Add new featuregate to enable/disable SG management

[alikhanich]

Issue

We have a lot of services in k8s with type LoadBalancer, and for each of them controller was creating SG in AWS. We've reached the point when quota increase was denied from AWS support. So we decided to disable SG management for controller and switch to static rule which allows 30000-32767 port range to 0.0.0.0/0. Currently it can only be achieved by placing annotation on EACH service in k8s cluster, as our cluster is very big and there are a lot of different charts it is very hard for us. Hence here comes this PR.

#2358

Description

I have added new feature flag ManageSecurityGroups which is true by default for backwards compatibility, and in method buildManageSecurityGroupRulesFlag I preserved the ability to use annotations to disable SG management.
If you like this feature I will gladly write tests for it and will update the docs accordingly.

Checklist

• Added tests that cover your change (if possible)
• Added/modified documentation as required (such as the README.md, or the docs directory)
• Manually tested
• Made sure the title of the PR is a good description that can go into the release notes

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

• Backfilled missing tests for code in same general area 🎉
• Refactored something and made the world a better place 🌟

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: djirik / name: Roman (224600d)

[k8s-ci-robot]

Welcome @djirik!

It looks like this is your first PR to kubernetes-sigs/aws-load-balancer-controller 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/aws-load-balancer-controller has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @djirik. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: djirik
Once this PR has been reviewed and has the lgtm label, please assign m00nf1sh for approval by writing /assign @m00nf1sh in a comment. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[alikhanich]

@kishorj @M00nF1sh Hi, any thoughts on this?

[johngmyers]

I'm planning on adding a securityGroups field to IngressClassParams. Would that solve your problem?

[alikhanich]

@johngmyers how would it work? and do you have ETA?

[johngmyers]

It would look like #2945 except for security groups instead of subnets.

I'm completely dependent on code reviews and approvals, so don't have an ETA. Security groups would be fourth on my list because I don't have a need to specify them myself. You could use my PR as a template.

[ngnix]

Hi @johngmyers !
I think it will be the best solution to add a securityGroups to the IngressClassParams.

[ngnix]

Maybe it's worth adding the ability to create a security group for each service with the LoadBalancer type? and add them only to those worker nodes on which the corresponding loads are located? The problem is that now it is very easy to run into two AWS limits:

• number of rules within one security group
• number of security groups per EC2 instance

This is a hard problem in AWS - as these limits are very small !

The problem described above concerns NLB, not ALB!

[ngnix]

The current solution proposed by @djirik will allow turning off the creation of rules by the operator, in this case, ports of 30000+ services are always allowed in the security group and new rules are not added to it, so we do not rest on the limits.
This is an alternative solution.

[k8s-ci-robot]

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle stale
• Close this PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle rotten
• Close this PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Reopen this PR with /reopen
• Mark this PR as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

[k8s-ci-robot]

@k8s-triage-robot: Closed this PR.

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Reopen this PR with /reopen
• Mark this PR as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.