Additional ingress rules for control plane #4359
Conversation
k8s-ci-robot
added
release-note
|
/test ? |
|
@richardcase: The following commands are available to trigger required jobs:
The following commands are available to trigger optional jobs:
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/test pull-cluster-api-provider-aws-e2e |
|
|
||
| // AdditionalControlPlaneIngressRules is an optional set of ingress rules to add to the control plane | ||
| // +optional | ||
| AdditionalControlPlaneIngressRules []IngressRule `json:"additionalControlPlaneIngressRules,omitempty"` |
There was a problem hiding this comment.
how is this different from AWSLoadBalancerSpec.IngressRules?
You mention in the PR desc it was a mistake but it seems we are keeping it?
| @@ -175,6 +175,19 @@ spec: | |||
| > | |||
| >An incorrectly configured Classic ELB can easily lead to a non-functional cluster. We strongly recommend you let Cluster API create the Classic ELB. | |||
|
|
|||
| ### Control Plane ingress rules | |||
|
|
|||
| It's possible to specify custom ingress rules for the control plane itself. To do so, add this to the AWSCluster specification: | |||
There was a problem hiding this comment.
Can you clarify/define what is "the control plane itself" in this context?
There was a problem hiding this comment.
There are couple of places where we can customize ingress rules. One of them is the control plane load balancer, which is responsible for external traffic, these 2 PRs are introducing the possibility to set custom rules for it #4228, #4304. Current PR makes it possible to customize ingress rules on the control plane machine directly, in our case we want worker machines to talk with the control plane through a specific port, it's a requirement for the RKE2.
There was a problem hiding this comment.
makes sense thanks! so this would be control plane machines/ec2 instances. Just to make sure I'm clear this could also be satisfied by setting your AdditionalSecurityGroups in those machines, correct? (Not saying that's the way to go and I have no objections to this change, just making sure we put all context together)
There was a problem hiding this comment.
AdditionalSecurityGroups is not the best option here because we want to leverage CAPA ability to manage the underlying infrastructure. AdditionalSecurityGroups requires SGs to be pre-created.
There was a problem hiding this comment.
Ideally, we need a field in AWS machine template for defining security groups but I don't know how this can be combined with already existing AdditionalSecurityGroups cc @richardcase
There was a problem hiding this comment.
Indeed AdditionalSecurityGroups []string in AWSCluster is not flexible enough, while other code locations have AdditionalSecurityGroups []AWSResourceReference which I believe would allow searching for CAPA-managed security groups. I'll take this into account for networking code improvements.
|
Dropped some questions Alex, it'd be good to provide some context on the PR desc to elaborate the use case which is driven this change and how it differs from #4228 |
|
/test pull-cluster-api-provider-aws-e2e-eks |
| } | ||
| ingressRules := s.scope.AdditionalControlPlaneIngressRules() | ||
| for i := range ingressRules { | ||
| if ingressRules[i].SourceSecurityGroupIDs == nil && ingressRules[i].SourceSecurityGroupRoles == nil { // if the rule doesn't have a source security group, use the control plane security group |
There was a problem hiding this comment.
This is called AdditionalControlPlaneIngressRules because it defaults to the controlPlane SG as the source, but as an API consumer I could set SourceSecurityGroupIDs to anything I want and so bypassing the intended API scope?
There was a problem hiding this comment.
Currently, there is no override, just adding new rules. The reason is that most likely we always want control plane to have rules for the API server and etcd.
|
/milestone v2.3.0 |
alexander-demicev
force-pushed
the
cpingress
branch
from
8b0a9f4 to
da9142d
Compare
|
/test ? |
|
@richardcase: The following commands are available to trigger required jobs:
The following commands are available to trigger optional jobs:
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/test pull-cluster-api-provider-aws-e2e-eks |
|
lgtm |
|
@richardcase all tests are passing |
| @@ -175,6 +175,19 @@ spec: | |||
| > | |||
| >An incorrectly configured Classic ELB can easily lead to a non-functional cluster. We strongly recommend you let Cluster API create the Classic ELB. | |||
|
|
|||
| ### Control Plane ingress rules | |||
|
|
|||
| It's possible to specify custom ingress rules for the control plane itself. To do so, add this to the AWSCluster specification: | |||
There was a problem hiding this comment.
Indeed AdditionalSecurityGroups []string in AWSCluster is not flexible enough, while other code locations have AdditionalSecurityGroups []AWSResourceReference which I believe would allow searching for CAPA-managed security groups. I'll take this into account for networking code improvements.
|
@alexander-demicev - apart from the comments from @AndiDog is there anything outstanding on this? |
k8s-ci-robot
added
the
needs-rebase
k8s-ci-robot
removed
the
needs-rebase
|
@AndiDog I addressed all comments, thanks for the review |
| for _, sourceSGRole := range ingressRules[i].SourceSecurityGroupRoles { | ||
| ingressRules[i].SourceSecurityGroupIDs = append(ingressRules[i].SourceSecurityGroupIDs, s.scope.SecurityGroups()[sourceSGRole].ID) |
There was a problem hiding this comment.
Should use a set style for this, else over time, the list of SourceSecurityGroupIDs grows and becomes invalid as far as AWS is concerned.
| for _, sourceSGRole := range ingressRules[i].SourceSecurityGroupRoles { | |
| ingressRules[i].SourceSecurityGroupIDs = append(ingressRules[i].SourceSecurityGroupIDs, s.scope.SecurityGroups()[sourceSGRole].ID) | |
| securityGroupIDs := sets.New[string](ingressRules[i].SourceSecurityGroupIDs...) | |
| for _, sourceSGRole := range ingressRules[i].SourceSecurityGroupRoles { | |
| securityGroupIDs.Insert(s.scope.SecurityGroups()[sourceSGRole].ID) | |
| } | |
| ingressRules[i].SourceSecurityGroupIDs = sets.List[string](securityGroupIDs) |
alexander-demicev
force-pushed
the
cpingress
branch
from
796086d to
6c18a53
Compare
|
@JoelSpeed @AndiDog all should be fixed, thanks for reviews |
|
Bugs I picked up look to be fixed now, thanks @alexander-demicev |
k8s-ci-robot
added
the
needs-rebase
alexander-demicev
force-pushed
the
cpingress
branch
from
6c18a53 to
110f45d
Compare
|
/test ? |
|
@richardcase: The following commands are available to trigger required jobs:
The following commands are available to trigger optional jobs:
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/test pull-cluster-api-provider-aws-e2e |
|
@alexander-demicev - could you squash your commits? |
|
e2e test passed. |
Fix setting additional ingress rules for CP Update documentation with CP ingress rules
alexander-demicev
force-pushed
the
cpingress
branch
from
110f45d to
80dbe3a
Compare
k8s-ci-robot
removed
the
needs-rebase
| @@ -760,7 +779,7 @@ func TestAdditionalControlPlaneSecurityGroup(t *testing.T) { | |||
| t.Fatalf("Expected to port %d, got %d", tc.expectedAdditionalIngresRule.ToPort, r.ToPort) | |||
| } | |||
|
|
|||
| if !reflect.DeepEqual(r.SourceSecurityGroupIDs, tc.expectedAdditionalIngresRule.SourceSecurityGroupIDs) { | |||
| if !sets.New[string](tc.expectedAdditionalIngresRule.SourceSecurityGroupIDs...).Equal(sets.New[string](tc.expectedAdditionalIngresRule.SourceSecurityGroupIDs...)) { | |||
There was a problem hiding this comment.
small nit:
why set comparison and not cmp.Equal (if you do not intend to use reflect library)?
There was a problem hiding this comment.
actually no reason :) I just felt like I could use a method provided by "sets" package since we make security groups a set in the controller logic.
There was a problem hiding this comment.
ok 🙂 just wanted to check if this has added benefit
|
/lgtm cc @richardcase for final approval |
k8s-ci-robot
added
the
lgtm
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: richardcase The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/cherrypick release-2.2 |
|
@richardcase: #4359 failed to apply on top of branch "release-2.2": In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What type of PR is this?
/kind feature
What this PR does / why we need it:
This PR fixes mistake from #4228, initially, the intention was to allow adding custom ingress rules for the control plane itself and not for the load balancer.
cc @richardcase @fiunchinho
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #
Special notes for your reviewer:
Checklist:
Release note: