Fixes #49445 by adding additional annotation to define ELB security group (AWS) #62774
Conversation
k8s-ci-robot
added
release-note
|
/ok-to-test |
k8s-ci-robot
removed
the
needs-ok-to-test
|
Thanks for the PR! So I may be missing something, but I think this is a breaking change - I might previously have been adding a security group to grant access via security-groups (which you can't otherwise do in the API), but I might still want access via a CIDR. This would block the CIDR. One hacky workaround: you could set the allowed-CIDR to something like How about another annotation? e.g. I think the logic would be that Another option is to allow source ranges to specify security groups, or some syntax to disallow all traffic, though I suspect because it's both a field and an annotation (and the field is shared across cloudproviders) that would be harder.. |
|
Hi, thanks for your review! |
k8s-ci-robot
added
size/M
|
I update the PR with the discussed proposal: given that the code is indeed pretty minimal, I'd love to use that to reason if this is really what we are looking for and code makes it easier in this case. |
|
/test pull-kubernetes-verify |
2 similar comments
|
/test pull-kubernetes-verify |
|
/test pull-kubernetes-verify |
|
Would it not also make sense that if someone used the following under the spec: loadBalancerSourceRanges:
The 0.0.0.0/0 inbound rule would no longer get created? One would assume that if they're assigning specific load balancer source Ip ranges they don't want everyone to have access... |
|
@wrstlrlp13 EDIT: that works, the 0.0.0.0/0 rule is only added for ICMP, so the 0.0.0.0/0 would not be allowed if we use the |
|
/retest |
|
@Raffo this seems like a reasonable addition. like @justinsb said the alternative is pretty hacky but what I've used in the past. Just for documentation sake it might make sense to make it more clear that it's replacing all SGs that would usually be defined. I would say change the last line in the comments to say "Differently from the annotation "service.beta.kubernetes.io/aws-load-balancer-extra-security-groups", this will replace all other security groups assigned to the ELB." at least if I'm reading the code correctly. 👍 |
|
You read it correctly, I'll make the change! |
|
@justinsb @chrislovecnm can you please take another look? |
|
👍 Really want this |
Raffo
changed the title
|
@Raffo Would it be possible to cherry-picked this to 1.12? It seems like a pretty small change and not having this capability causes security issues for us which we'd rather not leave open til 1.13. |
|
@matthias50 It's technically easy I guess, but it was stated that it is a new feature (it kind of is even though it's fixing something that we can easily say is a bug) and will not be chosen for cherry pick. |
|
@Raffo, I see the comment from @justinsb. I can see both sides of the story here in that we could look at this as a bug fix or a new feature. According to https://contributor.kubernetes.io/contributors/devel/cherry-picks/, it seems that the branch manager or the patch release team is the one that makes the call as to if this is something we can say is a bug which could be cherry picked or is a new feature. If it isn't too much trouble, would you mind submitting a PR to cherry pick this and see what the branch managers for 1.12 think (see https://github.com/kubernetes/sig-release/blob/master/releases/release-1.12/release_team.md)? Maybe they agree with @justinb, maybe not. Worst that could happen is that they say no. |
|
I'd rather ping them here than creating a useless PR that would need to be
closed then. I haven't checked the links, would you mind including the
relevant people in this conversation?
…On Mon, Nov 5, 2018, 23:23 Matt Martin ***@***.*** wrote:
@Raffo <https://github.com/Raffo>, I see the comment from @justinsb
<https://github.com/justinsb>. I can see both sides of the story here in
that we could look at this as a bug fix or a new feature. According to
https://contributor.kubernetes.io/contributors/devel/cherry-picks/, it
seems that the branch manager or the patch release team is the one that
makes the call as to if this is something we can say is a bug which could
be cherry picked or is a new feature.
If it isn't too much trouble, would you mind submitting a PR to cherry
pick this and see what the branch managers for 1.12 think (see
https://github.com/kubernetes/sig-release/blob/master/releases/release-1.12/release_team.md)?
Maybe they agree with @justinb <https://github.com/justinb>, maybe not.
Worst that could happen is that they say no.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#62774 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AApv1HJti5rW2Bq2HRoh-0gzSa2DvrNFks5usLp7gaJpZM4TZtge>
.
|
|
@dougm, @idealhack, @hoegaarden, @codenrhoden, is this PR one which could be cherry picked back to 1.12? |
|
I understand this is classified as a feature, but given this is kind of a bugfix (depending on how you look at it), is there any chance this could be cherry-picked to 1.11 as well @foxish ? EKS is still on 1.11 and this would solve a lot of problems with security group rule limits for restricted NLBs |
|
@matthias50 @Raffo @cam-cen For backporting you'd need the patch managers of the releases in question: As the doc states, they are the authority to bring those changes into Also you'd need the approval of the original approver (@justinsb in that case) on each of the cherry-pick PRs.
... so I'd start with convincing him that those changes need to go into |
|
@Raffo Thanks for this feature. I have some question regarding how this should be used. Is Because if |
|
You should be able to use the new annotation without having to specify the ranges, which is exactly the point of this PR. If there is any problem with that, please feel free to submit an issue and quote me on that. |
|
Perfect thanks. Let me open an issue with my findings. |
ghost
mentioned this pull request
|
This doesn't seem to work for me. The new SG I add outside K8S becomes managed by K8S and all the ports are added. I'm looking to have a range for the SG but all the ports that are added to the service are also added to the new SG |
|
This one should have really been implemented different, it is now very partly and inconvenient. With current implementation one cannot get rid of the empty default security groups created (which is really unneccesary). |
|
Using |
|
As @ghost mentioned--this is also needed on NLB's which add each allowance to the shared node SG individually instead of creating an SG as ELB's do. This of course causes the shared SG to hit the max more quickly. |
|
Hi And also I want to ask for kubernetes v1.15.9 |
…e.md Annotation `service.beta.kubernetes.io/aws-load-balancer-security-groups` is missing from the list of annotations that can be applied to an ELB. This annotation was introduced in kubernetes/kubernetes#62774 and refactored kubernetes/kubernetes#83446 to allow users to specify a set of existing security groups to attach to the ELB instead of using any precreated security groups.
What this PR does / why we need it:
This fixes #49445 by changing the way the SG are applied to AWS ELBs: previously, an ELB would always have a default SG, either a pre-created one or an ad hoc one that always allowed
0.0.0.0/0even if an annotation with a different security would be specified. This PR changes that by having the "extra" SG be the only one applied when it is specified as this is the way most of the people use AWS anyways: they predefine Security Groups with rules that work with them and they want to be applied.It would would be probably worth considering changing the name of the annotation as this change of behaviour doesn't really make it "extra".
Which issue(s) this PR fixes :
Fixes #49445
Special notes for your reviewer:
Please advise how to build and test this on AWS to do an integration test, I don't have prior experience with that.
Release note:
/cc @justinsb @chrislovecnm what do you think?