Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Drop unwanted SGs when calling attachSecurityGroupsToNetworkInterface #4363

Merged
merged 1 commit into from
Jul 3, 2023
Merged

Drop unwanted SGs when calling attachSecurityGroupsToNetworkInterface #4363

merged 1 commit into from
Jul 3, 2023

Conversation

enxebre
Copy link
Member

@enxebre enxebre commented Jun 27, 2023
edited
Loading

Before this, attachSecurityGroupsToNetworkInterface was re-applying existing SGs not specified in user intent. It's up to the caller to choose the right list of SG ids as in

cluster-api-provider-aws/controllers/awsmachine_security_groups.go

Lines 57 to 64 in 3ebf018

changed, ids := r.securityGroupsChanged(annotation, core, additionalSecurityGroupsIDs, existing)
if !changed {
return false, nil
}
if err := ec2svc.UpdateInstanceSecurityGroups(*scope.GetInstanceID(), ids); err != nil {
return false, err
}
so then attachSecurityGroupsToNetworkInterface just applies what is given.

What type of PR is this?

/kind bug

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #4361

Special notes for your reviewer:

Checklist:

  • squashed commits
  • includes documentation
  • adds unit tests
  • adds or updates e2e tests

Release note:

attachSecurityGroupsToNetworkInterface do not re-apply existing security groups which are not specified by the user intent

@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jun 27, 2023
@k8s-ci-robot k8s-ci-robot added needs-priority size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jun 27, 2023
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jun 27, 2023
@richardcase
Copy link
Member

/test ?

@k8s-ci-robot
Copy link
Contributor

@richardcase: The following commands are available to trigger required jobs:

  • /test pull-cluster-api-provider-aws-build
  • /test pull-cluster-api-provider-aws-test
  • /test pull-cluster-api-provider-aws-verify

The following commands are available to trigger optional jobs:

  • /test pull-cluster-api-provider-aws-apidiff-main
  • /test pull-cluster-api-provider-aws-e2e
  • /test pull-cluster-api-provider-aws-e2e-blocking
  • /test pull-cluster-api-provider-aws-e2e-clusterclass
  • /test pull-cluster-api-provider-aws-e2e-conformance
  • /test pull-cluster-api-provider-aws-e2e-conformance-with-ci-artifacts
  • /test pull-cluster-api-provider-aws-e2e-eks
  • /test pull-cluster-api-provider-aws-e2e-eks-gc
  • /test pull-cluster-api-provider-aws-e2e-eks-testing

Use /test all to run the following jobs that were automatically triggered:

  • pull-cluster-api-provider-aws-apidiff-main
  • pull-cluster-api-provider-aws-build
  • pull-cluster-api-provider-aws-test
  • pull-cluster-api-provider-aws-verify

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@richardcase
Copy link
Member

/test pull-cluster-api-provider-aws-e2e
/test pull-cluster-api-provider-aws-e2e-eks

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Jun 28, 2023
@enxebre
Copy link
Member Author

enxebre commented Jun 28, 2023

/test pull-cluster-api-provider-aws-e2e

@enxebre
Copy link
Member Author

enxebre commented Jun 28, 2023 

#7 [internal] load metadata for docker.io/library/golang:1.19.5
#7 ERROR: failed to copy: httpReadSeeker: failed open: content at https://mirror.gcr.io/v2/library/golang/manifests/sha256:572f68065ea605e0bd7ab42aa036462318e680a15db0f41a0cadcd06affdabdb?ns=docker.io not found: not found

@enxebre
Copy link
Member Author

enxebre commented Jun 29, 2023

/test pull-cluster-api-provider-aws-e2e

@richardcase
Copy link
Member

@enxebre - this probably needs a rebase so that it picks up the change to the Dockerfile that uses a public ECR registry for the golang image.

@enxebre
Drop unwanted SGs when calling attachSecurityGroupsToNetworkInterface
c7062cb 
Before this, attachSecurityGroupsToNetworkInterface was re-applying existing SGs not specified in user intent.
It's up to the caller to choose the right list of SG ids as in https://github.com/kubernetes-sigs/cluster-api-provider-aws/blob/3ebf018bbfc5345fbd9d9598ea9392b2a349ed6c/controllers/awsmachine_security_groups.go#L57-L64 so then attachSecurityGroupsToNetworkInterface just applies what is given.
@enxebre
Copy link
Member Author

enxebre commented Jun 30, 2023

thanks Richard! rebased.

@richardcase
Copy link
Member

/test pull-cluster-api-provider-aws-e2e

@richardcase
Copy link
Member

/milestone v2.2.0

@k8s-ci-robot k8s-ci-robot added this to the v2.2.0 milestone Jun 30, 2023
@richardcase
Copy link
Member

/test pull-cluster-api-provider-aws-e2e-eks

@richardcase
Copy link
Member

All the tests passed, so:

/approve
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 3, 2023
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: richardcase

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 3, 2023
@k8s-ci-robot k8s-ci-robot merged commit 295efb0 into kubernetes-sigs:main Jul 3, 2023
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AverageMarcus AverageMarcus Awaiting requested review from AverageMarcus

@richardcase richardcase Awaiting requested review from richardcase

Assignees

@richardcase richardcase

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority release-note Denotes a PR that will be considered when it comes time to generate release notes. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
v2.2.0
Development

Successfully merging this pull request may close these issues.

Security groups intent not honoured
3 participants
@enxebre @richardcase @k8s-ci-robot