Add securityGroups field to IngressClassParams

Author: johngmyers

apis/elbv2/v1beta1/ingressclassparams_types.go

@@ -41,6 +41,39 @@ const (
 	LoadBalancerSchemeInternetFacing LoadBalancerScheme = "internet-facing"
 )
 
+// SecurityGroupID specifies a security group ID.
+// +kubebuilder:validation:Pattern=sg-[0-9a-f]+
+type SecurityGroupID string
+
+// SecurityGroupSelector selects one or more existing security groups.
+type SecurityGroupSelector struct {
+	// IDs specify the resource IDs of security groups.
+	// Exactly one of this, `managedInbound`, or `tags` must be specified.
+	// +kubebuilder:validation:MinItems=1
+	// +optional
+	IDs []SecurityGroupID `json:"ids,omitempty"`
+
+	// ManagedBackend specifies that the controller will create and include a security group for
+	// traffic between the load balancer and its targets.
+	// If `managedInbound` is `true`, defaults to the value of the controller's
+	// `--enable-backend-security-group` flag. Otherwise, defaults to `false`.
+	// +optional
+	ManagedBackend *bool `json:"managedBackend,omitempty"`
+
+	// ManagedInbound specifies that the controller will create a security group allowing traffic from
+	// `inboundCIDRs` to the `listen-ports`.
+	// Exactly one of this, `ids`, or `tags` must be specified.
+	// +optional
+	ManagedInbound bool `json:"managedInbound,omitempty"`
+
+	// Tags specifies security groups in the load balancer's VPC where each
+	// tag specified in the map key contains one of the values in the corresponding
+	// value list.
+	// Exactly one of this, `ids`, or `managedInbound` must be specified.
+	// +optional
+	Tags map[string][]string `json:"tags,omitempty"`
+}
+
 // SubnetID specifies a subnet ID.
 // +kubebuilder:validation:Pattern=subnet-[0-9a-f]+
 type SubnetID string
@@ -100,9 +133,14 @@ type IngressClassParamsSpec struct {
 	Scheme *LoadBalancerScheme `json:"scheme,omitempty"`
 
 	// InboundCIDRs specifies the CIDRs that are allowed to access the Ingresses that belong to IngressClass with this IngressClassParams.
+	// If this and `securityGroups` are both specified, `securityGroups.managed` must be `true`.
 	// +optional
 	InboundCIDRs []string `json:"inboundCIDRs,omitempty"`
 
+	// SecurityGroups defines the security groups to attach to all Ingresses that belong to IngressClass with this IngressClassParams.
+	// +optional
+	SecurityGroups *SecurityGroupSelector `json:"securityGroups,omitempty"`
+
 	// SSLPolicy specifies the SSL Policy for all Ingresses that belong to IngressClass with this IngressClassParams.
 	// +optional
 	SSLPolicy string `json:"sslPolicy,omitEmpty"`

apis/elbv2/v1beta1/zz_generated.deepcopy.go

@@ -64,6 +64,8 @@ spec:
               inboundCIDRs:
                 description: InboundCIDRs specifies the CIDRs that are allowed to
                   access the Ingresses that belong to IngressClass with this IngressClassParams.
+                  If this and `securityGroups` are both specified, `securityGroups.managed`
+                  must be `true`.
                 items:
                   type: string
                 type: array
@@ -146,6 +148,43 @@ spec:
                 - internal
                 - internet-facing
                 type: string
+              securityGroups:
+                description: SecurityGroups defines the security groups to attach
+                  to all Ingresses that belong to IngressClass with this IngressClassParams.
+                properties:
+                  ids:
+                    description: IDs specify the resource IDs of security groups.
+                      Exactly one of this, `managedInbound`, or `tags` must be specified.
+                    items:
+                      description: SecurityGroupID specifies a security group ID.
+                      pattern: sg-[0-9a-f]+
+                      type: string
+                    minItems: 1
+                    type: array
+                  managedBackend:
+                    description: ManagedBackend specifies that the controller will
+                      create and include a security group for traffic between the
+                      load balancer and its targets. If `managedInbound` is `true`,
+                      defaults to the value of the controller's `--enable-backend-security-group`
+                      flag. Otherwise, defaults to `false`.
+                    type: boolean
+                  managedInbound:
+                    description: ManagedInbound specifies that the controller will
+                      create a security group allowing traffic from `inboundCIDRs`
+                      to the `listen-ports`. Exactly one of this, `ids`, or `tags`
+                      must be specified.
+                    type: boolean
+                  tags:
+                    additionalProperties:
+                      items:
+                        type: string
+                      type: array
+                    description: Tags specifies security groups in the load balancer's
+                      VPC where each tag specified in the map key contains one of
+                      the values in the corresponding value list. Exactly one of this,
+                      `ids`, or `managedInbound` must be specified.
+                    type: object
+                type: object
               sslPolicy:
                 description: SSLPolicy specifies the SSL Policy for all Ingresses
                   that belong to IngressClass with this IngressClassParams.

config/crd/bases/elbv2.k8s.aws_ingressclassparams.yaml

@@ -140,6 +140,38 @@ Cluster administrators can use the `scheme` field to restrict the scheme for all
 Cluster administrators can use the optional `inboundCIDRs` field to specify the CIDRs that are allowed to access the load balancers that belong to this IngressClass.
 If the field is specified, LBC will ignore the `alb.ingress.kubernetes.io/inbound-cidrs` annotation.
 
+#### spec.securityGroups
+
+Cluster administrators can use the optional `securityGroups` field to specify the security groups for the load balancers that belong to this IngressClass.
+If the field is specified, they must specify one of `ids`, `managedInbound`, or `tags`.
+If the field is specified, LBC will ignore the `alb.ingress.kubernetes.io/security-groups` 
+and `alb.ingress.kubernetes.io/manage-backend-security-group-rules` annotations.
+
+##### spec.securityGroups.ids
+
+If `ids` is specified, it must be a set of at least one resource ID of a security group in the VPC.
+
+##### spec.securityGroups.managedInbound
+
+If `managedInbound` is `true`, LBC will create a security group allowing traffic from `spec.inboundCIDRs` to the `listen-ports`.
+
+##### spec.securityGroups.managedBackend
+
+If `managedBackend` is `true`, LBC will create and include a security group for traffic between the load balancer and its targets.
+
+If `managedInbound` is `true`, defaults to the value of the controller's `--enable-backend-security-group` flag. Otherwise, defaults to `false`.
+
+##### spec.securityGroups.tags
+
+If `tags` is specified, it is a map of tag filters. The filters will match security groups in the VPC for which
+each listed tag key is present and has one of the corresponding tag values.
+
+Security groups with the cluster tag for another cluster and which do not have a cluster tag 
+for this cluster will be excluded.
+
+If any matching security group has a cluster tag for this cluster, then security groups without
+a cluster tag will be excluded.
+
 #### spec.sslPolicy
 
 Cluster administrators can use the optional `sslPolicy` field to specify the SSL policy for the load balancers that belong to this IngressClass.
@@ -148,7 +180,8 @@ If the field is specified, LBC will ignore the `alb.ingress.kubernetes.io/ssl-po
 #### spec.subnets
 
 Cluster administrators can use the optional `subnets` field to specify the subnets for the load balancers that belong to this IngressClass.
-They may specify either `ids` or `tags`. If the field is specified, LBC will ignore the `alb.ingress.kubernetes.io/subnets annotation` annotation.
+If the field is specified, they must specify either `ids` or `tags`.
+If the field is specified, LBC will ignore the `alb.ingress.kubernetes.io/subnets` annotation.
 
 ##### spec.subnets.ids
 
@@ -159,7 +192,8 @@ If `ids` is specified, it must be a set of at least one resource ID of a subnet
 If `tags` is specified, it is a map of tag filters. The filters will match subnets in the VPC for which
 each listed tag key is present and has one of the corresponding tag values.
 
-Unless the `SubnetsClusterTagCheck` feature gate is disabled, subnets without a cluster tag and with the cluster tag for another cluster will be excluded.
+Unless the `SubnetsClusterTagCheck` feature gate is disabled, subnets with the cluster tag for another
+cluster and which do not have a cluster tag for this cluster will be excluded.
 
 Within any given availability zone, subnets with a cluster tag will be chosen over subnets without, then the subnet with the lowest-sorting resource ID will be chosen.
 

docs/guide/ingress/ingress_class.md

@@ -63,6 +63,8 @@ spec:
               inboundCIDRs:
                 description: InboundCIDRs specifies the CIDRs that are allowed to
                   access the Ingresses that belong to IngressClass with this IngressClassParams.
+                  If this and `securityGroups` are both specified, `securityGroups.managed`
+                  must be `true`.
                 items:
                   type: string
                 type: array
@@ -145,6 +147,43 @@ spec:
                 - internal
                 - internet-facing
                 type: string
+              securityGroups:
+                description: SecurityGroups defines the security groups to attach
+                  to all Ingresses that belong to IngressClass with this IngressClassParams.
+                properties:
+                  ids:
+                    description: IDs specify the resource IDs of security groups.
+                      Exactly one of this, `managedInbound`, or `tags` must be specified.
+                    items:
+                      description: SecurityGroupID specifies a security group ID.
+                      pattern: sg-[0-9a-f]+
+                      type: string
+                    minItems: 1
+                    type: array
+                  managedBackend:
+                    description: ManagedBackend specifies that the controller will
+                      create and include a security group for traffic between the
+                      load balancer and its targets. If `managedInbound` is `true`,
+                      defaults to the value of the controller's `--enable-backend-security-group`
+                      flag. Otherwise, defaults to `false`.
+                    type: boolean
+                  managedInbound:
+                    description: ManagedInbound specifies that the controller will
+                      create a security group allowing traffic from `inboundCIDRs`
+                      to the `listen-ports`. Exactly one of this, `ids`, or `tags`
+                      must be specified.
+                    type: boolean
+                  tags:
+                    additionalProperties:
+                      items:
+                        type: string
+                      type: array
+                    description: Tags specifies security groups in the load balancer's
+                      VPC where each tag specified in the map key contains one of
+                      the values in the corresponding value list. Exactly one of this,
+                      `ids`, or `managedInbound` must be specified.
+                    type: object
+                type: object
               sslPolicy:
                 description: SSLPolicy specifies the SSL Policy for all Ingresses
                   that belong to IngressClass with this IngressClassParams.