferDualStack
  selector:
    app: foo
  ports:
    - name: port1
      protocol: TCP
      port: 30102
      targetPort: 30102
    - name: port2
      protocol: UDP
      port: 30102
      targetPort: 30102
    - name: port3
      protocol: TCP
      port: 30103
      targetPort: 30103

Which issue(s) this PR fixes:

Fixes #4713
Fixes #4919

Special notes for your reviewer:

I’ve rewritten the logic that handles the configuration, but it should still behave the same way:

• service.beta.kubernetes.io/azure-allowed-ip-ranges
• service.beta.kubernetes.io/azure-allowed-service-tags
• service.beta.kubernetes.io/azure-disable-load-balancer-floating-ip
• service.beta.kubernetes.io/azure-additional-public-ips
• and spec spec.LoadBalancerSourceRanges

The annotations would be deprecated after this change:

• service.beta.kubernetes.io/azure-shared-securityrule now all the rules would be as shared.

code review guidance
This PR is pretty big, so I’ll break it down here to make it less of a headache. Sorry in advance!

• Essentially, the logic for access control and security groups is in ./pkg/provider/loadbalancer/... Being stateless, it doesn’t involve any outgoing HTTP or similar requests, nor does it use memory cache or global variables.
• The SecurityGroup put operation would still be in ./pkg/provider/azure_loadbalancer.go#reconcileSecurityGroup
• The unit tests have been rewritten, you can find them in ./pkg/provider/azure_loadbalancer_accesscontrol_test.go

The E2E tests aren’t finished yet (they still need some refactoring), but you can already start reviewing.

Does this PR introduce a user-facing change?

Refine consolidating security-rules for LoadBalancer service.
Deprecate service annotation `service.beta.kubernetes.io/azure-shared-securityrule`.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

[k8s-ci-robot]

Hi @lodrem. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[nilo19]

/kind feature

[nilo19]

/ok-to-test

[nilo19]

The IPV6 address in the last example does not appear in the source column of the screenshot. Is it expected?

[zarvd]

The IPV6 address in the last example does not appear in the source column of the screenshot. Is it expected?

Yes because that cluster didn't enable IPv6.

If dual stack enabled, you would see something like:

[feiskyer]

any tests when ILB services are annotated with allowded CIRDs and service tags?

[zarvd]

Good catch. Added a few more tests for ILB. They should cover its code path.

[feiskyer]

Thank you for the excellent refactoring. The code is much clearer now. The changes LGTM in general, just added a few comments.

[feiskyer]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: feiskyer, lodrem

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [feiskyer]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[lzhecheng]

/lgtm

[phealy]

Looks amazing - thank you for all the hard work and reviews, @lodrem , @nilo19 , @feiskyer, @lzhecheng, and anyone else I missed!