kubernetes-sigs
diff --git a/‎controllers/ingress/group_controller.go
Lines changed: 1 addition & 1 deletion b/‎controllers/ingress/group_controller.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎main.go
Lines changed: 1 addition & 1 deletion b/‎main.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎pkg/config/controller_config.go
Lines changed: 8 additions & 0 deletions b/‎pkg/config/controller_config.go
Lines changed: 8 additions & 0 deletions
diff --git a/‎pkg/ingress/model_build_target_group.go
Lines changed: 44 additions & 14 deletions b/‎pkg/ingress/model_build_target_group.go
Lines changed: 44 additions & 14 deletions
diff --git a/‎pkg/ingress/model_builder.go
Lines changed: 58 additions & 54 deletions b/‎pkg/ingress/model_builder.go
Lines changed: 58 additions & 54 deletions
@@ -57,7 +57,7 @@ func NewGroupReconciler(cloud aws.Cloud, k8sClient client.Client, eventRecorder
 		annotationParser, subnetsResolver,
 		authConfigBuilder, enhancedBackendBuilder, trackingProvider, elbv2TaggingManager,
 		cloud.VpcID(), config.ClusterName, config.DefaultTags, config.ExternalManagedTags,
-		config.DefaultSSLPolicy, backendSGProvider, config.EnableBackendSecurityGroup, logger)
+		config.DefaultSSLPolicy, backendSGProvider, config.EnableBackendSecurityGroup, config.DisableRestrictedSGRules, logger)
 	stackMarshaller := deploy.NewDefaultStackMarshaller()
 	stackDeployer := deploy.NewDefaultStackDeployer(cloud, k8sClient, networkingSGManager, networkingSGReconciler,
 		config, ingressTagPrefix, logger)
 
@@ -107,7 +107,7 @@ func main() {
 	subnetResolver := networking.NewDefaultSubnetsResolver(azInfoProvider, cloud.EC2(), cloud.VpcID(), controllerCFG.ClusterName, ctrl.Log.WithName("subnets-resolver"))
 	vpcResolver := networking.NewDefaultVPCResolver(cloud.EC2(), cloud.VpcID(), ctrl.Log.WithName("vpc-resolver"))
 	tgbResManager := targetgroupbinding.NewDefaultResourceManager(mgr.GetClient(), cloud.ELBV2(), cloud.EC2(),
-		podInfoRepo, sgManager, sgReconciler, cloud.VpcID(), controllerCFG.ClusterName, mgr.GetEventRecorderFor("targetGroupBinding"), ctrl.Log, controllerCFG.EnableEndpointSlices)
+		podInfoRepo, sgManager, sgReconciler, cloud.VpcID(), controllerCFG.ClusterName, mgr.GetEventRecorderFor("targetGroupBinding"), ctrl.Log, controllerCFG.EnableEndpointSlices, controllerCFG.DisableRestrictedSGRules)
 	backendSGProvider := networking.NewBackendSGProvider(controllerCFG.ClusterName, controllerCFG.BackendSecurityGroup,
 		cloud.VpcID(), cloud.EC2(), mgr.GetClient(), ctrl.Log.WithName("backend-sg-provider"))
 	ingGroupReconciler := ingress.NewGroupReconciler(cloud, mgr.GetClient(), mgr.GetEventRecorderFor("ingress"),
 
@@ -23,12 +23,14 @@ const (
 	flagEnableBackendSG                              = "enable-backend-security-group"
 	flagBackendSecurityGroup                         = "backend-security-group"
 	flagEnableEndpointSlices                         = "enable-endpoint-slices"
+	flagDisableRestrictedSGRules                     = "disable-restricted-sg-rules"
 	defaultLogLevel                                  = "info"
 	defaultMaxConcurrentReconciles                   = 3
 	defaultMaxExponentialBackoffDelay                = time.Second * 1000
 	defaultSSLPolicy                                 = "ELBSecurityPolicy-2016-08"
 	defaultEnableBackendSG                           = true
 	defaultEnableEndpointSlices                      = false
+	defaultDisableRestrictedSGRules                  = false
 )
 
 var (
@@ -84,6 +86,9 @@ type ControllerConfig struct {
 	// BackendSecurityGroups specifies the configured backend security group to use
 	// for optimized security group rules
 	BackendSecurityGroup string
+
+	// DisableRestrictedSGRules specifies whether to use restricted security group rules
+	DisableRestrictedSGRules bool
 }
 
 // BindFlags binds the command line flags to the fields in the config object
@@ -109,6 +114,9 @@ func (cfg *ControllerConfig) BindFlags(fs *pflag.FlagSet) {
 		"Backend security group id to use for the ingress rules on the worker node SG")
 	fs.BoolVar(&cfg.EnableEndpointSlices, flagEnableEndpointSlices, defaultEnableEndpointSlices,
 		"Enable EndpointSlices for IP targets instead of Endpoints")
+	fs.BoolVar(&cfg.DisableRestrictedSGRules, flagDisableRestrictedSGRules, defaultDisableRestrictedSGRules,
+		"Disable the usage of restricted security group rules")
+
 	cfg.AWSConfig.BindFlags(fs)
 	cfg.RuntimeConfig.BindFlags(fs)
 
 
@@ -53,7 +53,7 @@ func (t *defaultModelBuildTask) buildTargetGroupBinding(ctx context.Context, tg
 
 func (t *defaultModelBuildTask) buildTargetGroupBindingSpec(ctx context.Context, tg *elbv2model.TargetGroup, svc *corev1.Service, port intstr.IntOrString, nodeSelector *metav1.LabelSelector) elbv2model.TargetGroupBindingResourceSpec {
 	targetType := elbv2api.TargetType(tg.Spec.TargetType)
-	tgbNetworking := t.buildTargetGroupBindingNetworking(ctx)
+	tgbNetworking := t.buildTargetGroupBindingNetworking(ctx, tg.Spec.Port, *tg.Spec.HealthCheckConfig.Port)
 	return elbv2model.TargetGroupBindingResourceSpec{
 		Template: elbv2model.TargetGroupBindingTemplate{
 			ObjectMeta: metav1.ObjectMeta{
@@ -74,29 +74,59 @@ func (t *defaultModelBuildTask) buildTargetGroupBindingSpec(ctx context.Context,
 	}
 }
 
-func (t *defaultModelBuildTask) buildTargetGroupBindingNetworking(ctx context.Context) *elbv2model.TargetGroupBindingNetworking {
+func (t *defaultModelBuildTask) buildTargetGroupBindingNetworking(ctx context.Context, targetGroupPort int64, healthCheckPort intstr.IntOrString) *elbv2model.TargetGroupBindingNetworking {
 	if t.backendSGIDToken == nil {
 		return nil
 	}
 	protocolTCP := elbv2api.NetworkingProtocolTCP
-	return &elbv2model.TargetGroupBindingNetworking{
-		Ingress: []elbv2model.NetworkingIngressRule{
-			{
-				From: []elbv2model.NetworkingPeer{
-					{
-						SecurityGroup: &elbv2model.SecurityGroup{
-							GroupID: t.backendSGIDToken,
+	if t.disableRestrictedSGRules {
+		return &elbv2model.TargetGroupBindingNetworking{
+			Ingress: []elbv2model.NetworkingIngressRule{
+				{
+					From: []elbv2model.NetworkingPeer{
+						{
+							SecurityGroup: &elbv2model.SecurityGroup{
+								GroupID: t.backendSGIDToken,
+							},
+						},
+					},
+					Ports: []elbv2api.NetworkingPort{
+						{
+							Protocol: &protocolTCP,
+							Port:     nil,
 						},
 					},
 				},
-				Ports: []elbv2api.NetworkingPort{
-					{
-						Protocol: &protocolTCP,
-						Port:     nil,
+			},
+		}
+	}
+	var networkingPorts []elbv2api.NetworkingPort
+	var networkingRules []elbv2model.NetworkingIngressRule
+	tgPort := intstr.FromInt(int(targetGroupPort))
+	networkingPorts = append(networkingPorts, elbv2api.NetworkingPort{
+		Protocol: &protocolTCP,
+		Port:     &tgPort,
+	})
+	if healthCheckPort.String() != healthCheckPortTrafficPort {
+		networkingPorts = append(networkingPorts, elbv2api.NetworkingPort{
+			Protocol: &protocolTCP,
+			Port:     &healthCheckPort,
+		})
+	}
+	for _, port := range networkingPorts {
+		networkingRules = append(networkingRules, elbv2model.NetworkingIngressRule{
+			From: []elbv2model.NetworkingPeer{
+				{
+					SecurityGroup: &elbv2model.SecurityGroup{
+						GroupID: t.backendSGIDToken,
 					},
 				},
 			},
-		},
+			Ports: []elbv2api.NetworkingPort{port},
+		})
+	}
+	return &elbv2model.TargetGroupBindingNetworking{
+		Ingress: networkingRules,
 	}
 }
 
 
@@ -40,29 +40,30 @@ func NewDefaultModelBuilder(k8sClient client.Client, eventRecorder record.EventR
 	authConfigBuilder AuthConfigBuilder, enhancedBackendBuilder EnhancedBackendBuilder,
 	trackingProvider tracking.Provider, elbv2TaggingManager elbv2deploy.TaggingManager,
 	vpcID string, clusterName string, defaultTags map[string]string, externalManagedTags []string, defaultSSLPolicy string,
-	backendSGProvider networkingpkg.BackendSGProvider, enableBackendSG bool, logger logr.Logger) *defaultModelBuilder {
+	backendSGProvider networkingpkg.BackendSGProvider, enableBackendSG bool, disableRestrictedSGRules bool, logger logr.Logger) *defaultModelBuilder {
 	certDiscovery := NewACMCertDiscovery(acmClient, logger)
 	ruleOptimizer := NewDefaultRuleOptimizer(logger)
 	return &defaultModelBuilder{
-		k8sClient:              k8sClient,
-		eventRecorder:          eventRecorder,
-		ec2Client:              ec2Client,
-		vpcID:                  vpcID,
-		clusterName:            clusterName,
-		annotationParser:       annotationParser,
-		subnetsResolver:        subnetsResolver,
-		backendSGProvider:      backendSGProvider,
-		certDiscovery:          certDiscovery,
-		authConfigBuilder:      authConfigBuilder,
-		enhancedBackendBuilder: enhancedBackendBuilder,
-		ruleOptimizer:          ruleOptimizer,
-		trackingProvider:       trackingProvider,
-		elbv2TaggingManager:    elbv2TaggingManager,
-		defaultTags:            defaultTags,
-		externalManagedTags:    sets.NewString(externalManagedTags...),
-		defaultSSLPolicy:       defaultSSLPolicy,
-		enableBackendSG:        enableBackendSG,
-		logger:                 logger,
+		k8sClient:                k8sClient,
+		eventRecorder:            eventRecorder,
+		ec2Client:                ec2Client,
+		vpcID:                    vpcID,
+		clusterName:              clusterName,
+		annotationParser:         annotationParser,
+		subnetsResolver:          subnetsResolver,
+		backendSGProvider:        backendSGProvider,
+		certDiscovery:            certDiscovery,
+		authConfigBuilder:        authConfigBuilder,
+		enhancedBackendBuilder:   enhancedBackendBuilder,
+		ruleOptimizer:            ruleOptimizer,
+		trackingProvider:         trackingProvider,
+		elbv2TaggingManager:      elbv2TaggingManager,
+		defaultTags:              defaultTags,
+		externalManagedTags:      sets.NewString(externalManagedTags...),
+		defaultSSLPolicy:         defaultSSLPolicy,
+		enableBackendSG:          enableBackendSG,
+		disableRestrictedSGRules: disableRestrictedSGRules,
+		logger:                   logger,
 	}
 }
 
@@ -77,19 +78,20 @@ type defaultModelBuilder struct {
 	vpcID       string
 	clusterName string
 
-	annotationParser       annotations.Parser
-	subnetsResolver        networkingpkg.SubnetsResolver
-	backendSGProvider      networkingpkg.BackendSGProvider
-	certDiscovery          CertDiscovery
-	authConfigBuilder      AuthConfigBuilder
-	enhancedBackendBuilder EnhancedBackendBuilder
-	ruleOptimizer          RuleOptimizer
-	trackingProvider       tracking.Provider
-	elbv2TaggingManager    elbv2deploy.TaggingManager
-	defaultTags            map[string]string
-	externalManagedTags    sets.String
-	defaultSSLPolicy       string
-	enableBackendSG        bool
+	annotationParser         annotations.Parser
+	subnetsResolver          networkingpkg.SubnetsResolver
+	backendSGProvider        networkingpkg.BackendSGProvider
+	certDiscovery            CertDiscovery
+	authConfigBuilder        AuthConfigBuilder
+	enhancedBackendBuilder   EnhancedBackendBuilder
+	ruleOptimizer            RuleOptimizer
+	trackingProvider         tracking.Provider
+	elbv2TaggingManager      elbv2deploy.TaggingManager
+	defaultTags              map[string]string
+	externalManagedTags      sets.String
+	defaultSSLPolicy         string
+	enableBackendSG          bool
+	disableRestrictedSGRules bool
 
 	logger logr.Logger
 }
@@ -98,22 +100,23 @@ type defaultModelBuilder struct {
 func (b *defaultModelBuilder) Build(ctx context.Context, ingGroup Group) (core.Stack, *elbv2model.LoadBalancer, error) {
 	stack := core.NewDefaultStack(core.StackID(ingGroup.ID))
 	task := &defaultModelBuildTask{
-		k8sClient:              b.k8sClient,
-		eventRecorder:          b.eventRecorder,
-		ec2Client:              b.ec2Client,
-		vpcID:                  b.vpcID,
-		clusterName:            b.clusterName,
-		annotationParser:       b.annotationParser,
-		subnetsResolver:        b.subnetsResolver,
-		certDiscovery:          b.certDiscovery,
-		authConfigBuilder:      b.authConfigBuilder,
-		enhancedBackendBuilder: b.enhancedBackendBuilder,
-		ruleOptimizer:          b.ruleOptimizer,
-		trackingProvider:       b.trackingProvider,
-		elbv2TaggingManager:    b.elbv2TaggingManager,
-		backendSGProvider:      b.backendSGProvider,
-		logger:                 b.logger,
-		enableBackendSG:        b.enableBackendSG,
+		k8sClient:                b.k8sClient,
+		eventRecorder:            b.eventRecorder,
+		ec2Client:                b.ec2Client,
+		vpcID:                    b.vpcID,
+		clusterName:              b.clusterName,
+		annotationParser:         b.annotationParser,
+		subnetsResolver:          b.subnetsResolver,
+		certDiscovery:            b.certDiscovery,
+		authConfigBuilder:        b.authConfigBuilder,
+		enhancedBackendBuilder:   b.enhancedBackendBuilder,
+		ruleOptimizer:            b.ruleOptimizer,
+		trackingProvider:         b.trackingProvider,
+		elbv2TaggingManager:      b.elbv2TaggingManager,
+		backendSGProvider:        b.backendSGProvider,
+		logger:                   b.logger,
+		enableBackendSG:          b.enableBackendSG,
+		disableRestrictedSGRules: b.disableRestrictedSGRules,
 
 		ingGroup: ingGroup,
 		stack:    stack,
@@ -163,11 +166,12 @@ type defaultModelBuildTask struct {
 	elbv2TaggingManager    elbv2deploy.TaggingManager
 	logger                 logr.Logger
 
-	ingGroup          Group
-	sslRedirectConfig *SSLRedirectConfig
-	stack             core.Stack
-	backendSGIDToken  core.StringToken
-	enableBackendSG   bool
+	ingGroup                 Group
+	sslRedirectConfig        *SSLRedirectConfig
+	stack                    core.Stack
+	backendSGIDToken         core.StringToken
+	enableBackendSG          bool
+	disableRestrictedSGRules bool
 
 	defaultTags                               map[string]string
 	externalManagedTags                       sets.String