-
Notifications
You must be signed in to change notification settings - Fork 4.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow using existing/shared Security Groups #5744
Conversation
f3914d8
to
8a404d8
Compare
What a huge thing... from going through it two times I'd say looks good, but second and third opinion YES PLEASE! /lgtm |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the PR works and lgtm technically, but I'd like to get some more ideas about how we structure this in the cluster spec.
just in case my excitement about getting this feature done wasn't apparent, I want this feature so bad and have been waiting for a long time. Let's get the details worked out and get it into 1.11 alpha
pkg/apis/kops/cluster.go
Outdated
// IdleTimeoutSeconds sets the timeout of the api loadbalancer. | ||
IdleTimeoutSeconds *int64 `json:"idleTimeoutSeconds,omitempty"` | ||
// SecurityGroup is the id of the security group to be use by the load balancer. | ||
SecurityGroup *string `json:"securityGroup,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I need to think about the representation of this data a bit- I think we need to figure out how to have one field in these structs for SG. I wish we hadn't called the field AdditionalSecurityGroups
to start with, but this is the hand we are dealt.
My suggestion is to have one field to manage all of the SG parameters that we'll end up needing. Below are just some thoughts that can definitely use some iteration/smart ideas. Please jump in and help us sort this out. any ideas @justinsb?
Would a data structure like this get us anything?
type SecurityGroupSpec struct {
AdoptDefaultSG bool`json:"adoptDefaultSG,true"`
AdditionalSecurityGroups []string `json:"additionalSecurityGroups,omitempty"`
}
// LoadBalancerAccessSpec provides configuration details related to API LoadBalancer and its access
type LoadBalancerAccessSpec struct {
// Type of load balancer to create may Public or Internal.
Type LoadBalancerType `json:"type,omitempty"`
// IdleTimeoutSeconds sets the timeout of the api loadbalancer.
IdleTimeoutSeconds *int64 `json:"idleTimeoutSeconds,omitempty"`
SecurityGroupSpec SecurityGroupSpec
// Deprecation in lieu of SecurirtGroupSPec to come. for now let's just copy the slice
AdditionalSecurityGroups []string `json:"additionalSecurityGroups,omitempty"`
// UseForInternalApi indicates wether the LB should be used by the kubelet
UseForInternalApi bool `json:"useForInternalApi,omitempty"`
// SSLCertificate allows you to specify the ACM cert to be used the the LB
SSLCertificate string `json:"sslCertificate,omitempty"`
}
Does that make life better, worse, or equivalent to a PR that's already done and works?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@geojaz as per the last Office Hour we decided to keep this as SecurityGroup
correct?
I think we decided to do either AdditonalSGs and SGOverride or
AdditionalSGs and SecurityGroups. I prefer having the verbosity in the key.
Justin was happy to do it either way as I remember, so pick what makes the
most sense to you and let's run with it!
…On Thu, Sep 27, 2018 at 10:27 AM Rodrigo Menezes ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In pkg/apis/kops/cluster.go
<#5744 (comment)>:
> @@ -311,11 +311,18 @@ const (
// LoadBalancerAccessSpec provides configuration details related to API LoadBalancer and its access
type LoadBalancerAccessSpec struct {
- Type LoadBalancerType `json:"type,omitempty"`
- IdleTimeoutSeconds *int64 `json:"idleTimeoutSeconds,omitempty"`
- AdditionalSecurityGroups []string `json:"additionalSecurityGroups,omitempty"`
- UseForInternalApi bool `json:"useForInternalApi,omitempty"`
- SSLCertificate string `json:"sslCertificate,omitempty"`
+ // Type of load balancer to create may Public or Internal.
+ Type LoadBalancerType `json:"type,omitempty"`
+ // IdleTimeoutSeconds sets the timeout of the api loadbalancer.
+ IdleTimeoutSeconds *int64 `json:"idleTimeoutSeconds,omitempty"`
+ // SecurityGroup is the id of the security group to be use by the load balancer.
+ SecurityGroup *string `json:"securityGroup,omitempty"`
@geojaz <https://github.com/geojaz> as per the last Office Hour we
decided to keep this as SecurityGroup correct?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#5744 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AJA3QHp0jPAXA_q1LXC_dhhXbh50n2Jmks5ufQqEgaJpZM4WYBcX>
.
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
3e6a9a5
to
c071fb9
Compare
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Verbosely log when a user overwrites LB or IG security groups Change SecurityGroup to SecurityGroupOverride Allow using existing/shared Security Groups Update tests
ece6266
to
a82f548
Compare
@geojaz SecurityGroupOverride it is! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One blocker I think - the cilium removal, but otherwise looks good to me - I'm going to do a pass with some of my "I wonder if this would be cleaner" thoughts, but we can do those in follow-on PRs if they work.
Lifecycle: b.Lifecycle, | ||
SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleNode), | ||
SourceGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleMaster), | ||
if len(groups) == 0 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure this is right - what if there was one node IG using the standard SG and another node IG using an override?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tackled in #5862
name := "masters." + b.ClusterName() | ||
baseGroup = &awstasks.SecurityGroup{ | ||
Name: s(name), | ||
Lifecycle: lifecycle, | ||
VPC: b.LinkToVPC(), | ||
Description: s("Security group for masters"), | ||
RemoveExtraRules: []string{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note to self: It's odd that RemoveExtraRules
are here but not in the override...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I convinced myself in #5862 that it doesn't make a ton of sense for a shared (unmanaged) security group...
# Security Groups | ||
|
||
## Use existing AWS Security Groups | ||
**Note: Use this at your own risk, when existing SGs are used Kops will NOT ensure they are properly configured.** |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I do hope we can relax this (ExistsAndWarnIfChanges should warn!), but we'll see :-)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, this already happens. The issue is that this displays a compressed object on the terminal and unless you are looking for it, it can be easy to miss. Hence the note here, however I'm fine with removing the note as well.
sgLink = &awstasks.SecurityGroup{ | ||
Name: lbSpec.SecurityGroupOverride, | ||
ID: lbSpec.SecurityGroupOverride, | ||
Shared: fi.Bool(true), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would have thought it should suffice to build it using LinkToELBSecurityGroup, but just create it with a specified ID
and Shared=true
. I'll take a look though...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tackled in #5863
lbSG.Tags = b.CloudTags(*lbSG.Name, false) | ||
|
||
if lbSpec.SecurityGroupOverride != nil { | ||
lbSG.Name = fi.String(*lbSpec.SecurityGroupOverride) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah maybe this is it, because the name is significant after all
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tackled in #5863
@@ -208,19 +229,28 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error { | |||
} | |||
} | |||
|
|||
masterGroups, err := b.GetSecurityGroups(kops.InstanceGroupRoleMaster) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm wondering if we should make GetSecurityGroups return a richer data structure, like
type SecurityGroupMapping struct {
ID string
Suffix string
Groups []*InstanceGroup
}
func GetSecurityGroups() ([]SecurityGroupMapping, error) ...
Again ... thoughts for future refactoring though :-)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tackled in #5862
FromPort: i64(443), | ||
ToPort: i64(443), | ||
CIDR: s(apiAccess), | ||
for masterGroupName, masterGroup := range masterGroups { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note to self for future refactoring - I'm wondering if we could have a helper function that did a security-group for each group, instead of doing a loop every time
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was not really any clearer, because we have to map the group into SecurityGroup or Source. It might be a little simpler, but not a huge win
t := &awstasks.SecurityGroupRule{ | ||
Name: s(fmt.Sprintf("all-nodes-to-master%s", suffix)), | ||
Lifecycle: b.Lifecycle, | ||
SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleMaster), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we need to expand out the groups here. We can do that as a follow-on, I think
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tackled in #5862
Looking good! I have a follow-on for some of the edge-cases here (mixing security groups in a role, mixing override and default in a role) but I'll send a separate PR for those! /approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: chrisz100, justinsb, rdrgmnzs The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Thanks @justinsb , @chrislovecnm and @rdrgmnzs for the feature - what is the milestone release version for this feature ? |
This PR implements the ability to use an existing Security Groups for Instance Groups and Load Balancer on AWS.
This PR pulls in most of the work in #3562 #3595 #3625 while fixing a few issues. Credit for those goes to @justinsb and @chrislovecnm.
/assign @justinsb @geojaz @mikesplain