Description
Is this a BUG REPORT or FEATURE REQUEST?:
/kind bug
What happened:
I have a Kubernetes (v1.7) in AWS. I created a Service of type LoadBalancer and used the annotation service.beta.kubernetes.io/aws-load-balancer-extra-security-groups to apply an extra security group to the ELB that gets created.
The extra security group was created outside of Kubernetes, with the expectation that it is not owned by Kubernetes and will be managed independently.
I deleted the Service resource. Kubernetes then deleted the ELB and my extra security group.
What you expected to happen:
I expect my extra security group to not be deleted.
How to reproduce it (as minimally and precisely as possible):
In AWS, create a security group that is otherwise unused. In Kubernetes, create a Service of type LoadBalancer, include the annotation service.beta.kubernetes.io/aws-load-balancer-extra-security-groups with the previously created security group. Watch an ELB be created with that security group. Delete the Service from Kubernetes. Watch the ELB be deleted (as expected) and the security group be deleted (unexpected).
Anything else we need to know?:
It seems a workaround may be to ensure the security group is in use by at least one other resource within AWS so that the deletion attempt will fail with a DependencyViolation. The deletion process will eventually time out, if I understand the code correctly.
I've linked to v1.7.16, though I don't see any additional behavior on master, so I believe the bug is there as well.
Environment:
- Kubernetes version (use kubectl version): v1.7.16
- Cloud provider or hardware configuration: AWS
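A pre-delete check for the behaviour reported above, as an added example that is not part of the original report or of Kubernetes: it lists which security groups named in the annotation are attached to no network interface other than the ELB's own, and so have nothing that would make their deletion fail. Assumptions: the annotation value is a comma-separated list of group IDs, the ELB's interfaces carry the description "ELB <name>", the input is the parsed NetworkInterfaces list from `aws ec2 describe-network-interfaces`, and all sample IDs are constructed.

```python
ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-extra-security-groups"


def extra_security_groups(service):
    """Return the security group IDs named in the Service annotation."""
    annotations = service.get("metadata", {}).get("annotations", {})
    raw = annotations.get(ANNOTATION, "")
    # Assumption: the value is a comma-separated list of group IDs.
    return [sg.strip() for sg in raw.split(",") if sg.strip()]


def groups_at_risk(service, network_interfaces, elb_name):
    """Extra groups attached to no network interface except the ELB's own.

    Only interface attachments are checked; references to the group from
    other security groups' rules are not considered here.
    """
    elb_description = "ELB " + elb_name  # assumption: ELB interface description
    at_risk = []
    for sg in extra_security_groups(service):
        other_users = [
            eni["NetworkInterfaceId"]
            for eni in network_interfaces
            if eni.get("Description") != elb_description
            and any(g["GroupId"] == sg for g in eni.get("Groups", []))
        ]
        if not other_users:
            at_risk.append(sg)
    return at_risk


# Constructed sample data: one Service and two network interfaces.
SERVICE = {
    "kind": "Service",
    "metadata": {
        "name": "web",
        "annotations": {ANNOTATION: "sg-0aaa1111, sg-0bbb2222"},
    },
    "spec": {"type": "LoadBalancer"},
}
ENIS = [
    {"NetworkInterfaceId": "eni-elb1", "Description": "ELB a1b2c3example",
     "Groups": [{"GroupId": "sg-0aaa1111"}, {"GroupId": "sg-0bbb2222"}]},
    {"NetworkInterfaceId": "eni-app1", "Description": "app instance",
     "Groups": [{"GroupId": "sg-0bbb2222"}]},
]

if __name__ == "__main__":
    print(groups_at_risk(SERVICE, ENIS, "a1b2c3example"))
```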