Add support for specifying source ranges for NLB (kubernetes-sigs#1492)

* add support for specifying source ranges for NLB

* address comments

Author: kishorj

pkg/annotations/constants.go

@@ -42,6 +42,7 @@ const (
 
 	// NLB annotation suffixes
 	// prefixes service.beta.kubernetes.io, service.kubernetes.io
+	SvcLBSuffixSourceRanges                  = "load-balancer-source-ranges"
 	SvcLBSuffixLoadBalancerType              = "aws-load-balancer-type"
 	SvcLBSuffixInternal                      = "aws-load-balancer-internal"
 	SvcLBSuffixProxyProtocol                 = "aws-load-balancer-proxy-protocol"

pkg/service/nlb/builder.go

@@ -486,41 +486,76 @@ func (t *defaultModelBuildTask) buildTargetGroupBinding(ctx context.Context, tar
 	})
 }
 
-func (t *defaultModelBuildTask) buildTargetGroupBindingNetworking(_ context.Context, tgPort intstr.IntOrString, hcPort intstr.IntOrString,
-	tgProtocol corev1.Protocol, ec2Subnets []*ec2.Subnet) *elbv2model.TargetGroupBindingNetworking {
-	var from []elbv2model.NetworkingPeer
-	networkingProtocol := elbv2api.NetworkingProtocolTCP
-	if tgProtocol == corev1.ProtocolUDP {
-		networkingProtocol = elbv2api.NetworkingProtocolUDP
+func (t *defaultModelBuildTask) buildPeersFromSourceRanges(_ context.Context) []elbv2model.NetworkingPeer {
+	var sourceRanges []string
+	var peers []elbv2model.NetworkingPeer
+	for _, cidr := range t.service.Spec.LoadBalancerSourceRanges {
+		sourceRanges = append(sourceRanges, cidr)
 	}
+	if len(sourceRanges) == 0 {
+		t.annotationParser.ParseStringSliceAnnotation(annotations.SvcLBSuffixSourceRanges, &sourceRanges, t.service.Annotations)
+	}
+	if len(sourceRanges) == 0 {
+		sourceRanges = append(sourceRanges, "0.0.0.0/0")
+	}
+	for _, cidr := range sourceRanges {
+		peers = append(peers, elbv2model.NetworkingPeer{
+			IPBlock: &elbv2api.IPBlock{
+				CIDR: cidr,
+			},
+		})
+	}
+	return peers
+}
+
+func (t *defaultModelBuildTask) buildTargetGroupBindingNetworking(ctx context.Context, tgPort intstr.IntOrString, hcPort intstr.IntOrString,
+	tgProtocol corev1.Protocol, ec2Subnets []*ec2.Subnet) *elbv2model.TargetGroupBindingNetworking {
+	var fromVPC []elbv2model.NetworkingPeer
 	for _, subnet := range ec2Subnets {
-		from = append(from, elbv2model.NetworkingPeer{
+		fromVPC = append(fromVPC, elbv2model.NetworkingPeer{
 			IPBlock: &elbv2api.IPBlock{
 				CIDR: aws.StringValue(subnet.CidrBlock),
 			},
 		})
 	}
-	ports := []elbv2api.NetworkingPort{
+	networkingProtocol := elbv2api.NetworkingProtocolTCP
+	if tgProtocol == corev1.ProtocolUDP {
+		networkingProtocol = elbv2api.NetworkingProtocolUDP
+	}
+	trafficPorts := []elbv2api.NetworkingPort{
 		{
 			Port:     &tgPort,
 			Protocol: &networkingProtocol,
 		},
 	}
-	if hcPort.String() != healthCheckPortTrafficPort && hcPort.IntValue() != tgPort.IntValue() {
-		networkingProtocolTCP := elbv2api.NetworkingProtocolTCP
-		ports = append(ports, elbv2api.NetworkingPort{
-			Port:     &hcPort,
-			Protocol: &networkingProtocolTCP,
-		})
+	trafficSource := fromVPC
+	if networkingProtocol == elbv2api.NetworkingProtocolUDP {
+		trafficSource = t.buildPeersFromSourceRanges(ctx)
 	}
 	tgbNetworking := &elbv2model.TargetGroupBindingNetworking{
 		Ingress: []elbv2model.NetworkingIngressRule{
 			{
-				From:  from,
-				Ports: ports,
+				From:  trafficSource,
+				Ports: trafficPorts,
 			},
 		},
 	}
+	if tgProtocol == corev1.ProtocolUDP || (hcPort.String() != healthCheckPortTrafficPort && hcPort.IntValue() != tgPort.IntValue()) {
+		var healthCheckPorts []elbv2api.NetworkingPort
+		networkingProtocolTCP := elbv2api.NetworkingProtocolTCP
+		networkingHealthCheckPort := hcPort
+		if hcPort.String() == healthCheckPortTrafficPort {
+			networkingHealthCheckPort = tgPort
+		}
+		healthCheckPorts = append(healthCheckPorts, elbv2api.NetworkingPort{
+			Port:     &networkingHealthCheckPort,
+			Protocol: &networkingProtocolTCP,
+		})
+		tgbNetworking.Ingress = append(tgbNetworking.Ingress, elbv2model.NetworkingIngressRule{
+			From:  fromVPC,
+			Ports: healthCheckPorts,
+		})
+	}
 	return tgbNetworking
 }
 

pkg/service/nlb/builder_test.go

@@ -4,10 +4,12 @@ import (
 	"context"
 	"errors"
 	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	elbv2api "sigs.k8s.io/aws-load-balancer-controller/apis/elbv2/v1beta1"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/annotations"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/deploy"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
@@ -374,7 +376,23 @@ func Test_defaultModelBuilderTask_buildNLB(t *testing.T) {
                                  {
                                     "protocol":"TCP",
                                     "port":80
+                                 }
+                              ]
+                           },
+                           {
+                              "from":[
+                                 {
+                                    "ipBlock":{
+                                       "cidr":"172.20.32.0/19"
+                                    }
                                  },
+                                 {
+                                    "ipBlock":{
+                                       "cidr":"172.20.64.0/19"
+                                    }
+                                 }
+                              ],
+                              "ports":[
                                  {
                                     "protocol":"TCP",
                                     "port":8888
@@ -678,7 +696,28 @@ func Test_defaultModelBuilderTask_buildNLB(t *testing.T) {
                                  {
                                     "protocol":"TCP",
                                     "port":8883
+                                 }
+                              ]
+                           },
+                           {
+                              "from":[
+                                 {
+                                    "ipBlock":{
+                                       "cidr":"10.1.1.1/32"
+                                    }
                                  },
+                                 {
+                                    "ipBlock":{
+                                       "cidr":"10.1.1.2/32"
+                                    }
+                                 },
+                                 {
+                                    "ipBlock":{
+                                       "cidr":"10.1.1.3/32"
+                                    }
+                                 }
+                              ],
+                              "ports":[
                                  {
                                     "protocol":"TCP",
                                     "port":80
@@ -1118,3 +1157,226 @@ func Test_defaultModelBuilderTask_buildSubnetMappings(t *testing.T) {
 		})
 	}
 }
+
+func Test_defaultModelBuilderTask_buildTargetGroupBindingNetworking(t *testing.T) {
+	networkingProtocolTCP := elbv2api.NetworkingProtocolTCP
+	networkingProtocolUDP := elbv2api.NetworkingProtocolUDP
+	port80 := intstr.FromInt(80)
+	port808 := intstr.FromInt(808)
+	trafficPort := intstr.FromString("traffic-port")
+
+	tests := []struct {
+		name       string
+		svc        *corev1.Service
+		tgPort     intstr.IntOrString
+		hcPort     intstr.IntOrString
+		subnets    []*ec2.Subnet
+		tgProtocol corev1.Protocol
+		want       *elbv2.TargetGroupBindingNetworking
+	}{
+		{
+			name: "udp-service with source ranges",
+			svc: &corev1.Service{
+				Spec: corev1.ServiceSpec{
+					LoadBalancerSourceRanges: []string{"10.0.0.0/16", "1.2.3.4/24"},
+				},
+			},
+			tgPort: port80,
+			hcPort: trafficPort,
+			subnets: []*ec2.Subnet{{
+				CidrBlock: aws.String("172.16.0.0/19"),
+				SubnetId:  aws.String("az-1"),
+			}},
+			tgProtocol: corev1.ProtocolUDP,
+			want: &elbv2.TargetGroupBindingNetworking{
+				Ingress: []elbv2.NetworkingIngressRule{
+					{
+						From: []elbv2.NetworkingPeer{
+							{
+								IPBlock: &elbv2api.IPBlock{
+									CIDR: "10.0.0.0/16",
+								},
+							},
+							{
+								IPBlock: &elbv2api.IPBlock{
+									CIDR: "1.2.3.4/24",
+								},
+							},
+						},
+						Ports: []elbv2api.NetworkingPort{
+							{
+								Protocol: &networkingProtocolUDP,
+								Port:     &port80,
+							},
+						},
+					},
+					{
+						From: []elbv2.NetworkingPeer{
+							{
+								IPBlock: &elbv2api.IPBlock{
+									CIDR: "172.16.0.0/19",
+								},
+							},
+						},
+						Ports: []elbv2api.NetworkingPort{
+							{
+								Protocol: &networkingProtocolTCP,
+								Port:     &port80,
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "udp-service with source ranges annotation",
+			svc: &corev1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						"service.beta.kubernetes.io/load-balancer-source-ranges": "1.2.3.4/17, 5.6.7.8/18",
+					},
+				},
+			},
+			tgPort: port80,
+			hcPort: port808,
+			subnets: []*ec2.Subnet{{
+				CidrBlock: aws.String("172.16.0.0/19"),
+				SubnetId:  aws.String("az-1"),
+			}},
+			tgProtocol: corev1.ProtocolUDP,
+			want: &elbv2.TargetGroupBindingNetworking{
+				Ingress: []elbv2.NetworkingIngressRule{
+					{
+						From: []elbv2.NetworkingPeer{
+							{
+								IPBlock: &elbv2api.IPBlock{
+									CIDR: "1.2.3.4/17",
+								},
+							},
+							{
+								IPBlock: &elbv2api.IPBlock{
+									CIDR: "5.6.7.8/18",
+								},
+							},
+						},
+						Ports: []elbv2api.NetworkingPort{
+							{
+								Protocol: &networkingProtocolUDP,
+								Port:     &port80,
+							},
+						},
+					},
+					{
+						From: []elbv2.NetworkingPeer{
+							{
+								IPBlock: &elbv2api.IPBlock{
+									CIDR: "172.16.0.0/19",
+								},
+							},
+						},
+						Ports: []elbv2api.NetworkingPort{
+							{
+								Protocol: &networkingProtocolTCP,
+								Port:     &port808,
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:   "udp-service with no source ranges configuration",
+			svc:    &corev1.Service{},
+			tgPort: port80,
+			hcPort: port808,
+			subnets: []*ec2.Subnet{{
+				CidrBlock: aws.String("172.16.0.0/19"),
+				SubnetId:  aws.String("az-1"),
+			}},
+			tgProtocol: corev1.ProtocolUDP,
+			want: &elbv2.TargetGroupBindingNetworking{
+				Ingress: []elbv2.NetworkingIngressRule{
+					{
+						From: []elbv2.NetworkingPeer{
+							{
+								IPBlock: &elbv2api.IPBlock{
+									CIDR: "0.0.0.0/0",
+								},
+							},
+						},
+						Ports: []elbv2api.NetworkingPort{
+							{
+								Protocol: &networkingProtocolUDP,
+								Port:     &port80,
+							},
+						},
+					},
+					{
+						From: []elbv2.NetworkingPeer{
+							{
+								IPBlock: &elbv2api.IPBlock{
+									CIDR: "172.16.0.0/19",
+								},
+							},
+						},
+						Ports: []elbv2api.NetworkingPort{
+							{
+								Protocol: &networkingProtocolTCP,
+								Port:     &port808,
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:   "tcp-service with traffic-port hc",
+			svc:    &corev1.Service{},
+			tgPort: port80,
+			hcPort: trafficPort,
+			subnets: []*ec2.Subnet{
+				{
+					CidrBlock: aws.String("172.16.0.0/19"),
+					SubnetId:  aws.String("sn-1"),
+				},
+				{
+					CidrBlock: aws.String("1.2.3.4/19"),
+					SubnetId:  aws.String("sn-2"),
+				},
+			},
+			tgProtocol: corev1.ProtocolTCP,
+			want: &elbv2.TargetGroupBindingNetworking{
+				Ingress: []elbv2.NetworkingIngressRule{
+					{
+						From: []elbv2.NetworkingPeer{
+							{
+								IPBlock: &elbv2api.IPBlock{
+									CIDR: "172.16.0.0/19",
+								},
+							},
+							{
+								IPBlock: &elbv2api.IPBlock{
+									CIDR: "1.2.3.4/19",
+								},
+							},
+						},
+						Ports: []elbv2api.NetworkingPort{
+							{
+								Protocol: &networkingProtocolTCP,
+								Port:     &port80,
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			parser := annotations.NewSuffixAnnotationParser("service.beta.kubernetes.io")
+			builder := &defaultModelBuildTask{service: tt.svc, annotationParser: parser}
+			got := builder.buildTargetGroupBindingNetworking(context.Background(), tt.tgPort, tt.hcPort, tt.tgProtocol, tt.subnets)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}