disable restricted sg rules by default

kishorj · kishorj · commit 05ad73abef76 · 2021-10-25T10:20:33.000-07:00
diff --git a/helm/aws-load-balancer-controller/Chart.yaml b/helm/aws-load-balancer-controller/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: aws-load-balancer-controller
 description: AWS Load Balancer Controller Helm chart for Kubernetes
-version: 1.3.1
+version: 1.3.2
 appVersion: v2.3.0
 home: https://github.com/aws/eks-charts
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
diff --git a/helm/aws-load-balancer-controller/README.md b/helm/aws-load-balancer-controller/README.md
@@ -210,5 +210,6 @@ The default values set by the application itself can be confirmed [here](https:/
 | `updateStrategy`                            | Defines the update strategy for the deployment                                                           | `{}`                                                                               |
 | `enableCertManager`                         | If enabled, cert-manager issues the webhook certificates instead of the helm template                    | `false`                                                                            |
 | `enableEndpointSlices`                      | If enabled, controller uses k8s EndpointSlices instead of Endpoints for IP targets                       | `false`                                                                            |
-| `enableBackendSecurityGroup`                | If enabled, controller uses shared security group for backend traffic                                    | `true`                                                                            |
-| `backendSecurityGroup`                      | Backend security group to use instead of auto created one if the feature is enabled                      | ``                                                                            |
+| `enableBackendSecurityGroup`                | If enabled, controller uses shared security group for backend traffic                                    | `true`                                                                             |
+| `backendSecurityGroup`                      | Backend security group to use instead of auto created one if the feature is enabled                      | ``                                                                                 |
+| `disableRestrictedSecurityGroupRules`       | If disabled, controller will not specify port range restriction in the backend security group rules      | `true`                                                                             |
diff --git a/helm/aws-load-balancer-controller/templates/deployment.yaml b/helm/aws-load-balancer-controller/templates/deployment.yaml
@@ -128,6 +128,9 @@ spec:
         {{- if .Values.backendSecurityGroup }}
         - --backend-security-group={{ .Values.backendSecurityGroup }}
         {{- end }}
+        {{- if kindIs "bool" .Values.disableRestrictedSecurityGroupRules }}
+        - --disable-restricted-sg-rules={{ .Values.disableRestrictedSecurityGroupRules }}
+        {{- end }}
         {{- if .Values.env }}
         env:
         {{- range $key, $value := .Values.env }}
diff --git a/helm/aws-load-balancer-controller/values.yaml b/helm/aws-load-balancer-controller/values.yaml
@@ -221,4 +221,7 @@ enableEndpointSlices:
 enableBackendSecurityGroup:
 
 # backendSecurityGroup specifies backend security group id (default controller auto create backend security group)
-backendSecurityGroup:
+backendSecurityGroup:
+
+# disableRestrictedSecurityGroupRules specifies whether to disable creating port-range restricted security group rules for traffic
+disableRestrictedSecurityGroupRules: true
