Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow customization of ingress rules in control plane LB security group #4304

Merged
merged 1 commit into from
Jun 7, 2023
Merged

Allow customization of ingress rules in control plane LB security group #4304

merged 1 commit into from
Jun 7, 2023

Conversation

fiunchinho
Copy link
Contributor

@fiunchinho fiunchinho commented Jun 1, 2023
edited
Loading

What type of PR is this?

/kind feature

What this PR does / why we need it:

We would like to customize the ingress rules that are included in the security group created for the control plane Load Balancer. Currently, capa always adds an ingress rule to allow traffic towards the k8s api from everywhere (0.0.0.0/0). But we would like to have more control over this. We would like to only allow traffic coming from our VPNs.

With the changes in this PR, when no additional ingress rules are defined, we add the ingress rule to allow traffic from everywhere. That way we are backwards compatible. But when additional rules are defined, these will be used instead.

Checklist:

  • squashed commits
  • includes documentation
  • adds unit tests
  • adds or updates e2e tests

Release note:

Allow customization of ingress rules in control plane Load Balancer security group

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-priority labels Jun 1, 2023
@k8s-ci-robot
Copy link
Contributor

Welcome @fiunchinho!

It looks like this is your first PR to kubernetes-sigs/cluster-api-provider-aws 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/cluster-api-provider-aws has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jun 1, 2023
@k8s-ci-robot
Copy link
Contributor

Hi @fiunchinho. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@fiunchinho
Copy link
Contributor Author

Adding @richardcase and @alexander-demicev as we talked about this in Slack.

@alexander-demicev
Copy link
Contributor

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 1, 2023
@alexander-demicev
Copy link
Contributor

/test pull-cluster-api-provider-aws-e2e-eks
/test pull-cluster-api-provider-aws-e2e

alexander-demicev
alexander-demicev reviewed Jun 1, 2023
View reviewed changes
Copy link
Contributor

@alexander-demicev alexander-demicev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The logic itself looks okay to me. However, the API field name AdditionalIngressRules might be confusing to users since the change is not only defining new ingress rules but also overriding already defined rules. We haven't released this API field yet, so it can still be changed to something like CustomIngressRules. What do you think?

Also, what about the IPv6 rules below?

@fiunchinho fiunchinho force-pushed the additional-ingress-rules-cp-lb branch 2 times, most recently from 277eb0b to 7fb8bd1 Compare June 1, 2023 14:38
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jun 1, 2023
@fiunchinho
Copy link
Contributor Author

Also, what about the IPv6 rules below?

I've changed the logic so that when no additional rules are defined and we want to use the default rules, we either use IPv6 or IPv4 depending on whether IPv6 is enabled or not.

@fiunchinho fiunchinho force-pushed the additional-ingress-rules-cp-lb branch from 7fb8bd1 to 35cc1af Compare June 1, 2023 15:13
@fiunchinho
Copy link
Contributor Author

I pushed a new change to rename the field from additionalIngressRules to simply IngressRules. The name CustomIngressRules seem redundant to me, because we have many fields where we use a default when it's not set, and we don't call it CustomSomething. So IngressRules made sense to me. What do you think?

@fiunchinho
Copy link
Contributor Author

/retest

@fiunchinho
Copy link
Contributor Author

/test pull-cluster-api-provider-aws-e2e-eks
/test pull-cluster-api-provider-aws-e2e

@fiunchinho fiunchinho mentioned this pull request Jun 1, 2023
Closed
alexander-demicev
alexander-demicev reviewed Jun 5, 2023
View reviewed changes
Copy link
Contributor

@alexander-demicev alexander-demicev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, there is also a small piece of documentation that needs to be updated https://cluster-api-aws.sigs.k8s.io/topics/bring-your-own-aws-infrastructure.html?highlight=ingress#control-plane-load-balancer

@fiunchinho fiunchinho force-pushed the additional-ingress-rules-cp-lb branch from 35cc1af to 9241ebc Compare June 5, 2023 13:57
@AverageMarcus
Copy link
Member

/lgtm

Just needs approval from a maintainer :)

/assign @richardcase @Ankitasw @Skarlso

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 6, 2023
@Skarlso
Copy link
Contributor

Skarlso commented Jun 6, 2023

Looks okay except for that small refactor. :) Then it should be fine. :)

@fiunchinho fiunchinho changed the title Add additional ingress rules to control plane Load Balancer Allow customization of ingress rules in control plane LB security group Jun 6, 2023
@fiunchinho fiunchinho force-pushed the additional-ingress-rules-cp-lb branch from a72a71d to b4928b2 Compare June 6, 2023 11:19
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 6, 2023
@fiunchinho
Copy link
Contributor Author

/retest
/test pull-cluster-api-provider-aws-e2e-eks
/test pull-cluster-api-provider-aws-e2e

@Skarlso
Copy link
Contributor

Skarlso commented Jun 6, 2023
edited
Loading 

E0606 11:34:44.467623       1 controller.go:329] "Reconciler error" err=<
	failed to create one or more IP addresses for NAT gateways: failed to allocate Elastic IP: AddressLimitExceeded: The maximum number of addresses has been reached.
		status code: 400, request id: 162c8357-0949-45bc-b298-c9b3b41b9a17
 > controller="awscluster" controllerGroup="infrastructure.cluster.x-k8s.io" controllerKind="AWSCluster" AWSCluster="functional-test-ssm-parameter-store-clusterclass-6jt77v/cluster-vetjuj-sc9q9" namespace="functional-test-ssm-parameter-store-clusterclass-6jt77v" name="cluster-vetjuj-sc9q9" reconcileID="5e8ecaea-9c47-492c-86a8-2281666b5bc8"

Pfff...

Now we have to find out if we actually created that many, or there is a problem on the account. I've seen sometimes that when there is an error it kept creating security groups when it eventually reached the limit withing a couple seconds haha.

@fiunchinho
Copy link
Contributor Author 

E0606 11:34:44.467623       1 controller.go:329] "Reconciler error" err=<
	failed to create one or more IP addresses for NAT gateways: failed to allocate Elastic IP: AddressLimitExceeded: The maximum number of addresses has been reached.
		status code: 400, request id: 162c8357-0949-45bc-b298-c9b3b41b9a17
 > controller="awscluster" controllerGroup="infrastructure.cluster.x-k8s.io" controllerKind="AWSCluster" AWSCluster="functional-test-ssm-parameter-store-clusterclass-6jt77v/cluster-vetjuj-sc9q9" namespace="functional-test-ssm-parameter-store-clusterclass-6jt77v" name="cluster-vetjuj-sc9q9" reconcileID="5e8ecaea-9c47-492c-86a8-2281666b5bc8"

Pfff...

Now we have to find out if we actually created that many, or there is a problem on the account. I've seen sometimes that when there is an error it kept creating security groups when it eventually reached the limit withing a couple seconds haha.

What should I do now? I think the only thing I can do is to re-trigger and hope for the best 😄

@Skarlso
Copy link
Contributor

Skarlso commented Jun 6, 2023

Nah, don't re-trigger. If the account has a problem we are just adding to it. So let's leave it for a little while and hope it cleans up. 🤷

@Skarlso
Copy link
Contributor

Skarlso commented Jun 7, 2023

/test pull-cluster-api-provider-aws-e2e

@fiunchinho
Copy link
Contributor Author

All green now 😸

@Skarlso
Copy link
Contributor

Skarlso commented Jun 7, 2023

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 7, 2023
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Skarlso

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 7, 2023
@k8s-ci-robot k8s-ci-robot merged commit 6705ad8 into kubernetes-sigs:main Jun 7, 2023
@richardcase
Copy link
Member

/milestone v2.2.0

@k8s-ci-robot k8s-ci-robot added this to the v2.2.0 milestone Jun 30, 2023
@alexander-demicev alexander-demicev mentioned this pull request Jul 3, 2023
Merged
4 tasks
@fiunchinho fiunchinho mentioned this pull request Jul 20, 2023
Merged
4 tasks
@snehala27 snehala27 mentioned this pull request Aug 30, 2023
Open
@fiunchinho fiunchinho mentioned this pull request Oct 9, 2023
Closed
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Skarlso Skarlso Skarlso left review comments

@AverageMarcus AverageMarcus AverageMarcus left review comments

@alexander-demicev alexander-demicev alexander-demicev approved these changes

@pydctw pydctw Awaiting requested review from pydctw

@shivi28 shivi28 Awaiting requested review from shivi28

Assignees

@Skarlso Skarlso

@richardcase richardcase

@AverageMarcus AverageMarcus

@Ankitasw Ankitasw

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
v2.2.0
Development

Successfully merging this pull request may close these issues.
7 participants
@fiunchinho @k8s-ci-robot @alexander-demicev @AverageMarcus @Skarlso @richardcase @Ankitasw