When tagging security groups, ensure cloud provider tag is only on lb #4571
Conversation
I think this is helpful for preventing users from shooting themselves in the foot. Though, how will users know that the security groups don't get those tags? Should we log a line at least?
@JoelSpeed Good idea, added a debug log
Signed-off-by: Vince Prignano <[email protected]>
/lgtm Thanks for adding that log line, this is a good addition to stop people from creating broken clusters
/test pull-cluster-api-provider-aws-e2e
/retest
not related /retest
/retest
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: vincepri.
Because of how the CCM selects a Load Balancer security group by using the "kubernetes.io/cluster/<infraID>: owned" tag, CAPA removes that tag from all the other security groups [1]. That means that when the Installer is looking for resources to delete with that tag, it will never find those security groups and they'll stay behind. To avoid that, let's also search for resources with the "sigs.k8s.io/cluster-api-provider-aws/cluster/<infraID>: owned" tag during cluster destroy. [1] kubernetes-sigs/cluster-api-provider-aws#4571
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
This is an improvement on the current logic that blindly sets tags on security groups. The cloud provider expects only a single load balancer to be tagged with kubernetes.io/cluster/test = owned. By default, we already tag the lb security group; we should ensure all the other security groups remain untagged.
Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #