Add support for optionally enforcing NLB security groups on PrivateLi…

[wweiwei-li]

…nk traffic

Issue

#3386

Description

This is a feature to support optionally enforce NLB security groups on PrivateLink traffic. For the change, added a new annotation aws-load-balancer-inbound-sg-rules-on-private-link-traffic to configure whether to apply security group rules to traffic sent to the load balancer through AWS PrivateLink. The value of it can be set to "off" and "on". After creating new NLB, will check if the annotation is specified. If yes, will call updateSDKLoadBalancerWithSecurityGroups, where added the logic to check if we need to call setSecurityGroup to update EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic.

Checklist

• Added tests that cover your change (if possible)
• Added/modified documentation as required (such as the README.md, or the docs directory)
• Manually tested
• Made sure the title of the PR is a good description that can go into the release notes

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

• Backfilled missing tests for code in same general area 🎉
• Refactored something and made the world a better place 🌟

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: wweiwei-li (bfff95f)

[k8s-ci-robot]

Welcome @wweiwei-li!

It looks like this is your first PR to kubernetes-sigs/aws-load-balancer-controller 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/aws-load-balancer-controller has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @wweiwei-li. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[shraddhabang]

We should modify this error message to give them suggestion to use the allowed values as well. Something like errors.Errorf("Invalid value for securityGroupsInboundRulesOnPrivateLink status: %v, value must be one of [%v, %v]", securityGroupsInboundRulesOnPrivateLink), string(elbv2model.SecurityGroupsInboundRulesOnPrivateLinkOn), string(elbv2model.SecurityGroupsInboundRulesOnPrivateLinkOff)

[dims]

/check-cla
/easycla

[shraddhabang]

/ok-to-test

[oliviassss]

should we move these to pkg/model/ec2/security_group.go instead?

[wweiwei-li]

Yes, it is okay to move these to pkg/model/ec2/security_group.go. One concern is this field is actually a load balancer field, even though it is related to security groups

[oliviassss]

why need to convert it to string? can we just check if it's nil or not? Same for all the string() != "" below

[wweiwei-li]

As you suggested if user does not specify the annotation, we will skip adding it as a spec. In this case, we will no longer have resLB.Spec.SecurityGroupsInboundRulesOnPrivateLink = "", so we can just check if it is nil.

[oliviassss]

why need a default value for currentEnforceSecurityGroupInboundRulesOnPrivateLinkTraffic? let's say, if the resLB.Spec.SecurityGroupsInboundRulesOnPrivateLink is on, and there's no such setting on sdkLB, so the currentEnforceSecurityGroupInboundRulesOnPrivateLinkTraffic defaults to on, we ignore this situation?

[wweiwei-li]

Good catch. I was thinking it was "on" by default, but it is not. I will the set currentEnforceSecurityGroupInboundRulesOnPrivateLinkTraffic based on sdkLB as below.

	var currentEnforceSecurityGroupInboundRulesOnPrivateLinkTraffic string
	if sdkLB.LoadBalancer.EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic != nil {
		currentEnforceSecurityGroupInboundRulesOnPrivateLinkTraffic = awssdk.StringValue(sdkLB.LoadBalancer.EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic)
		}

[oliviassss]

maybe just a var securityGroupsInboundRulesOnPrivateLink string

[wweiwei-li]

Sure, we can just use var securityGroupsInboundRulesOnPrivateLink string

[oliviassss]

if user does not specify the annotation, can we just skip adding it as a spec in the LB? it's a bit strange to have "securityGroupsInboundRulesOnPrivateLink":"".
And I think we should have the default value to "off", for backward compatibility.

[wweiwei-li]

Good point, I agree if user does not specify the annotation, we should just skip adding it as a spec in the LB.

[shraddhabang]

Just note : Default value for this is "On".

[oliviassss]

we need unit tests added for the cases: 1)annotation setting to "on",
2)annotation setting to "off"
3)no annotation at all.

[wweiwei-li]

I added some code in pkg/service/model_builder_test.go. When the annotation is set to "on", the build model will have "securityGroupsInboundRulesOnPrivateLink":"on". If the annotation is set to "off", the build model will have "securityGroupsInboundRulesOnPrivateLink":"off". If there is no annotation, "securityGroupsInboundRulesOnPrivateLink" will not be included. Is this sufficient?

[oliviassss]

it will be confusing that it says only accept "on" and "off", but it actually allows an empty string "".

[wweiwei-li]

It won't allow empty string "". An empty string will also fall into the condition of an invalid value.

[oliviassss]

@wweiwei-li, thanks for the contribution. I left some comments.

The value of it can be set to "off" and "on". It is optional and if it is default to "on"

For backward compatibility, I think we shouldn't have "on" as default.
If the user doesn't specify the annotation, we skip adding any spec to their NLBs, nothing changed; if the annotation exists, we validate the value and add the spec accordingly.

[shraddhabang]

/lgtm
/approve

[oliviassss]

/lgtm
/assign @M00nF1sh

[M00nF1sh]

should this be something like

aws-load-balancer-enforce-sg-inbound-rules-on-pl-traffic

or

aws-load-balancer-enforce-sg-inbound-rules-on-private-link-traffic

[wweiwei-li]

Good point, I like aws-load-balancer-enforce-sg-inbound-rules-on-private-link-traffic but annotation must be 63 characters or less, so we decided to use aws-load-balancer-inbound-sg-rules-on-private-link-traffic

[M00nF1sh]

is this EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic can only be set with this SetSecurityGroups call after LB creation?

[wweiwei-li]

Yes, we can only set it after LB creation

[M00nF1sh]

let's add a method that checks whether SGInboundRulesOnPrivateLink shall be enforced
something like

isEnforceSGInboundRulesOnPrivateLinkUpdated(sdkLB, resLB) {
   ...checks sdkLB.EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic & resLB.EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic
}

then if desiredSecurityGroups.Equal(currentSecurityGroups) && !isEnforceSGInboundRulesOnPrivateLinkUpdated(...) { return nil}

and later, simple set req. EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic based on resLB.EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic

[wweiwei-li]

Wrap up all checks into isEnforceSGInboundRulesOnPrivateLinkUpdated(sdkLB, resLB) method is a great idea. I made change based on your suggestion. To be able to use current and desired value in logs, I also return currentEnforceSecurityGroupInboundRulesOnPrivateLinkTraffic, desiredEnforceSecurityGroupInboundRulesOnPrivateLinkTraffic value. Please let me know if it looks good to you.

[M00nF1sh]

i'd prefer to use below:

if securityGroupsInboundRulesOnPrivateLink != ""  {
   spec.SecurityGroupsInboundRulesOnPrivateLink = &securityGroupsInboundRulesOnPrivateLink
}

[wweiwei-li]

Yes, good point, will update

[M00nF1sh]

can we change the return value to be *elbv2model.SecurityGroupsInboundRulesOnPrivateLinkStatus, error
thus we can return nil instead of "" to represent "not set".
The reason why this is better is technically "" is not a valid value for SecurityGroupsInboundRulesOnPrivateLinkStatus enum.

[M00nF1sh]

1. Nit, since there is only one change call technically, i'd prefer to use a single log call
   var changeDescriptions []string
   if !desiredSecurityGroups.Equal(currentSecurityGroups) {
   changeDescriptions = append(changeDescriptions, "changeSecurityGroups", changeSecurityGroupsDesc)
   }
   req := &elbv2sdk.SetSecurityGroupsInput{
   LoadBalancerArn: sdkLB.LoadBalancer.LoadBalancerArn,
   SecurityGroups: securityGroups,
   }

if ! isEnforceSGInboundRulesOnPrivateLinkUpdated {
changeDescriptions = append(changeDescriptions, "changeEnforceSecurityGroupInboundRulesOnPrivateLinkTraffic", changeEnforceSecurityGroupInboundRulesOnPrivateLinkTrafficDesc)
req.EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic: awssdk.String(desiredEnforceSecurityGroupInboundRulesOnPrivateLinkTraffic),
}
m.logger.Info("modifying loadBalancer security group settings",
"stackID", resLB.Stack().StackID(),
"resourceID", resLB.ID(),
"arn", awssdk.StringValue(sdkLB.LoadBalancer.LoadBalancerArn),
...changeDescriptions)
2. per the current log, req.EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic is only set when there is a change. So if the security group changed but isEnforceSGInboundRulesOnPrivateLinkUpdated is false, then req.EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic will be nil, what's the API behavior under such case, will it untouch the existing EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic settings on LB or reset it to default value(something we don't want).

[wweiwei-li]

1. Yes, we can switch to use a single log call.

[wweiwei-li]

2. Good question, it will untouch the existing EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic settings

[M00nF1sh]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: M00nF1sh, shraddhabang, wweiwei-li

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [M00nF1sh]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[vumdao]

Hi, can we know when this ticket is released?

[elaineclsouza]

Any predictions on when this will be published in the release?

[VanessaDiniz]

I'm also waiting

[william-araujo-dock]

When will you implement this feature?

[wweiwei-li]

Hey, This feature will be released in V2.8.0 targeting the end of this week.