
refactor NLB securityGroup handling #74692

Merged
merged 1 commit into from May 30, 2019

Conversation

@M00nF1sh (Contributor) commented Feb 28, 2019

What type of PR is this?

/kind bug
What this PR does / why we need it:
Refactor securityGroup handling part of NLB

Which issue(s) this PR fixes:

Fixes #57212

Special notes for your reviewer:
This is not intended as a full securityGroup handling refactor, but just as an intermediary step.
The current approach still has some limitations, as before:

  1. The same SG rules may be required by multiple LBs (this will be common when we need to add support for POD IP mode). Future improvements can use a comma-separated description to identify rules that are shared by multiple LBs, e.g. (NLB=lb1,NLB=lb2). When adding/removing permissions, we update the description as needed, and use an in-process lock for updating a shared securityGroup like the node securityGroup.
  2. Do we really need to support multiple securityGroups on worker nodes? Is there any k8s distribution on AWS that relies on that?
  3. Previous ICMP rules (kubernetes.io/rule/nlb/mtu=LBName) won't be cleaned up. This can be improved by changing my IPPermissionMatchDesc to be regex based or adding an "IsExactMatch" param. Not sure whether it's needed since NLB is an alpha feature.
  4. Tests done:
    1. Created multiple NLB services with different loadBalancerSourceRanges, and verified the correct ICMP/client/healthcheck rules were applied.
    2. Modified loadBalancerSourceRanges on these NLBs, and verified the ICMP/client rules were updated.
    3. Deleted these NLB services, and verified the ICMP/client/healthcheck rules were deleted.

Does this PR introduce a user-facing change?:

refactor AWS NLB securityGroup handling
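The two limitations the PR description raises, description-matched rule clean-up that misses the legacy `kubernetes.io/rule/nlb/mtu=LBName` ICMP rules, and the proposed comma-separated `NLB=lb1,NLB=lb2` description for rules shared by several load balancers, are illustrated below in an added Go example. It is not code from this PR or from the Kubernetes AWS cloud provider: `IngressRule` is a simplified stand-in for an EC2 IpPermission, the `client` and `health` rule kinds and the `RulesOwnedByLB`/`ReleaseSharedRule` names are assumptions made for the example, and the sample rule set is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// IngressRule is a deliberately simplified stand-in for an EC2 IpPermission,
// constructed for this example; it is not the AWS SDK type or the cloud
// provider's own model.
type IngressRule struct {
	Protocol    string // "tcp" or "icmp"
	FromPort    int64  // for icmp: the ICMP type
	ToPort      int64  // for icmp: the ICMP code
	CIDR        string
	Description string // how the provider attributes the rule to an LB
}

// Assumed description scheme: kubernetes.io/rule/nlb/<kind>=<lbName>.
// "mtu" is the legacy ICMP rule kind quoted in the PR; "client" and "health"
// are assumed names for the client-traffic and health-check rules.
const NLBRulePrefix = "kubernetes.io/rule/nlb/"

// RulesOwnedByLB returns the rules attributed to lbName.
//
// With exact=true only descriptions built from managedKinds are matched, so a
// legacy "mtu" rule is never selected for removal (the clean-up gap the PR
// describes). With exact=false a regexp over the whole scheme matches every
// kind for that LB name, including the legacy one.
func RulesOwnedByLB(rules []IngressRule, lbName string, managedKinds []string, exact bool) []IngressRule {
	var owned []IngressRule
	if exact {
		want := make(map[string]bool, len(managedKinds))
		for _, k := range managedKinds {
			want[NLBRulePrefix+k+"="+lbName] = true
		}
		for _, r := range rules {
			if want[r.Description] {
				owned = append(owned, r)
			}
		}
		return owned
	}
	// Anchored and quoted so that an LB named "lb1" does not also match "lb10".
	re := regexp.MustCompile("^" + regexp.QuoteMeta(NLBRulePrefix) + "[a-z]+=" + regexp.QuoteMeta(lbName) + "$")
	for _, r := range rules {
		if re.MatchString(r.Description) {
			owned = append(owned, r)
		}
	}
	return owned
}

// Shared-rule bookkeeping as sketched in the PR: "NLB=lb1,NLB=lb2" lists every
// owner of one rule, and the rule is revoked only when the last owner leaves.
// Callers updating a shared group (such as the node security group) must
// serialize these read-modify-write cycles, e.g. with an in-process lock.

// SharedOwners parses "NLB=lb1,NLB=lb2" into ["lb1", "lb2"], ignoring entries
// that do not follow the scheme.
func SharedOwners(desc string) []string {
	var owners []string
	for _, field := range strings.Split(desc, ",") {
		field = strings.TrimSpace(field)
		if name := strings.TrimPrefix(field, "NLB="); name != field && name != "" {
			owners = append(owners, name)
		}
	}
	return owners
}

func encodeOwners(owners []string) string {
	parts := make([]string, 0, len(owners))
	for _, o := range owners {
		parts = append(parts, "NLB="+o)
	}
	return strings.Join(parts, ",")
}

// AddSharedOwner records lbName as an owner of the rule; it is idempotent.
func AddSharedOwner(desc, lbName string) string {
	owners := SharedOwners(desc)
	for _, o := range owners {
		if o == lbName {
			return encodeOwners(owners)
		}
	}
	return encodeOwners(append(owners, lbName))
}

// ReleaseSharedRule drops lbName from the owner list. It returns the updated
// description and true when no owner remains, i.e. the rule itself should be
// revoked rather than merely re-described.
func ReleaseSharedRule(desc, lbName string) (string, bool) {
	var remaining []string
	for _, o := range SharedOwners(desc) {
		if o != lbName {
			remaining = append(remaining, o)
		}
	}
	return encodeOwners(remaining), len(remaining) == 0
}

func main() {
	// Constructed sample: a node security group holding rules from two NLBs,
	// including a legacy mtu rule left behind by an older provider version.
	rules := []IngressRule{
		{"tcp", 30080, 30080, "203.0.113.0/24", NLBRulePrefix + "client=lb1"},
		{"tcp", 30080, 30080, "10.0.0.0/16", NLBRulePrefix + "health=lb1"},
		{"icmp", 3, 4, "203.0.113.0/24", NLBRulePrefix + "mtu=lb1"},
		{"tcp", 30443, 30443, "0.0.0.0/0", NLBRulePrefix + "client=lb10"},
	}
	managed := []string{"client", "health"}
	fmt.Println("exact match: ", len(RulesOwnedByLB(rules, "lb1", managed, true)), "rules")  // 2: mtu rule left behind
	fmt.Println("regexp match:", len(RulesOwnedByLB(rules, "lb1", managed, false)), "rules") // 3

	desc := AddSharedOwner(AddSharedOwner("", "lb1"), "lb2")
	desc, revoke := ReleaseSharedRule(desc, "lb1")
	fmt.Printf("after releasing lb1: %q revoke=%v\n", desc, revoke) // "NLB=lb2" revoke=false
	desc, revoke = ReleaseSharedRule(desc, "lb2")
	fmt.Printf("after releasing lb2: %q revoke=%v\n", desc, revoke) // "" revoke=true
}
```

The regexp matcher is the "regex based" option from the description; the `exact` path is what an `IsExactMatch` style matcher over only the currently managed rule kinds leaves behind. Whichever matcher is used, the description is the only thing tying a rule to a load balancer, so anything else that writes rules into the node security group with a colliding description will be treated as owned by the provider and revoked with it.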

@k8s-ci-robot k8s-ci-robot requested review from justinsb and micahhausler Feb 28, 2019

@M00nF1sh M00nF1sh force-pushed the M00nF1sh:fix_sg branch 2 times, most recently from ab76822 to 67d043d Feb 28, 2019

@M00nF1sh M00nF1sh changed the title [WIP]refactor NLB securityGroup handling refactor NLB securityGroup handling Feb 28, 2019

@M00nF1sh M00nF1sh force-pushed the M00nF1sh:fix_sg branch 2 times, most recently from def6392 to bddb9bf Feb 28, 2019

@M00nF1sh (Contributor, Author) commented Mar 6, 2019

/assign @micahhausler

@micahhausler (Member) left a comment

/lgtm
/approve

@M00nF1sh M00nF1sh force-pushed the M00nF1sh:fix_sg branch from 1fad0b9 to e54a030 May 28, 2019

@M00nF1sh M00nF1sh force-pushed the M00nF1sh:fix_sg branch from e54a030 to c845f5e May 28, 2019

@M00nF1sh (Contributor, Author) commented May 29, 2019

/milestone v1.15

@k8s-ci-robot commented May 29, 2019

@M00nF1sh: You must be a member of the kubernetes/kubernetes-milestone-maintainers GitHub team to set the milestone. If you believe you should be able to issue the /milestone command, please contact your and have them propose you as an additional delegate for this responsibility.

In response to this:

/milestone v1.15

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@micahhausler (Member) left a comment

/approve
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm label May 30, 2019

@k8s-ci-robot commented May 30, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: M00nF1sh, micahhausler

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@M00nF1sh (Contributor, Author) commented May 30, 2019

/test pull-kubernetes-e2e-gce-100-performance

@M00nF1sh (Contributor, Author) commented May 30, 2019

/retest

@k8s-ci-robot k8s-ci-robot merged commit 009f7a0 into kubernetes:master May 30, 2019

20 of 21 checks passed

pull-kubernetes-e2e-gce-100-performance Job triggered.
cla/linuxfoundation M00nF1sh authorized
pull-kubernetes-bazel-build Job succeeded.
pull-kubernetes-bazel-test Job succeeded.
pull-kubernetes-conformance-image-test Skipped.
pull-kubernetes-cross Skipped.
pull-kubernetes-dependencies Job succeeded.
pull-kubernetes-e2e-gce Job succeeded.
pull-kubernetes-e2e-gce-csi-serial Skipped.
pull-kubernetes-e2e-gce-device-plugin-gpu Job succeeded.
pull-kubernetes-e2e-gce-storage-slow Skipped.
pull-kubernetes-godeps Skipped.
pull-kubernetes-integration Job succeeded.
pull-kubernetes-kubemark-e2e-gce-big Job succeeded.
pull-kubernetes-local-e2e Skipped.
pull-kubernetes-node-e2e Job succeeded.
pull-kubernetes-node-e2e-containerd Job succeeded.
pull-kubernetes-typecheck Job succeeded.
pull-kubernetes-verify Job succeeded.
pull-publishing-bot-validate Skipped.
tide In merge pool.

@k8s-ci-robot commented May 30, 2019

@M00nF1sh: The following test failed, say /retest to rerun them all:

Test name                                | Commit  | Rerun command
pull-kubernetes-e2e-gce-100-performance  | c845f5e | /test pull-kubernetes-e2e-gce-100-performance

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@joshimhoff commented Jun 5, 2019

@M00nF1sh, when would you expect this to land on EKS? Will it be released in a certain k8s release that I can watch out for?

Thanks for the bug fixes!

@M00nF1sh (Contributor, Author) commented Jun 5, 2019

@joshimhoff
Hi, this will be released as k8s v1.15 release. I'll check whether it's feasible to backport this to v1.12/v1.13 for EKS 😄

@joshimhoff commented Jun 5, 2019

Awesome, thanks for the info! A backport would be really great!

@pmnhatdn commented Aug 17, 2019

@M00nF1sh any update on backporting this change to v1.12 and v1.13?
