AWS security group (not created by kubernetes) deleted when deleting ELB #62204

Closed
@pmahoney-raise

Is this a BUG REPORT or FEATURE REQUEST?:

/kind bug

What happened:

I have a Kubernetes (v1.7) cluster in AWS. I created a Service of type LoadBalancer and used the annotation service.beta.kubernetes.io/aws-load-balancer-extra-security-groups to apply an extra security group to the ELB that gets created.

The extra security group was created outside of Kubernetes, with the expectation that it is not owned by Kubernetes and will be managed independently.

I deleted the Service resource. Kubernetes then deleted the ELB and my extra security group.

What you expected to happen:

I expect my extra security group to not be deleted.

How to reproduce it (as minimally and precisely as possible):

In AWS, create a security group that is otherwise unused. In Kubernetes, create a Service of type LoadBalancer, and include the annotation service.beta.kubernetes.io/aws-load-balancer-extra-security-groups with the previously created security group. Watch an ELB be created with that security group. Delete the Service from Kubernetes. Watch the ELB be deleted (as expected) and the security group be deleted (unexpected).

Anything else we need to know?:

It seems a workaround may be to ensure the security group is in use by at least one other resource within AWS so that the deletion attempt will fail with a DependencyViolation. The deletion process will eventually time out, if I understand the code correctly.

I've linked to v1.7.16, though I don't see any additional behavior on master, so I believe the bug is there as well.

Environment:

  • Kubernetes version (use kubectl version): v1.7.16
  • Cloud provider or hardware configuration: AWS
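
An added example, not part of the original issue or the Kubernetes code base: a Python audit that lists security groups named in the annotation which nothing other than an ELB network interface is using, which is the case where the workaround described above is not in place. The sample Services and network interfaces are constructed, and treating an ENI whose description starts with `ELB ` as load-balancer-owned is an assumption; references from other security groups' rules are not checked.

```python
import json

ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-extra-security-groups"

# Constructed sample data (not from the issue), shaped like the "items" of
# `kubectl get svc -A -o json`, trimmed to the fields used here.
SERVICES = [
    {"metadata": {"namespace": "default", "name": "web",
                  "annotations": {ANNOTATION: "sg-0aaa1111, sg-0bbb2222"}},
     "spec": {"type": "LoadBalancer"}},
    {"metadata": {"namespace": "default", "name": "api",
                  "annotations": {ANNOTATION: "sg-0ccc3333"}},
     "spec": {"type": "ClusterIP"}},  # not a LoadBalancer: annotation has no effect
]
# Constructed sample shaped like "NetworkInterfaces" from
# `aws ec2 describe-network-interfaces`.
ENIS = [
    {"Description": "ELB a1b2c3", "Groups": [{"GroupId": "sg-0aaa1111"},
                                             {"GroupId": "sg-0bbb2222"}]},
    {"Description": "bastion host", "Groups": [{"GroupId": "sg-0bbb2222"}]},
]

def extra_groups(service):
    """Security group IDs a LoadBalancer Service attaches through the annotation."""
    if service.get("spec", {}).get("type") != "LoadBalancer":
        return []
    annotations = service.get("metadata", {}).get("annotations") or {}
    return [g.strip() for g in annotations.get(ANNOTATION, "").split(",") if g.strip()]

def at_risk(services, enis):
    """Map each extra group that no non-ELB interface uses to the Services naming it."""
    held = set()
    for eni in enis:
        if eni.get("Description", "").startswith("ELB "):
            continue  # assumed ELB-owned: goes away together with the load balancer
        held.update(g["GroupId"] for g in eni.get("Groups", []))
    report = {}
    for svc in services:
        name = f'{svc["metadata"]["namespace"]}/{svc["metadata"]["name"]}'
        for sg in extra_groups(svc):
            if sg not in held:  # nothing else would block the group's deletion
                report.setdefault(sg, []).append(name)
    return report

if __name__ == "__main__":
    print(json.dumps(at_risk(SERVICES, ENIS), indent=2))
```

The check is conservative: a group shared by two Services is still reported, because only interfaces outside any ELB count as holding it.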
