AWS NLB service doesn't remove Security Group rules on delete #57568

Closed
micahhausler opened this issue Dec 22, 2017 · 0 comments · Fixed by #57569
Labels
kind/bug Categorizes issue or PR as related to a bug.

micahhausler commented Dec 22, 2017

Is this a BUG REPORT or FEATURE REQUEST?:

/kind bug
/sig aws

What happened:

Created a service with k8s v1.9.0 and NLB annotation, then deleted it. The security group rules created for the NLB didn't get deleted.

What you expected to happen:

The Security group rules for NLB should have been removed. The kubernetes-controller-manager emitted this log:

```
W1222 20:42:15.153263       5 aws.go:2818] Error revoking security group ingress: "InvalidParameterValue: missing mandatory parameter: exactly one of remote-security-group, remote-ip-range, remote-ipv6-range, or prefix-list-id must be present\n\tstatus code: 400, request id: 65413c4f-b534-4b35-b70c-66b2169be1d4"
```

How to reproduce it (as minimally and precisely as possible):

With a K8s 1.9 cluster, grant k8s 1.9 additional permissions (until kubernetes/kops#4095 lands in a kops release):

```shell
kops create cluster \
    --name example.cluster.k8s.local \
    --zones us-west-2a,us-west-2b,us-west-2c \
    --kubernetes-version https://storage.googleapis.com/kubernetes-release/release/v1.9.0/ \
    --yes

cat << EOF > nlb-iam-permissions.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "kopsK8sNLBMasterPermsRestrictive",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVpcs",
                "elasticloadbalancing:AddTags",
                "elasticloadbalancing:CreateListener",
                "elasticloadbalancing:CreateTargetGroup",
                "elasticloadbalancing:DeleteListener",
                "elasticloadbalancing:DeleteTargetGroup",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:ModifyTargetGroup",
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
EOF
aws iam put-role-policy \
    --role-name masters.example.cluster.k8s.local \
    --policy-name masters19.example.cluster.k8s.local \
    --policy-document file://nlb-iam-permissions.json
```

Create a service:

```yaml
# service.yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx
  namespace: default
  labels:
    app: nginx
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
spec:
  externalTrafficPolicy: Local
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  type: LoadBalancer
```

```shell
# Save the manifest above as service.yaml before applying it
kubectl run nginx --image=nginx --port=80 --labels app=nginx
kubectl apply -f service.yaml

# Ensure the NLB works
sleep 360
NLB_ADDRESS=$(kubectl get svc nginx -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
curl http://$NLB_ADDRESS
kubectl logs -l app=nginx

# Delete the NLB
kubectl delete -f service.yaml
```

Anything else we need to know?:

Environment:

- Kubernetes version (use `kubectl version`): v1.9.0
- Cloud provider or hardware configuration: AWS
- OS (e.g. from /etc/os-release): Debian GNU/Linux 8 (jessie)
- Kernel (e.g. `uname -a`): Linux ip-172-20-120-154 4.4.102-k8s #1 SMP Sun Nov 26 23:32:43 UTC 2017 x86_64 GNU/Linux
- Install tools: kops
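The orphaned rules this issue reports can be found and cleaned up by hand while a cluster runs the affected version. The script below is an added example, not code from the issue or from the Kubernetes AWS provider: it walks a security group in the shape boto3's `describe_security_groups()` returns, picks out rules whose description marks them as NLB rules (the `kubernetes.io/rule/nlb/<kind>=<load balancer name>` format is an assumption), and builds a `RevokeSecurityGroupIngress` request in which every `IpPermission` carries exactly one source field, which is the condition the quoted error says was violated. The sample group is constructed.

```python
import re

# Assumed rule description format (not from the issue): kubernetes.io/rule/nlb/<kind>=<lb-name>
NLB_RULE_RE = re.compile(r"^kubernetes\.io/rule/nlb/(?:client|health|mtu)=(?P<lb>.+)$")
# EC2 requires exactly one of these per IpPermission in a Revoke call (see the issue's log line)
SOURCE_KEYS = ("IpRanges", "Ipv6Ranges", "UserIdGroupPairs", "PrefixListIds")

# Constructed sample shaped like boto3 describe_security_groups() output:
# two rules left behind by a deleted NLB service plus one unrelated rule.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0",
                       "Description": "kubernetes.io/rule/nlb/client=a1b2c3d4e5f6"}]},
        {"IpProtocol": "tcp", "FromPort": 30080, "ToPort": 30080,
         "IpRanges": [{"CidrIp": "172.20.0.0/16",
                       "Description": "kubernetes.io/rule/nlb/health=a1b2c3d4e5f6"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8", "Description": "ssh from bastion"}]},
    ],
}


def validate_permission(perm):
    """Enforce locally what EC2 rejected in the issue: exactly one source field."""
    present = [k for k in SOURCE_KEYS if perm.get(k)]
    if len(present) != 1:
        raise ValueError("exactly one of %s must be present, got %s"
                         % (", ".join(SOURCE_KEYS), present or "none"))
    return True


def orphaned_nlb_permissions(group, live_lb_names):
    """One valid IpPermission per NLB rule whose load balancer no longer exists."""
    out = []
    for perm in group.get("IpPermissions", []):
        for key in SOURCE_KEYS:
            for src in perm.get(key, []):
                m = NLB_RULE_RE.match(src.get("Description", ""))
                if not m or m.group("lb") in live_lb_names:
                    continue
                revoke = {"IpProtocol": perm["IpProtocol"], key: [dict(src)]}
                for port in ("FromPort", "ToPort"):  # absent for protocol "-1"
                    if port in perm:
                        revoke[port] = perm[port]
                validate_permission(revoke)
                out.append(revoke)
    return out


if __name__ == "__main__":
    # Pass the result as IpPermissions= to ec2.revoke_security_group_ingress()
    for p in orphaned_nlb_permissions(SAMPLE_GROUP, live_lb_names=set()):
        print(p)
```

Feed `live_lb_names` from `describe_load_balancers()` so that rules belonging to NLBs that still exist are left alone.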
k8s-ci-robot added the kind/bug and sig/aws labels on Dec 22, 2017
k8s-github-robot pushed a commit that referenced this issue Feb 25, 2018
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Fix AWS NLB delete error

**What this PR does / why we need it**:

Fixes an error when deleting an NLB in AWS

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #57568

**Special notes for your reviewer**:


**Release note**:

```release-note
Fixes an error when deleting an NLB in AWS - Fixes #57568
```

@justinsb  How do I get this into the `release-1.9` branch?