Skip to content

Add support for enabling AWS Shield Advanced protection #1126

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 7, 2020
Merged

Add support for enabling AWS Shield Advanced protection #1126

merged 1 commit into from
Feb 7, 2020

Conversation

hhamalai
Copy link

@hhamalai hhamalai commented Jan 13, 2020
edited
Loading

When subscribed to AWS Shield Advanced service, the Shield protection must be turned on for each Application Load Balancer resource. While AWS offers automation to do this via services like Firewall Manager, their use cases are limited by their constraints (e.g., impossible to utilize rate-based WAF rules 1).

The proposed change adds an annotation for the ingress resource, which can is used to turn on the Shield Advanced protection for the load balancers created by aws-alb-ingress-controller.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jan 13, 2020
@k8s-ci-robot
Copy link
Contributor

Welcome @hhamalai!

It looks like this is your first PR to kubernetes-sigs/aws-alb-ingress-controller 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/aws-alb-ingress-controller has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot
Copy link
Contributor

Hi @hhamalai. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jan 13, 2020
@hhamalai hhamalai mentioned this pull request Jan 13, 2020
Closed
@alejandrox1
Copy link

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jan 13, 2020
@M00nF1sh
Copy link
Collaborator

M00nF1sh commented Jan 13, 2020
edited
Loading

Wow, thanks so much for contributing! looks really good :D
/ok-to-test

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 14, 2020
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 14, 2020
@hhamalai hhamalai force-pushed the shield_advanced branch 3 times, most recently from 7132f35 to f8857a9 Compare January 14, 2020 23:03
@hhamalai
Copy link
Author

/assign @bigkraig

mogren
mogren reviewed Jan 15, 2020
View reviewed changes
n1koo
n1koo reviewed Jan 20, 2020
View reviewed changes
n1koo
n1koo reviewed Jan 20, 2020
View reviewed changes
n1koo
n1koo reviewed Jan 20, 2020
View reviewed changes
@hhamalai hhamalai force-pushed the shield_advanced branch 3 times, most recently from cab3849 to aa16612 Compare January 20, 2020 19:41
@hhamalai
Copy link
Author

Hi, can @bigkraig give any feedback how to take this proposed change further? Should try to drag more review feedback or assign this into some person to review?

@M00nF1sh
Copy link
Collaborator

I'll test this out today

@M00nF1sh
Copy link
Collaborator

M00nF1sh commented Jan 27, 2020
edited
Loading

/lgtm
/approve
/hold

I'll approve this first sine it looks good at itself.
However, we need a few enhancements to this before cutting a new release(I can do it but feel free to ping me to take it if you got time)

  1. we needs to add caches to this API. (since the current code will call reconcile on every pod relocate event, and this will be called when the annotation is absent). Similar to https://github.com/kubernetes-sigs/aws-alb-ingress-controller/blob/master/internal/alb/lb/waf.go

  2. we need to check the protection name matches managed by aws-alb-ingress-controller before disassociate it to avoid unintentionally removed shield which might be attached by 3rd party rules. (e.g. if name mismatch, leave it as it is).

  3. we need to add a feature Gate for this feature to allow Customer disable it. (since it need new IAM permissions and will fail the controller unless these permissions are added, some customers may don't want to add such permissions or even unable to do so).

  4. Personally, I'd prefer change the semantic to like blow, but would like to have some discussing.

    • alb.ingress.kubernetes.io/shield-advanced-protection: 'true', enable shield
    • alb.ingress.kubernetes.io/shield-advanced-protection: 'false', disabled shield(also check for managed by aws-alb-ingress-controlle too, if mismatch, issue an warning but keep the shield association)
    • no alb.ingress.kubernetes.io/shield-advanced-protection annotation, don't do any shield API calls. (however, we may still need to make shield API to delete shield association when deleting LoadBalancer, i don't have good idea about this yet)

    This way, it won't impose any impact to existing customers when we add new features.
    I always want to do similar things for annotations like alb.ingress.kubernetes.io/waf-acl-id, since currently we have no way to express "don't touch my WAF settings"

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jan 27, 2020
@M00nF1sh M00nF1sh added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 27, 2020
@hhamalai
Copy link
Author

Thanks for the great feedback, I'm happy to implement your suggestions and ping you once ready.

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 29, 2020
@hhamalai hhamalai force-pushed the shield_advanced branch 2 times, most recently from 881226b to 73d2c42 Compare January 29, 2020 15:00
@hhamalai
Add support for enabling AWS Shield Advanced protection
34b43e6 
Shield Advanced improvements

- Add caching of AWS API requests
- Add feature gate
- When deleting protection, check protection name to match one indicating it was created by alb-ingress-controller alb-ingress-controller
- Changed annotation semantics of shield-advanced-protection to:
  - 'true': enables protection
  - 'false': disables protection created by alb-ingress-controller
  - missing annoation: immediately returns from reconcile skipping all
  Shield related API calls
@hhamalai
Copy link
Author

@M00nF1sh I've implemented & tested your proposed changes. Regarding the last one, it's now as you suggested, i.e. when the annotation is missing no Shield Advanced API calls are made. This means, as you noticed, that when annotation is absent, when it previously was present with shield protection enabled, the protection is left present.

Other than leaving it as is, one option would be to go through the current protections in the cache (no API calls made before and will be made if the cache is empty). If there are cache items, then these would be tried to remove. Few issues with this:

  1. Cache expiration creates a requirement for another kind of cache
  2. The cache usage to track protections creates persistence, if alb-ingress-controller pod is destroyed the cache is lost that the protections are left active as orphans.

@hhamalai
Copy link
Author

hhamalai commented Feb 6, 2020

@M00nF1sh Any comments on the suggested changes / how to push this forward?

M00nF1sh
M00nF1sh reviewed Feb 7, 2020
View reviewed changes
Copy link
Collaborator

@M00nF1sh M00nF1sh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 7, 2020
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hhamalai, M00nF1sh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@M00nF1sh
Copy link
Collaborator

M00nF1sh commented Feb 7, 2020

@M00nF1sh Any comments on the suggested changes / how to push this forward?

Thanks for making these changes, i think it's good enough to merge for now.
For the annotation remove issue, i think we should train Cx to explicitly disable shield instead of remove annotations, maybe via docs.

@M00nF1sh M00nF1sh removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 7, 2020
@k8s-ci-robot k8s-ci-robot merged commit fe2bdcf into kubernetes-sigs:master Feb 7, 2020
@Vlaaaaaaad Vlaaaaaaad mentioned this pull request Apr 5, 2020
Merged
5 tasks
@geofflancaster
Copy link

Does this work for NLBs as well?

@hhamalai
Copy link
Author

hhamalai commented Oct 3, 2020

Does this work for NLBs as well?

@geofflancaster , aws-alb-ingress-controller project is about ALBs, not NLBs. If you need NLBs with Shield Advanced enabled, you can use Elastic IPs, enable Shield Advanced protection on those IPs, and associate the IPs with your NLB.

@christopher-wong
Copy link

Now that the load balancer controller supports NLBs, is there an NLB annotation to enable Shield Advanced?

@hhamalai
Copy link
Author

Now that the load balancer controller supports NLBs, is there an NLB annotation to enable Shield Advanced?

AFAIK Shield Advanced cannot be enabled directly on NLB, but for Elastic IPs attached to NLB instance with
service.beta.kubernetes.io/aws-load-balancer-eip-allocations annotation. These EIPs are not allocated by load balancer controller at the moment, so assigning shield protections to these EIPs should likely also be externally managed.

@abebars
Copy link

abebars commented Aug 2, 2023
edited
Loading

@hhamalai Since the Controller allows you to pass these EIPs as an optional parameter, Can we have service.beta.kubernetes.io/aws-load-balancer-eip-allocations as a prerequisite to service.beta.kubernetes.io/shield-advanced-protection: 'true' and in that case we can make the correlation between the resources?

alebedev87 pushed a commit to alebedev87/aws-load-balancer-controller that referenced this pull request Oct 26, 2023
@k8s-ci-robot
Merge pull request kubernetes-sigs#1126 from hhamalai/shield_advanced
92e079d 
Add support for enabling AWS Shield Advanced protection
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mogren mogren mogren left review comments

@n1koo n1koo n1koo left review comments

@M00nF1sh M00nF1sh M00nF1sh left review comments

@alejandrox1 alejandrox1 Awaiting requested review from alejandrox1

@bigkraig bigkraig Awaiting requested review from bigkraig

Assignees

@bigkraig bigkraig

@M00nF1sh M00nF1sh

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
10 participants
@hhamalai @k8s-ci-robot @alejandrox1 @M00nF1sh @geofflancaster @christopher-wong @abebars @mogren @n1koo @bigkraig