Add support for optionally enforcing NLB security groups on PrivateLink

Author: wweiwei-li

controllers/service/service_controller.go

@@ -47,7 +47,7 @@ func NewServiceReconciler(cloud aws.Cloud, k8sClient client.Client, eventRecorde
 	modelBuilder := service.NewDefaultModelBuilder(annotationParser, subnetsResolver, vpcInfoProvider, cloud.VpcID(), trackingProvider,
 		elbv2TaggingManager, cloud.EC2(), controllerConfig.FeatureGates, controllerConfig.ClusterName, controllerConfig.DefaultTags, controllerConfig.ExternalManagedTags,
 		controllerConfig.DefaultSSLPolicy, controllerConfig.DefaultTargetType, controllerConfig.FeatureGates.Enabled(config.EnableIPTargetType), serviceUtils,
-		backendSGProvider, sgResolver, controllerConfig.EnableBackendSecurityGroup, controllerConfig.DisableRestrictedSGRules)
+		backendSGProvider, sgResolver, controllerConfig.EnableBackendSecurityGroup, controllerConfig.DisableRestrictedSGRules, logger)
 	stackMarshaller := deploy.NewDefaultStackMarshaller()
 	stackDeployer := deploy.NewDefaultStackDeployer(cloud, k8sClient, networkingSGManager, networkingSGReconciler, elbv2TaggingManager, controllerConfig, serviceTagPrefix, logger)
 	return &serviceReconciler{

docs/guide/service/annotations.md

@@ -50,6 +50,7 @@
 | [service.beta.kubernetes.io/aws-load-balancer-attributes](#load-balancer-attributes)             | stringMap               |                           |                                                        |
 | [service.beta.kubernetes.io/aws-load-balancer-security-groups](#security-groups)                 | stringList              |                           |                                                        | 
 | [service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules](#manage-backend-sg-rules)  | boolean    | true                      |                                                        |
+| [service.beta.kubernetes.io/aws-load-balancer-inbound-sg-rules-on-private-link-traffic](#update-security-settings)         | string                  |                           |                                                                                   
 
 ## Traffic Routing
 Traffic Routing can be controlled with following annotations:
@@ -488,6 +489,14 @@ Load balancer access can be controlled via following annotations:
         service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules: "false"
         ```
 
+- <a name="update-security-settings">`service.beta.kubernetes.io/aws-load-balancer-inbound-sg-rules-on-private-link-traffic`</a> specifies whether to apply security group rules to traffic sent to the load balancer through AWS PrivateLink. 
+
+    !!!example
+        ```
+        service.beta.kubernetes.io/aws-load-balancer-inbound-sg-rules-on-private-link-traffic: "off"
+        ```
+
+
 ## Legacy Cloud Provider
 The AWS Load Balancer Controller manages Kubernetes Services in a compatible way with the AWS cloud provider's legacy service controller.
 

pkg/annotations/constants.go

@@ -50,39 +50,40 @@ const (
 
 	// NLB annotation suffixes
 	// prefixes service.beta.kubernetes.io, service.kubernetes.io
-	SvcLBSuffixSourceRanges                  = "load-balancer-source-ranges"
-	SvcLBSuffixLoadBalancerType              = "aws-load-balancer-type"
-	SvcLBSuffixTargetType                    = "aws-load-balancer-nlb-target-type"
-	SvcLBSuffixLoadBalancerName              = "aws-load-balancer-name"
-	SvcLBSuffixScheme                        = "aws-load-balancer-scheme"
-	SvcLBSuffixInternal                      = "aws-load-balancer-internal"
-	SvcLBSuffixProxyProtocol                 = "aws-load-balancer-proxy-protocol"
-	SvcLBSuffixIPAddressType                 = "aws-load-balancer-ip-address-type"
-	SvcLBSuffixAccessLogEnabled              = "aws-load-balancer-access-log-enabled"
-	SvcLBSuffixAccessLogS3BucketName         = "aws-load-balancer-access-log-s3-bucket-name"
-	SvcLBSuffixAccessLogS3BucketPrefix       = "aws-load-balancer-access-log-s3-bucket-prefix"
-	SvcLBSuffixCrossZoneLoadBalancingEnabled = "aws-load-balancer-cross-zone-load-balancing-enabled"
-	SvcLBSuffixSSLCertificate                = "aws-load-balancer-ssl-cert"
-	SvcLBSuffixSSLPorts                      = "aws-load-balancer-ssl-ports"
-	SvcLBSuffixSSLNegotiationPolicy          = "aws-load-balancer-ssl-negotiation-policy"
-	SvcLBSuffixBEProtocol                    = "aws-load-balancer-backend-protocol"
-	SvcLBSuffixAdditionalTags                = "aws-load-balancer-additional-resource-tags"
-	SvcLBSuffixHCHealthyThreshold            = "aws-load-balancer-healthcheck-healthy-threshold"
-	SvcLBSuffixHCUnhealthyThreshold          = "aws-load-balancer-healthcheck-unhealthy-threshold"
-	SvcLBSuffixHCTimeout                     = "aws-load-balancer-healthcheck-timeout"
-	SvcLBSuffixHCInterval                    = "aws-load-balancer-healthcheck-interval"
-	SvcLBSuffixHCProtocol                    = "aws-load-balancer-healthcheck-protocol"
-	SvcLBSuffixHCPort                        = "aws-load-balancer-healthcheck-port"
-	SvcLBSuffixHCPath                        = "aws-load-balancer-healthcheck-path"
-	SvcLBSuffixHCSuccessCodes                = "aws-load-balancer-healthcheck-success-codes"
-	SvcLBSuffixTargetGroupAttributes         = "aws-load-balancer-target-group-attributes"
-	SvcLBSuffixSubnets                       = "aws-load-balancer-subnets"
-	SvcLBSuffixEIPAllocations                = "aws-load-balancer-eip-allocations"
-	SvcLBSuffixPrivateIpv4Addresses          = "aws-load-balancer-private-ipv4-addresses"
-	SvcLBSuffixIpv6Addresses                 = "aws-load-balancer-ipv6-addresses"
-	SvcLBSuffixALPNPolicy                    = "aws-load-balancer-alpn-policy"
-	SvcLBSuffixTargetNodeLabels              = "aws-load-balancer-target-node-labels"
-	SvcLBSuffixLoadBalancerAttributes        = "aws-load-balancer-attributes"
-	SvcLBSuffixLoadBalancerSecurityGroups    = "aws-load-balancer-security-groups"
-	SvcLBSuffixManageSGRules                 = "aws-load-balancer-manage-backend-security-group-rules"
+	SvcLBSuffixSourceRanges                              = "load-balancer-source-ranges"
+	SvcLBSuffixLoadBalancerType                          = "aws-load-balancer-type"
+	SvcLBSuffixTargetType                                = "aws-load-balancer-nlb-target-type"
+	SvcLBSuffixLoadBalancerName                          = "aws-load-balancer-name"
+	SvcLBSuffixScheme                                    = "aws-load-balancer-scheme"
+	SvcLBSuffixInternal                                  = "aws-load-balancer-internal"
+	SvcLBSuffixProxyProtocol                             = "aws-load-balancer-proxy-protocol"
+	SvcLBSuffixIPAddressType                             = "aws-load-balancer-ip-address-type"
+	SvcLBSuffixAccessLogEnabled                          = "aws-load-balancer-access-log-enabled"
+	SvcLBSuffixAccessLogS3BucketName                     = "aws-load-balancer-access-log-s3-bucket-name"
+	SvcLBSuffixAccessLogS3BucketPrefix                   = "aws-load-balancer-access-log-s3-bucket-prefix"
+	SvcLBSuffixCrossZoneLoadBalancingEnabled             = "aws-load-balancer-cross-zone-load-balancing-enabled"
+	SvcLBSuffixSSLCertificate                            = "aws-load-balancer-ssl-cert"
+	SvcLBSuffixSSLPorts                                  = "aws-load-balancer-ssl-ports"
+	SvcLBSuffixSSLNegotiationPolicy                      = "aws-load-balancer-ssl-negotiation-policy"
+	SvcLBSuffixBEProtocol                                = "aws-load-balancer-backend-protocol"
+	SvcLBSuffixAdditionalTags                            = "aws-load-balancer-additional-resource-tags"
+	SvcLBSuffixHCHealthyThreshold                        = "aws-load-balancer-healthcheck-healthy-threshold"
+	SvcLBSuffixHCUnhealthyThreshold                      = "aws-load-balancer-healthcheck-unhealthy-threshold"
+	SvcLBSuffixHCTimeout                                 = "aws-load-balancer-healthcheck-timeout"
+	SvcLBSuffixHCInterval                                = "aws-load-balancer-healthcheck-interval"
+	SvcLBSuffixHCProtocol                                = "aws-load-balancer-healthcheck-protocol"
+	SvcLBSuffixHCPort                                    = "aws-load-balancer-healthcheck-port"
+	SvcLBSuffixHCPath                                    = "aws-load-balancer-healthcheck-path"
+	SvcLBSuffixHCSuccessCodes                            = "aws-load-balancer-healthcheck-success-codes"
+	SvcLBSuffixTargetGroupAttributes                     = "aws-load-balancer-target-group-attributes"
+	SvcLBSuffixSubnets                                   = "aws-load-balancer-subnets"
+	SvcLBSuffixEIPAllocations                            = "aws-load-balancer-eip-allocations"
+	SvcLBSuffixPrivateIpv4Addresses                      = "aws-load-balancer-private-ipv4-addresses"
+	SvcLBSuffixIpv6Addresses                             = "aws-load-balancer-ipv6-addresses"
+	SvcLBSuffixALPNPolicy                                = "aws-load-balancer-alpn-policy"
+	SvcLBSuffixTargetNodeLabels                          = "aws-load-balancer-target-node-labels"
+	SvcLBSuffixLoadBalancerAttributes                    = "aws-load-balancer-attributes"
+	SvcLBSuffixLoadBalancerSecurityGroups                = "aws-load-balancer-security-groups"
+	SvcLBSuffixManageSGRules                             = "aws-load-balancer-manage-backend-security-group-rules"
+	SvcLBSuffixEnforceSGInboundRulesOnPrivateLinkTraffic = "aws-load-balancer-inbound-sg-rules-on-private-link-traffic"
 )

pkg/deploy/elbv2/load_balancer_manager.go

@@ -3,6 +3,7 @@ package elbv2
 import (
 	"context"
 	"fmt"
+
 	awssdk "github.com/aws/aws-sdk-go/aws"
 	elbv2sdk "github.com/aws/aws-sdk-go/service/elbv2"
 	"github.com/go-logr/logr"
@@ -75,6 +76,12 @@ func (m *defaultLoadBalancerManager) Create(ctx context.Context, resLB *elbv2mod
 		return elbv2model.LoadBalancerStatus{}, err
 	}
 
+	if resLB.Spec.Type == elbv2model.LoadBalancerTypeNetwork && resLB.Spec.SecurityGroupsInboundRulesOnPrivateLink != nil {
+		if err := m.updateSDKLoadBalancerWithSecurityGroups(ctx, resLB, sdkLB); err != nil {
+			return elbv2model.LoadBalancerStatus{}, err
+		}
+	}
+
 	return buildResLoadBalancerStatus(sdkLB), nil
 }
 
@@ -186,20 +193,41 @@ func (m *defaultLoadBalancerManager) updateSDKLoadBalancerWithSecurityGroups(ctx
 	}
 	desiredSecurityGroups := sets.NewString(awssdk.StringValueSlice(securityGroups)...)
 	currentSecurityGroups := sets.NewString(awssdk.StringValueSlice(sdkLB.LoadBalancer.SecurityGroups)...)
-	if desiredSecurityGroups.Equal(currentSecurityGroups) {
+
+	isEnforceSGInboundRulesOnPrivateLinkUpdated, currentEnforceSecurityGroupInboundRulesOnPrivateLinkTraffic, desiredEnforceSecurityGroupInboundRulesOnPrivateLinkTraffic := isEnforceSGInboundRulesOnPrivateLinkUpdated(resLB, sdkLB)
+	if desiredSecurityGroups.Equal(currentSecurityGroups) && !isEnforceSGInboundRulesOnPrivateLinkUpdated {
 		return nil
 	}
 
+	if !desiredSecurityGroups.Equal(currentSecurityGroups) {
+		changeSecurityGroupsDesc := fmt.Sprintf("%v => %v", currentSecurityGroups.List(), desiredSecurityGroups.List())
+		m.logger.Info("modifying loadBalancer security groups",
+			"stackID", resLB.Stack().StackID(),
+			"resourceID", resLB.ID(),
+			"arn", awssdk.StringValue(sdkLB.LoadBalancer.LoadBalancerArn),
+			"changeSecurityGroups", changeSecurityGroupsDesc)
+	}
+
 	req := &elbv2sdk.SetSecurityGroupsInput{
 		LoadBalancerArn: sdkLB.LoadBalancer.LoadBalancerArn,
 		SecurityGroups:  securityGroups,
 	}
-	changeDesc := fmt.Sprintf("%v => %v", currentSecurityGroups.List(), desiredSecurityGroups.List())
-	m.logger.Info("modifying loadBalancer securityGroups",
-		"stackID", resLB.Stack().StackID(),
-		"resourceID", resLB.ID(),
-		"arn", awssdk.StringValue(sdkLB.LoadBalancer.LoadBalancerArn),
-		"change", changeDesc)
+
+	if isEnforceSGInboundRulesOnPrivateLinkUpdated {
+		changeEnforceSecurityGroupInboundRulesOnPrivateLinkTrafficDesc := fmt.Sprintf("%v => %v", currentEnforceSecurityGroupInboundRulesOnPrivateLinkTraffic, desiredEnforceSecurityGroupInboundRulesOnPrivateLinkTraffic)
+		m.logger.Info("modifying loadBalancer enforce security group inbound rules on privateLink traffic",
+			"stackID", resLB.Stack().StackID(),
+			"resourceID", resLB.ID(),
+			"arn", awssdk.StringValue(sdkLB.LoadBalancer.LoadBalancerArn),
+			"changeEnforceSecurityGroupInboundRulesOnPrivateLinkTraffic", changeEnforceSecurityGroupInboundRulesOnPrivateLinkTrafficDesc)
+
+		req = &elbv2sdk.SetSecurityGroupsInput{
+			LoadBalancerArn: sdkLB.LoadBalancer.LoadBalancerArn,
+			SecurityGroups:  securityGroups,
+			EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic: awssdk.String(desiredEnforceSecurityGroupInboundRulesOnPrivateLinkTraffic),
+		}
+	}
+
 	if _, err := m.elbv2Client.SetSecurityGroupsWithContext(ctx, req); err != nil {
 		return err
 	}
@@ -298,3 +326,25 @@ func buildResLoadBalancerStatus(sdkLB LoadBalancerWithTags) elbv2model.LoadBalan
 		DNSName:         awssdk.StringValue(sdkLB.LoadBalancer.DNSName),
 	}
 }
+
+func isEnforceSGInboundRulesOnPrivateLinkUpdated(resLB *elbv2model.LoadBalancer, sdkLB LoadBalancerWithTags) (bool, string, string) {
+
+	if resLB.Spec.Type != elbv2model.LoadBalancerTypeNetwork || resLB.Spec.SecurityGroupsInboundRulesOnPrivateLink == nil {
+		return false, "", ""
+	}
+
+	desiredEnforceSecurityGroupInboundRulesOnPrivateLinkTraffic := string(*resLB.Spec.SecurityGroupsInboundRulesOnPrivateLink)
+
+	var currentEnforceSecurityGroupInboundRulesOnPrivateLinkTraffic string
+
+	if sdkLB.LoadBalancer.EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic != nil {
+		currentEnforceSecurityGroupInboundRulesOnPrivateLinkTraffic = awssdk.StringValue(sdkLB.LoadBalancer.EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic)
+	}
+
+	if desiredEnforceSecurityGroupInboundRulesOnPrivateLinkTraffic == currentEnforceSecurityGroupInboundRulesOnPrivateLinkTraffic {
+		return false, "", ""
+	}
+
+	return true, currentEnforceSecurityGroupInboundRulesOnPrivateLinkTraffic, desiredEnforceSecurityGroupInboundRulesOnPrivateLinkTraffic
+
+}

pkg/model/elbv2/load_balancer.go

@@ -2,6 +2,7 @@ package elbv2
 
 import (
 	"context"
+
 	"github.com/pkg/errors"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/model/core"
 )
@@ -86,6 +87,13 @@ const (
 	IPAddressTypeDualStack IPAddressType = "dualstack"
 )
 
+type SecurityGroupsInboundRulesOnPrivateLinkStatus string
+
+const (
+	SecurityGroupsInboundRulesOnPrivateLinkOn  SecurityGroupsInboundRulesOnPrivateLinkStatus = "on"
+	SecurityGroupsInboundRulesOnPrivateLinkOff SecurityGroupsInboundRulesOnPrivateLinkStatus = "off"
+)
+
 type LoadBalancerScheme string
 
 const (
@@ -143,6 +151,10 @@ type LoadBalancerSpec struct {
 	// +optional
 	SecurityGroups []core.StringToken `json:"securityGroups,omitempty"`
 
+	// [Network Load Balancers] The status of the security groups inbound rules on private link.
+	// +optional
+	SecurityGroupsInboundRulesOnPrivateLink *SecurityGroupsInboundRulesOnPrivateLinkStatus `json:"securityGroupsInboundRulesOnPrivateLink,omitempty"`
+
 	// [Application Load Balancers on Outposts] The ID of the customer-owned address pool (CoIP pool).
 	// +optional
 	CustomerOwnedIPv4Pool *string `json:"customerOwnedIPv4Pool,omitempty"`

pkg/service/model_build_load_balancer.go

@@ -77,6 +77,11 @@ func (t *defaultModelBuildTask) buildLoadBalancerSpec(ctx context.Context, schem
 	if err != nil {
 		return elbv2model.LoadBalancerSpec{}, err
 	}
+	securityGroupsInboundRulesOnPrivateLink, err := t.buildSecurityGroupsInboundRulesOnPrivateLink(ctx)
+	if err != nil {
+		return elbv2model.LoadBalancerSpec{}, err
+	}
+
 	spec := elbv2model.LoadBalancerSpec{
 		Name:                   name,
 		Type:                   elbv2model.LoadBalancerTypeNetwork,
@@ -87,6 +92,22 @@ func (t *defaultModelBuildTask) buildLoadBalancerSpec(ctx context.Context, schem
 		LoadBalancerAttributes: lbAttributes,
 		Tags:                   tags,
 	}
+
+	if securityGroupsInboundRulesOnPrivateLink != "" {
+		spec = elbv2model.LoadBalancerSpec{
+			Name:                                    name,
+			Type:                                    elbv2model.LoadBalancerTypeNetwork,
+			Scheme:                                  &scheme,
+			IPAddressType:                           &ipAddressType,
+			SecurityGroups:                          securityGroups,
+			SubnetMappings:                          subnetMappings,
+			LoadBalancerAttributes:                  lbAttributes,
+			Tags:                                    tags,
+			SecurityGroupsInboundRulesOnPrivateLink: &securityGroupsInboundRulesOnPrivateLink,
+		}
+
+	}
+
 	return spec, nil
 }
 
@@ -177,6 +198,22 @@ func (t *defaultModelBuildTask) buildLoadBalancerIPAddressType(_ context.Context
 	}
 }
 
+func (t *defaultModelBuildTask) buildSecurityGroupsInboundRulesOnPrivateLink(_ context.Context) (elbv2model.SecurityGroupsInboundRulesOnPrivateLinkStatus, error) {
+	var securityGroupsInboundRulesOnPrivateLink string
+	if exists := t.annotationParser.ParseStringAnnotation(annotations.SvcLBSuffixEnforceSGInboundRulesOnPrivateLinkTraffic, &securityGroupsInboundRulesOnPrivateLink, t.service.Annotations); !exists {
+		return "", nil
+	}
+
+	switch securityGroupsInboundRulesOnPrivateLink {
+	case string(elbv2model.SecurityGroupsInboundRulesOnPrivateLinkOn):
+		return elbv2model.SecurityGroupsInboundRulesOnPrivateLinkOn, nil
+	case string(elbv2model.SecurityGroupsInboundRulesOnPrivateLinkOff):
+		return elbv2model.SecurityGroupsInboundRulesOnPrivateLinkOff, nil
+	default:
+		return "", errors.Errorf("Invalid value for securityGroupsInboundRulesOnPrivateLink status: %v, value must be one of [%v, %v]", securityGroupsInboundRulesOnPrivateLink, string(elbv2model.SecurityGroupsInboundRulesOnPrivateLinkOn), string(elbv2model.SecurityGroupsInboundRulesOnPrivateLinkOff))
+	}
+}
+
 func (t *defaultModelBuildTask) buildLoadBalancerScheme(ctx context.Context) (elbv2model.LoadBalancerScheme, error) {
 	scheme, explicitSchemeSpecified, err := t.buildLoadBalancerSchemeViaAnnotation(ctx)
 	if err != nil {

pkg/service/model_builder.go

@@ -6,6 +6,7 @@ import (
 	"sync"
 
 	"github.com/aws/aws-sdk-go/service/ec2"
+	"github.com/go-logr/logr"
 	"github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
@@ -40,7 +41,7 @@ func NewDefaultModelBuilder(annotationParser annotations.Parser, subnetsResolver
 	elbv2TaggingManager elbv2deploy.TaggingManager, ec2Client services.EC2, featureGates config.FeatureGates, clusterName string, defaultTags map[string]string,
 	externalManagedTags []string, defaultSSLPolicy string, defaultTargetType string, enableIPTargetType bool, serviceUtils ServiceUtils,
 	backendSGProvider networking.BackendSGProvider, sgResolver networking.SecurityGroupResolver, enableBackendSG bool,
-	disableRestrictedSGRules bool) *defaultModelBuilder {
+	disableRestrictedSGRules bool, logger logr.Logger) *defaultModelBuilder {
 	return &defaultModelBuilder{
 		annotationParser:         annotationParser,
 		subnetsResolver:          subnetsResolver,
@@ -61,6 +62,7 @@ func NewDefaultModelBuilder(annotationParser annotations.Parser, subnetsResolver
 		ec2Client:                ec2Client,
 		enableBackendSG:          enableBackendSG,
 		disableRestrictedSGRules: disableRestrictedSGRules,
+		logger:                   logger,
 	}
 }
 
@@ -87,6 +89,7 @@ type defaultModelBuilder struct {
 	defaultSSLPolicy    string
 	defaultTargetType   elbv2model.TargetType
 	enableIPTargetType  bool
+	logger              logr.Logger
 }
 
 func (b *defaultModelBuilder) Build(ctx context.Context, service *corev1.Service) (core.Stack, *elbv2model.LoadBalancer, bool, error) {
@@ -107,6 +110,7 @@ func (b *defaultModelBuilder) Build(ctx context.Context, service *corev1.Service
 		ec2Client:                b.ec2Client,
 		enableBackendSG:          b.enableBackendSG,
 		disableRestrictedSGRules: b.disableRestrictedSGRules,
+		logger:                   b.logger,
 
 		service:   service,
 		stack:     stack,
@@ -162,6 +166,7 @@ type defaultModelBuildTask struct {
 	serviceUtils        ServiceUtils
 	enableIPTargetType  bool
 	ec2Client           services.EC2
+	logger              logr.Logger
 
 	service *corev1.Service