Controller cfg for backend sg rule management

controllers/ingress/group_controller.go

@@ -61,7 +61,8 @@ func NewGroupReconciler(cloud aws.Cloud, k8sClient client.Client, eventRecorder
 		authConfigBuilder, enhancedBackendBuilder, trackingProvider, elbv2TaggingManager, controllerConfig.FeatureGates,
 		cloud.VpcID(), controllerConfig.ClusterName, controllerConfig.DefaultTags, controllerConfig.ExternalManagedTags,
 		controllerConfig.DefaultSSLPolicy, controllerConfig.DefaultTargetType, backendSGProvider, sgResolver,
-		controllerConfig.EnableBackendSecurityGroup, controllerConfig.DisableRestrictedSGRules, controllerConfig.FeatureGates.Enabled(config.EnableIPTargetType), logger)
+		controllerConfig.EnableBackendSecurityGroup, controllerConfig.ManageBackendSGRules, controllerConfig.DisableRestrictedSGRules,
+		controllerConfig.FeatureGates.Enabled(config.EnableIPTargetType), logger)
 	stackMarshaller := deploy.NewDefaultStackMarshaller()
 	stackDeployer := deploy.NewDefaultStackDeployer(cloud, k8sClient, networkingSGManager, networkingSGReconciler,
 		controllerConfig, ingressTagPrefix, logger)

controllers/service/service_controller.go

@@ -44,7 +44,9 @@ func NewServiceReconciler(cloud aws.Cloud, k8sClient client.Client, eventRecorde
 	elbv2TaggingManager := elbv2.NewDefaultTaggingManager(cloud.ELBV2(), cloud.VpcID(), controllerConfig.FeatureGates, cloud.RGT(), logger)
 	serviceUtils := service.NewServiceUtils(annotationParser, serviceFinalizer, controllerConfig.ServiceConfig.LoadBalancerClass, controllerConfig.FeatureGates)
 	modelBuilder := service.NewDefaultModelBuilder(annotationParser, subnetsResolver, vpcInfoProvider, cloud.VpcID(), trackingProvider,
-		elbv2TaggingManager, controllerConfig.FeatureGates, controllerConfig.ClusterName, controllerConfig.DefaultTags, controllerConfig.ExternalManagedTags, controllerConfig.DefaultSSLPolicy, controllerConfig.DefaultTargetType, controllerConfig.FeatureGates.Enabled(config.EnableIPTargetType), serviceUtils)
+		elbv2TaggingManager, controllerConfig.FeatureGates, controllerConfig.ClusterName, controllerConfig.DefaultTags, controllerConfig.ExternalManagedTags,
+		controllerConfig.DefaultSSLPolicy, controllerConfig.DefaultTargetType, controllerConfig.FeatureGates.Enabled(config.EnableIPTargetType),
+		controllerConfig.ManageBackendSGRules, serviceUtils)
 	stackMarshaller := deploy.NewDefaultStackMarshaller()
 	stackDeployer := deploy.NewDefaultStackDeployer(cloud, k8sClient, networkingSGManager, networkingSGReconciler, controllerConfig, serviceTagPrefix, logger)
 	return &serviceReconciler{

docs/deploy/configurations.md

@@ -80,6 +80,7 @@ Currently, you can set only 1 namespace to watch in this flag. See [this Kuberne
 |[disable-ingress-group-name-annotation](#disable-ingress-group-name-annotation)  | boolean                         | false           | Disallow new use of the `alb.ingress.kubernetes.io/group.name` annotation |
 |disable-restricted-sg-rules            | boolean                         | false            | Disable the usage of restricted security group rules |
 |enable-backend-security-group          | boolean                         | true            | Enable sharing of security groups for backend traffic |
+|manage-backend-sg-rules                | boolean                         | true            | Enables controller to manage backend SG rules. If `false` controller won't manage the rules, if `true` controller will manage if the annotations on ingress/service don't disable managing. Defaults to `true` |
 |enable-endpoint-slices                 | boolean                         | false           | Use EndpointSlices instead of Endpoints for pod endpoint and TargetGroupBinding resolution for load balancers with IP targets. |
 |enable-leader-election                 | boolean                         | true            | Enable leader election for the load balancer controller manager. Enabling this will ensure there is only one active controller manager |
 |enable-pod-readiness-gate-inject       | boolean                         | true            | If enabled, targetHealth readiness gate will get injected to the pod spec for the matching endpoint pods |

pkg/config/controller_config.go

@@ -23,6 +23,7 @@ const (
 	flagTargetGroupBindingMaxExponentialBackoffDelay = "targetgroupbinding-max-exponential-backoff-delay"
 	flagDefaultSSLPolicy                             = "default-ssl-policy"
 	flagEnableBackendSG                              = "enable-backend-security-group"
+	flagManageBackendSGRules                         = "manage-backend-sg-rules"
 	flagBackendSecurityGroup                         = "backend-security-group"
 	flagEnableEndpointSlices                         = "enable-endpoint-slices"
 	flagDisableRestrictedSGRules                     = "disable-restricted-sg-rules"
@@ -31,6 +32,7 @@ const (
 	defaultMaxExponentialBackoffDelay                = time.Second * 1000
 	defaultSSLPolicy                                 = "ELBSecurityPolicy-2016-08"
 	defaultEnableBackendSG                           = true
+	defaultManageBackendSGRules                      = true
 	defaultEnableEndpointSlices                      = false
 	defaultDisableRestrictedSGRules                  = false
 )
@@ -91,6 +93,9 @@ type ControllerConfig struct {
 	// EnableBackendSecurityGroup specifies whether to use optimized security group rules
 	EnableBackendSecurityGroup bool
 
+	// ManageBackendSGRules specifies whether to manage backend security group rules
+	ManageBackendSGRules bool
+
 	// BackendSecurityGroups specifies the configured backend security group to use
 	// for optimized security group rules
 	BackendSecurityGroup string
@@ -122,6 +127,8 @@ func (cfg *ControllerConfig) BindFlags(fs *pflag.FlagSet) {
 		"Default SSL policy for load balancers listeners")
 	fs.BoolVar(&cfg.EnableBackendSecurityGroup, flagEnableBackendSG, defaultEnableBackendSG,
 		"Enable sharing of security groups for backend traffic")
+	fs.BoolVar(&cfg.ManageBackendSGRules, flagManageBackendSGRules, defaultManageBackendSGRules,
+		"Enable management of backend security group rules")
 	fs.StringVar(&cfg.BackendSecurityGroup, flagBackendSecurityGroup, "",
 		"Backend security group id to use for the ingress rules on the worker node SG")
 	fs.BoolVar(&cfg.EnableEndpointSlices, flagEnableEndpointSlices, defaultEnableEndpointSlices,

pkg/ingress/model_build_load_balancer.go

@@ -280,18 +280,20 @@ func (t *defaultModelBuildTask) buildLoadBalancerSecurityGroups(ctx context.Cont
 			return nil, err
 		}
 		lbSGTokens = append(lbSGTokens, managedSG.GroupID())
-		if !t.enableBackendSG {
-			t.backendSGIDToken = managedSG.GroupID()
-		} else {
+		backendSGIDToken := managedSG.GroupID()
+		if t.enableBackendSG {
 			backendSGID, err := t.backendSGProvider.Get(ctx, networking.ResourceTypeIngress, k8s.ToSliceOfNamespacedNames(t.ingGroup.Members))
 			if err != nil {
 				return nil, err
 			}
-			t.backendSGIDToken = core.LiteralStringToken((backendSGID))
 			t.backendSGAllocated = true
-			lbSGTokens = append(lbSGTokens, t.backendSGIDToken)
+			backendSGIDToken = core.LiteralStringToken((backendSGID))
+			lbSGTokens = append(lbSGTokens, backendSGIDToken)
+		}
+		if t.manageBackendSGRules {
+			t.backendSGIDToken = backendSGIDToken
 		}
-		t.logger.Info("Auto Create SG", "LB SGs", lbSGTokens, "backend SG", t.backendSGIDToken)
+		t.logger.Info("Auto Create SG", "LB SGs", lbSGTokens, "backend SG", backendSGIDToken)
 	} else {
 		manageBackendSGRules, err := t.buildManageSecurityGroupRulesFlag(ctx)
 		if err != nil {

pkg/ingress/model_builder.go

@@ -43,7 +43,7 @@ func NewDefaultModelBuilder(k8sClient client.Client, eventRecorder record.EventR
 	trackingProvider tracking.Provider, elbv2TaggingManager elbv2deploy.TaggingManager, featureGates config.FeatureGates,
 	vpcID string, clusterName string, defaultTags map[string]string, externalManagedTags []string, defaultSSLPolicy string, defaultTargetType string,
 	backendSGProvider networkingpkg.BackendSGProvider, sgResolver networkingpkg.SecurityGroupResolver,
-	enableBackendSG bool, disableRestrictedSGRules bool, enableIPTargetType bool, logger logr.Logger) *defaultModelBuilder {
+	enableBackendSG bool, manageBackendSGRules bool, disableRestrictedSGRules bool, enableIPTargetType bool, logger logr.Logger) *defaultModelBuilder {
 	certDiscovery := NewACMCertDiscovery(acmClient, logger)
 	ruleOptimizer := NewDefaultRuleOptimizer(logger)
 	return &defaultModelBuilder{
@@ -68,6 +68,7 @@ func NewDefaultModelBuilder(k8sClient client.Client, eventRecorder record.EventR
 		defaultSSLPolicy:         defaultSSLPolicy,
 		defaultTargetType:        elbv2model.TargetType(defaultTargetType),
 		enableBackendSG:          enableBackendSG,
+		manageBackendSGRules:     manageBackendSGRules,
 		disableRestrictedSGRules: disableRestrictedSGRules,
 		enableIPTargetType:       enableIPTargetType,
 		logger:                   logger,
@@ -101,6 +102,7 @@ type defaultModelBuilder struct {
 	defaultSSLPolicy         string
 	defaultTargetType        elbv2model.TargetType
 	enableBackendSG          bool
+	manageBackendSGRules     bool
 	disableRestrictedSGRules bool
 	enableIPTargetType       bool
 
@@ -129,6 +131,7 @@ func (b *defaultModelBuilder) Build(ctx context.Context, ingGroup Group) (core.S
 		sgResolver:               b.sgResolver,
 		logger:                   b.logger,
 		enableBackendSG:          b.enableBackendSG,
+		manageBackendSGRules:     b.manageBackendSGRules,
 		disableRestrictedSGRules: b.disableRestrictedSGRules,
 		enableIPTargetType:       b.enableIPTargetType,
 
@@ -188,6 +191,7 @@ type defaultModelBuildTask struct {
 	backendSGIDToken         core.StringToken
 	backendSGAllocated       bool
 	enableBackendSG          bool
+	manageBackendSGRules     bool
 	disableRestrictedSGRules bool
 	enableIPTargetType       bool
 
@@ -407,6 +411,10 @@ func (t *defaultModelBuildTask) getDeletionProtectionViaAnnotation(ing *networki
 }
 
 func (t *defaultModelBuildTask) buildManageSecurityGroupRulesFlag(_ context.Context) (bool, error) {
+	// don't manage if manageBackendSGRules is false, else prefer the annotation value
+	if !t.manageBackendSGRules {
+		return false, nil
+	}
 	explicitManageSGRulesFlag := make(map[bool]struct{})
 	manageSGRules := false
 	for _, member := range t.ingGroup.Members {