filter redundant health check SG rules

Author: kishorj

pkg/service/model_build_target_group.go

@@ -5,20 +5,21 @@ import (
 	"crypto/sha256"
 	"encoding/hex"
 	"fmt"
+	"regexp"
+	"sort"
+	"strconv"
+	"strings"
+
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
-	"regexp"
 	elbv2api "sigs.k8s.io/aws-load-balancer-controller/apis/elbv2/v1beta1"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/annotations"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/k8s"
 	elbv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
-	"sort"
-	"strconv"
-	"strings"
 )
 
 const (
@@ -395,9 +396,10 @@ func (t *defaultModelBuildTask) buildTargetGroupBindingSpec(ctx context.Context,
 	}, nil
 }
 
-func (t *defaultModelBuildTask) buildPeersFromSourceRanges(_ context.Context, defaultSourceRanges []string) []elbv2model.NetworkingPeer {
+func (t *defaultModelBuildTask) buildPeersFromSourceRanges(_ context.Context, defaultSourceRanges []string) ([]elbv2model.NetworkingPeer, bool) {
 	var sourceRanges []string
 	var peers []elbv2model.NetworkingPeer
+	customSourceRangesConfigured := true
 	for _, cidr := range t.service.Spec.LoadBalancerSourceRanges {
 		sourceRanges = append(sourceRanges, cidr)
 	}
@@ -406,6 +408,7 @@ func (t *defaultModelBuildTask) buildPeersFromSourceRanges(_ context.Context, de
 	}
 	if len(sourceRanges) == 0 {
 		sourceRanges = defaultSourceRanges
+		customSourceRangesConfigured = false
 	}
 	for _, cidr := range sourceRanges {
 		peers = append(peers, elbv2model.NetworkingPeer{
@@ -414,7 +417,7 @@ func (t *defaultModelBuildTask) buildPeersFromSourceRanges(_ context.Context, de
 			},
 		})
 	}
-	return peers
+	return peers, customSourceRangesConfigured
 }
 
 func (t *defaultModelBuildTask) buildTargetGroupBindingNetworking(ctx context.Context, tgPort intstr.IntOrString, preserveClientIP bool,
@@ -438,8 +441,9 @@ func (t *defaultModelBuildTask) buildTargetGroupBindingNetworking(ctx context.Co
 		},
 	}
 	trafficSource := fromVPC
+	customSourceRangesConfigured := false
 	if networkingProtocol == elbv2api.NetworkingProtocolUDP || preserveClientIP {
-		trafficSource = t.buildPeersFromSourceRanges(ctx, defaultSourceRanges)
+		trafficSource, customSourceRangesConfigured = t.buildPeersFromSourceRanges(ctx, defaultSourceRanges)
 	}
 	tgbNetworking := &elbv2model.TargetGroupBindingNetworking{
 		Ingress: []elbv2model.NetworkingIngressRule{
@@ -449,21 +453,9 @@ func (t *defaultModelBuildTask) buildTargetGroupBindingNetworking(ctx context.Co
 			},
 		},
 	}
-	if preserveClientIP || tgProtocol == corev1.ProtocolUDP || (hcPort.String() != healthCheckPortTrafficPort && hcPort.IntValue() != tgPort.IntValue()) {
-		var healthCheckPorts []elbv2api.NetworkingPort
-		networkingProtocolTCP := elbv2api.NetworkingProtocolTCP
-		networkingHealthCheckPort := hcPort
-		if hcPort.String() == healthCheckPortTrafficPort {
-			networkingHealthCheckPort = tgPort
-		}
-		healthCheckPorts = append(healthCheckPorts, elbv2api.NetworkingPort{
-			Port:     &networkingHealthCheckPort,
-			Protocol: &networkingProtocolTCP,
-		})
-		tgbNetworking.Ingress = append(tgbNetworking.Ingress, elbv2model.NetworkingIngressRule{
-			From:  fromVPC,
-			Ports: healthCheckPorts,
-		})
+	if hcIngressRules := t.buildHealthCheckNetworkingIngressRules(trafficSource, fromVPC, tgPort, hcPort, tgProtocol,
+		preserveClientIP, customSourceRangesConfigured); len(hcIngressRules) > 0 {
+		tgbNetworking.Ingress = append(tgbNetworking.Ingress, hcIngressRules...)
 	}
 	return tgbNetworking
 }
@@ -483,3 +475,35 @@ func (t *defaultModelBuildTask) buildTargetGroupBindingNodeSelector(_ context.Co
 		MatchLabels: targetNodeLabels,
 	}, nil
 }
+
+func (t *defaultModelBuildTask) buildHealthCheckNetworkingIngressRules(trafficSource, hcSource []elbv2model.NetworkingPeer, tgPort, hcPort intstr.IntOrString,
+	tgProtocol corev1.Protocol, preserveClientIP, customSoureRanges bool) []elbv2model.NetworkingIngressRule {
+	if tgProtocol != corev1.ProtocolUDP &&
+		(hcPort.String() == healthCheckPortTrafficPort || hcPort.IntValue() == tgPort.IntValue()) {
+		if !preserveClientIP {
+			return []elbv2model.NetworkingIngressRule{}
+		}
+		if !customSoureRanges {
+			return []elbv2model.NetworkingIngressRule{}
+		}
+		for _, src := range trafficSource {
+			if src.IPBlock.CIDR == "0.0.0.0/0" {
+				return []elbv2model.NetworkingIngressRule{}
+			}
+		}
+	}
+	var healthCheckPorts []elbv2api.NetworkingPort
+	networkingProtocolTCP := elbv2api.NetworkingProtocolTCP
+	networkingHealthCheckPort := hcPort
+	if hcPort.String() == healthCheckPortTrafficPort {
+		networkingHealthCheckPort = tgPort
+	}
+	healthCheckPorts = append(healthCheckPorts, elbv2api.NetworkingPort{
+		Port:     &networkingHealthCheckPort,
+		Protocol: &networkingProtocolTCP,
+	})
+	return []elbv2model.NetworkingIngressRule{{
+		From:  hcSource,
+		Ports: healthCheckPorts,
+	}}
+}

pkg/service/model_build_target_group_test.go

@@ -624,26 +624,6 @@ func Test_defaultModelBuilderTask_buildTargetGroupBindingNetworking(t *testing.T
 							},
 						},
 					},
-					{
-						From: []elbv2.NetworkingPeer{
-							{
-								IPBlock: &elbv2api.IPBlock{
-									CIDR: "172.16.0.0/19",
-								},
-							},
-							{
-								IPBlock: &elbv2api.IPBlock{
-									CIDR: "1.2.3.4/19",
-								},
-							},
-						},
-						Ports: []elbv2api.NetworkingPort{
-							{
-								Protocol: &networkingProtocolTCP,
-								Port:     &port80,
-							},
-						},
-					},
 				},
 			},
 		},
@@ -837,6 +817,57 @@ func Test_defaultModelBuilderTask_buildTargetGroupBindingNetworking(t *testing.T
 				},
 			},
 		},
+		{
+			name: "tcp-service with preserve Client IP, hc is traffic port, source range specified and contains 0/0",
+			svc: &corev1.Service{
+				Spec: corev1.ServiceSpec{
+					LoadBalancerSourceRanges: []string{"10.0.0.0/16", "1.2.3.4/24", "0.0.0.0/0"},
+				},
+			},
+			tgPort: port80,
+			hcPort: port80,
+			subnets: []*ec2.Subnet{
+				{
+					CidrBlock: aws.String("172.16.0.0/19"),
+					SubnetId:  aws.String("sn-1"),
+				},
+				{
+					CidrBlock: aws.String("1.2.3.4/19"),
+					SubnetId:  aws.String("sn-2"),
+				},
+			},
+			tgProtocol:       corev1.ProtocolTCP,
+			preserveClientIP: true,
+			want: &elbv2.TargetGroupBindingNetworking{
+				Ingress: []elbv2.NetworkingIngressRule{
+					{
+						From: []elbv2.NetworkingPeer{
+							{
+								IPBlock: &elbv2api.IPBlock{
+									CIDR: "10.0.0.0/16",
+								},
+							},
+							{
+								IPBlock: &elbv2api.IPBlock{
+									CIDR: "1.2.3.4/24",
+								},
+							},
+							{
+								IPBlock: &elbv2api.IPBlock{
+									CIDR: "0.0.0.0/0",
+								},
+							},
+						},
+						Ports: []elbv2api.NetworkingPort{
+							{
+								Protocol: &networkingProtocolTCP,
+								Port:     &port80,
+							},
+						},
+					},
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

pkg/service/model_builder_test.go

@@ -1265,31 +1265,6 @@ func Test_defaultModelBuilderTask_Build(t *testing.T) {
                                   "port":31223
                                }
                             ]
-                         },
-                         {
-                            "from":[
-                               {
-                                  "ipBlock":{
-                                     "cidr":"192.168.0.0/19"
-                                  }
-                               },
-                               {
-                                  "ipBlock":{
-                                     "cidr":"192.168.32.0/19"
-                                  }
-                               },
-                               {
-                                  "ipBlock":{
-                                     "cidr":"192.168.64.0/19"
-                                  }
-                               }
-                            ],
-                            "ports":[
-                               {
-                                  "protocol":"TCP",
-                                  "port":31223
-                               }
-                            ]
                          }
                       ]
                    }
@@ -1330,31 +1305,6 @@ func Test_defaultModelBuilderTask_Build(t *testing.T) {
                                   "port":32323
                                }
                             ]
-                         },
-                         {
-                            "from":[
-                               {
-                                  "ipBlock":{
-                                     "cidr":"192.168.0.0/19"
-                                  }
-                               },
-                               {
-                                  "ipBlock":{
-                                     "cidr":"192.168.32.0/19"
-                                  }
-                               },
-                               {
-                                  "ipBlock":{
-                                     "cidr":"192.168.64.0/19"
-                                  }
-                               }
-                            ],
-                            "ports":[
-                               {
-                                  "protocol":"TCP",
-                                  "port":32323
-                               }
-                            ]
                          }
                       ]
                    }
@@ -1974,21 +1924,6 @@ func Test_defaultModelBuilderTask_Build(t *testing.T) {
                         "port": 80
                       }
                     ]
-                  },
-                  {
-                    "from": [
-                      {
-                        "ipBlock": {
-                          "cidr": "192.168.0.0/19"
-                        }
-                      }
-                    ],
-                    "ports": [
-                      {
-                        "protocol": "TCP",
-                        "port": 80
-                      }
-                    ]
                   }
                 ]
               },