Allow using existing/shared Security Groups

[rdrgmnzs]

This PR implements the ability to use an existing Security Groups for Instance Groups and Load Balancer on AWS.

This PR pulls in most of the work in #3562 #3595 #3625 while fixing a few issues. Credit for those goes to @justinsb and @chrislovecnm.

/assign @justinsb @geojaz @mikesplain

[chrisz100]

What a huge thing... from going through it two times I'd say looks good, but second and third opinion YES PLEASE!
Thanks @rdrgmnzs !

/lgtm

[geojaz]

the PR works and lgtm technically, but I'd like to get some more ideas about how we structure this in the cluster spec.

just in case my excitement about getting this feature done wasn't apparent, I want this feature so bad and have been waiting for a long time. Let's get the details worked out and get it into 1.11 alpha

[geojaz]

I need to think about the representation of this data a bit- I think we need to figure out how to have one field in these structs for SG. I wish we hadn't called the field AdditionalSecurityGroups to start with, but this is the hand we are dealt.

My suggestion is to have one field to manage all of the SG parameters that we'll end up needing. Below are just some thoughts that can definitely use some iteration/smart ideas. Please jump in and help us sort this out. any ideas @justinsb?

Would a data structure like this get us anything?

type SecurityGroupSpec struct {
	AdoptDefaultSG bool`json:"adoptDefaultSG,true"`
	AdditionalSecurityGroups []string `json:"additionalSecurityGroups,omitempty"`
}

// LoadBalancerAccessSpec provides configuration details related to API LoadBalancer and its access
type LoadBalancerAccessSpec struct {
	// Type of load balancer to create may Public or Internal.
	Type LoadBalancerType `json:"type,omitempty"`
	// IdleTimeoutSeconds sets the timeout of the api loadbalancer.
	IdleTimeoutSeconds *int64 `json:"idleTimeoutSeconds,omitempty"`
	SecurityGroupSpec SecurityGroupSpec 
        // Deprecation in lieu of SecurirtGroupSPec to come. for now let's just copy the slice
        AdditionalSecurityGroups []string `json:"additionalSecurityGroups,omitempty"`
	// UseForInternalApi indicates wether the LB should be used by the kubelet
	UseForInternalApi bool `json:"useForInternalApi,omitempty"`
	// SSLCertificate allows you to specify the ACM cert to be used the the LB
	SSLCertificate string `json:"sslCertificate,omitempty"`
}

Does that make life better, worse, or equivalent to a PR that's already done and works?

[rdrgmnzs]

@geojaz as per the last Office Hour we decided to keep this as SecurityGroup correct?

[geojaz]

I think we decided to do either AdditonalSGs and SGOverride or AdditionalSGs and SecurityGroups. I prefer having the verbosity in the key. Justin was happy to do it either way as I remember, so pick what makes the most sense to you and let's run with it!

…

On Thu, Sep 27, 2018 at 10:27 AM Rodrigo Menezes ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In pkg/apis/kops/cluster.go <#5744 (comment)>: > @@ -311,11 +311,18 @@ const ( // LoadBalancerAccessSpec provides configuration details related to API LoadBalancer and its access type LoadBalancerAccessSpec struct { - Type LoadBalancerType `json:"type,omitempty"` - IdleTimeoutSeconds *int64 `json:"idleTimeoutSeconds,omitempty"` - AdditionalSecurityGroups []string `json:"additionalSecurityGroups,omitempty"` - UseForInternalApi bool `json:"useForInternalApi,omitempty"` - SSLCertificate string `json:"sslCertificate,omitempty"` + // Type of load balancer to create may Public or Internal. + Type LoadBalancerType `json:"type,omitempty"` + // IdleTimeoutSeconds sets the timeout of the api loadbalancer. + IdleTimeoutSeconds *int64 `json:"idleTimeoutSeconds,omitempty"` + // SecurityGroup is the id of the security group to be use by the load balancer. + SecurityGroup *string `json:"securityGroup,omitempty"` @geojaz <https://github.com/geojaz> as per the last Office Hour we decided to keep this as SecurityGroup correct? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#5744 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AJA3QHp0jPAXA_q1LXC_dhhXbh50n2Jmks5ufQqEgaJpZM4WYBcX> .

[k8s-ci-robot]

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.

---

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If you signed the CLA as a corporation, please sign in with your organization's credentials at https://identity.linuxfoundation.org/projects/cncf to be authorized.
• If you have done the above and are still having issues with the CLA being reported as unsigned, please email the CNCF helpdesk: helpdesk@rt.linuxfoundation.org

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[k8s-ci-robot]

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.

---

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If you signed the CLA as a corporation, please sign in with your organization's credentials at https://identity.linuxfoundation.org/projects/cncf to be authorized.
• If you have done the above and are still having issues with the CLA being reported as unsigned, please email the CNCF helpdesk: helpdesk@rt.linuxfoundation.org

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[rdrgmnzs]

@geojaz SecurityGroupOverride it is!

[justinsb]

One blocker I think - the cilium removal, but otherwise looks good to me - I'm going to do a pass with some of my "I wonder if this would be cleaner" thoughts, but we can do those in follow-on PRs if they work.

[justinsb]

I'm not sure this is right - what if there was one node IG using the standard SG and another node IG using an override?

[justinsb]

Tackled in #5862

[justinsb]

Note to self: It's odd that RemoveExtraRules are here but not in the override...

[justinsb]

I think I convinced myself in #5862 that it doesn't make a ton of sense for a shared (unmanaged) security group...

[justinsb]

I do hope we can relax this (ExistsAndWarnIfChanges should warn!), but we'll see :-)

[rdrgmnzs]

Yep, this already happens. The issue is that this displays a compressed object on the terminal and unless you are looking for it, it can be easy to miss. Hence the note here, however I'm fine with removing the note as well.

[justinsb]

I would have thought it should suffice to build it using LinkToELBSecurityGroup, but just create it with a specified ID and Shared=true. I'll take a look though...

[justinsb]

Tackled in #5863

[justinsb]

Ah maybe this is it, because the name is significant after all

[justinsb]

Tackled in #5863

[justinsb]

I'm wondering if we should make GetSecurityGroups return a richer data structure, like

type SecurityGroupMapping struct {
ID string
Suffix string
Groups []*InstanceGroup
}

func GetSecurityGroups() ([]SecurityGroupMapping, error) ...

Again ... thoughts for future refactoring though :-)

[justinsb]

Tackled in #5862

[justinsb]

Note to self for future refactoring - I'm wondering if we could have a helper function that did a security-group for each group, instead of doing a loop every time

[justinsb]

This was not really any clearer, because we have to map the group into SecurityGroup or Source. It might be a little simpler, but not a huge win

[justinsb]

I think we need to expand out the groups here. We can do that as a follow-on, I think

[justinsb]

Tackled in #5862

[justinsb]

Looking good! I have a follow-on for some of the edge-cases here (mixing security groups in a role, mixing override and default in a role) but I'll send a separate PR for those!

/approve
/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: chrisz100, justinsb, rdrgmnzs

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [justinsb]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[machbio]

Thanks @justinsb , @chrislovecnm and @rdrgmnzs for the feature - what is the milestone release version for this feature ?