Skip to content

Add support for shared subnets #904

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 10, 2019
Merged

Add support for shared subnets #904

merged 1 commit into from
Apr 10, 2019

Conversation

rifelpet
Copy link
Contributor

This allows the aws-alb-ingress-controller to create ALBs in subnets that are shared across accounts via AWS Resource Access Manager. See #901 for more details.

This currently requires that security groups be defined in the ingress annotation. I couldn't figure out an easy way to get the desired security group ID from the security group AssociationController into newLBInstance, so I'm settling for the annotation requirement for now.

Closes #901
Closes #865

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 28, 2019
@rifelpet
Copy link
Contributor Author

/test pull-aws-alb-ingress-controller-unit-test

@M00nF1sh
Copy link
Collaborator

M00nF1sh commented Mar 29, 2019
edited
Loading

Thanks for making this change :D. I'll take the time to fix the unit test issues(seems coverall is down).

I have make changes around securityGroup handling in my ingress group implementation, which will make managed LB securityGroup work as well(not ready to release out yet).

BTW,
Another change I did is removing the need for auto-generate node securityGroups. Instead, I directly adding an rule to existing node securityGroup that allow ingress traffic from LB securityGroup(similar to what we did for CLB/NLB).
This offers some benefits:

  1. do not need to deal with attach/detach node securityGroup from ENIs based on pod IPs.
  2. solves Deregistration delay doesn't seem to have any effect, since the security group is detached too early from the ENI #824 and Only 5 SGs per ENI allowed #682 without extra work.
  3. supports IP modes for kubenet without extra work.

It do have some "drawbacks" from the current solution(create an separate node sg per ALB, and attach/detach from ENIs as needed). But I don't consider it as less secure since ALB should be inside trust boundary. Also, securityGroup can only be attached to ENI instead of pod IP, there is no fundamental difference from just attach it to all ENIs.

Is this fine to you?

@M00nF1sh
Copy link
Collaborator

/test pull-aws-alb-ingress-controller-unit-test

@rifelpet
Copy link
Contributor Author

Interesting idea regarding security groups. If a node has multiple security groups attached, how will the controller choose which security group to update? We define one of our nodes' security groups in terraform and would prefer it not be changed by anything but terraform. If we can choose which security group the controller will update, or have the controller create one new security group, attach it to nodes, and use it for all updates, that would be great.

@M00nF1sh
Copy link
Collaborator

M00nF1sh commented Mar 29, 2019
edited
Loading

For each node, the securityGroup will be choose as follows(follow same logic as kubernetes support for CLB/NLB):
If there are multiple SG tagged with cluster tag, an error will be rised.
Else If there are one SG tagged with cluster tag, it will be choosen.
Else if there only one un-tagged securityGroup, it will be choosen.

The rules will be updated for all choose securityGroup to allow ingress traffic from auto-generated LB securityGroup.
Will this be good enough to not have an auto-created node securityGroup for nodes? or there are some use case i missed that requires it.

BTW, for We define one of our nodes' security groups in terraform and would prefer it not be changed by anything but terraform, if you use CLB/NLB(serviceType=LoadBalancer), kubenets will update that securityGroup using rules i described above.

@rifelpet
Copy link
Contributor Author

That makes sense and is sufficient for our situation. thanks!

@rifelpet
Copy link
Contributor Author

rifelpet commented Apr 1, 2019

/test pull-aws-alb-ingress-controller-unit-test

1 similar comment
@rifelpet
Copy link
Contributor Author

rifelpet commented Apr 9, 2019

/test pull-aws-alb-ingress-controller-unit-test

@rifelpet
Copy link
Contributor Author

rifelpet commented Apr 9, 2019

@M00nF1sh any idea why the unit tests are failing?

@M00nF1sh
Copy link
Collaborator

@M00nF1sh any idea why the unit tests are failing?

#915 will fix it 😄

@rifelpet
Add support for shared subnets
28834c2 
This currently requires that security groups be defined in the ingress annotation
@rifelpet
Copy link
Contributor Author

@M00nF1sh I rebased and all tests now pass. Thanks for fixing that.

@M00nF1sh
Copy link
Collaborator

an caveat: you'll need to manually clean up the LB when you delete the loadbalancer.(otherwise, this will fail deletion in shared subnets case)

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 10, 2019
@M00nF1sh
Copy link
Collaborator

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: M00nF1sh, rifelpet

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 10, 2019
@k8s-ci-robot k8s-ci-robot merged commit bbf005d into kubernetes-sigs:master Apr 10, 2019
@lutierigb lutierigb mentioned this pull request Aug 2, 2019
Closed
@mvillumsen mvillumsen mentioned this pull request Aug 13, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bigkraig bigkraig Awaiting requested review from bigkraig

@M00nF1sh M00nF1sh Awaiting requested review from M00nF1sh

Assignees

@M00nF1sh M00nF1sh

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rifelpet @M00nF1sh @k8s-ci-robot