AWS security group (not created by kubernetes) deleted when deleting ELB #62204
Comments
@kubernetes/sig-aws-bugs
@pmahoney-raise: Reiterating the mentions to trigger a notification. In response to this:
I have also experienced this same issue. Luckily, we have a very strict IAM policy for k8s in AWS and did not give the controller access to delete the `extra-security-group` we specified in the annotation. There also seems to be no try/catch around deleting security groups when deleting ELBs. The flow looks like the following:
In this scenario the security group that is created by k8s for this ELB does not get deleted and is left behind. Here are some relevant logs:
I believe the solution should be to only have k8s try to delete security groups that it has ownership tags for.
Another solution could be, while assembling the list of security groups to "delete", to subtract the set from the annotation `aws-load-balancer-extra-security-groups`.
A "workaround" for this issue is to add the SG as a source in the nodes' SG.
I'm hitting the same issue on this one and it's causing cluster networking issues: Kubernetes deletes a shared SG, which breaks my API access. I have added the shared ownership tag to the security group but it is still removed. Any ideas?
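As an added illustration of the two proposals above (only delete groups carrying the cluster's ownership tag, and subtract the annotation's set from the deletion list), here is a small Go program. It is example code written for this thread, not the Kubernetes AWS cloud provider's own implementation. The `SecurityGroup` type and the sample groups are constructed for the example; the annotation key is the one named in the issue, and the tag convention assumed is the standard `kubernetes.io/cluster/<cluster-id>` tag with value `owned` or `shared`.

```go
package main

import (
	"fmt"
	"strings"
)

// SecurityGroup is a minimal stand-in for an AWS security group: its ID and tags.
// Constructed for this example; it is not the cloud provider's own type.
type SecurityGroup struct {
	ID   string
	Tags map[string]string
}

// ExtraSGAnnotation is the annotation discussed in the issue. Its value is a
// comma-separated list of security group IDs that the cluster does not own.
const ExtraSGAnnotation = "service.beta.kubernetes.io/aws-load-balancer-extra-security-groups"

// ClusterTagPrefix is the cluster ownership tag prefix assumed here; a value of
// "owned" means the cluster created the resource, "shared" means it only uses it.
const ClusterTagPrefix = "kubernetes.io/cluster/"

// ParseExtraSecurityGroups turns the annotation value into a set of IDs,
// tolerating surrounding whitespace and empty entries.
func ParseExtraSecurityGroups(value string) map[string]struct{} {
	set := make(map[string]struct{})
	for _, id := range strings.Split(value, ",") {
		if id = strings.TrimSpace(id); id != "" {
			set[id] = struct{}{}
		}
	}
	return set
}

// OwnedByCluster reports whether sg carries kubernetes.io/cluster/<clusterID>=owned.
// A "shared" value, or no tag at all, means the controller must not delete it.
func OwnedByCluster(sg SecurityGroup, clusterID string) bool {
	return sg.Tags[ClusterTagPrefix+clusterID] == "owned"
}

// SecurityGroupsToDelete returns the IDs of the groups attached to the ELB that the
// controller may delete: groups this cluster owns, minus anything listed in the
// extra-security-groups annotation (excluded even if it happens to be tagged owned).
func SecurityGroupsToDelete(attached []SecurityGroup, clusterID string, annotations map[string]string) []string {
	extra := ParseExtraSecurityGroups(annotations[ExtraSGAnnotation])
	out := []string{}
	for _, sg := range attached {
		if _, isExtra := extra[sg.ID]; isExtra {
			continue // user-supplied group: managed outside Kubernetes
		}
		if !OwnedByCluster(sg, clusterID) {
			continue // untagged or shared: not ours to delete
		}
		out = append(out, sg.ID)
	}
	return out
}

func main() {
	// Constructed sample: the ELB has three groups attached.
	attached := []SecurityGroup{
		{ID: "sg-k8s0001", Tags: map[string]string{ClusterTagPrefix + "demo": "owned"}},
		{ID: "sg-extra01", Tags: map[string]string{}},
		{ID: "sg-shared1", Tags: map[string]string{ClusterTagPrefix + "demo": "shared"}},
	}
	annotations := map[string]string{ExtraSGAnnotation: "sg-extra01"}
	fmt.Println(SecurityGroupsToDelete(attached, "demo", annotations))
}
```

Applied to the scenario in the issue, the untagged extra group and the "shared" group both survive deletion of the Service; only the group the controller created for the ELB is removed. Either check alone would have been enough for the reporter's case, but keeping both means a group that was later tagged "owned" by mistake is still protected by its presence in the annotation.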
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/remove-lifecycle stale
This issue is affecting me as well.
Is this a BUG REPORT or FEATURE REQUEST?:
/kind bug
What happened:
I have a Kubernetes (v1.7) in AWS. I created a Service of type `LoadBalancer` and used the annotation `service.beta.kubernetes.io/aws-load-balancer-extra-security-groups` to apply an extra security group to the ELB that gets created. The extra security group was created outside of Kubernetes, with the expectation that it is not owned by Kubernetes and will be managed independently.
I deleted the Service resource. Kubernetes then deleted the ELB and my extra security group.
What you expected to happen:
I expect my extra security group to not be deleted.
How to reproduce it (as minimally and precisely as possible):
In AWS, create a security group that is otherwise unused. In Kubernetes, create a Service of type `LoadBalancer`, including the annotation `service.beta.kubernetes.io/aws-load-balancer-extra-security-group` with the previously created security group. Watch an ELB be created with that security group. Delete the Service from Kubernetes. Watch the ELB be deleted (as expected) and the security group be deleted (unexpected).
Anything else we need to know?:
It seems a workaround may be to ensure the security group is in use by at least one other resource within AWS so that the deletion attempt will fail with a DependencyViolation. The deletion process will eventually time out, if I understand the code correctly.
I've linked to v1.7.16, though I don't see any additional behavior on master, so I believe the bug is there as well.
Environment:
`kubectl version`): v1.7.16