Collaborator

@shuqz shuqz commented Apr 15, 2025

Issue

#4086

Description

This change introduces a new CLI flag named --enable-manage-backend-security-group-rules which takes true|false; the default is false. This change applies to ALB for now; NLB will be a fast follow-up.

Checklist

  • [✅] Added tests that cover your change (if possible)
  • [✅] Added/modified documentation as required (such as the README.md, or the docs directory)
  • [✅] Manually tested with multiple test cases

| Flag: Enable-backend-security-group | Flag: Enable-manage-backend-security-group-rules | Annotation: manage-backend-security-group-rules | Expected Behavior |
|---|---|---|---|
| false | true | N/A | error with backend security group must be enabled when manage backend security group rule is enabled |
| true | true | not specified | manage backend security group rules by controller enabled |
| true | true | false | manage backend security group rules by controller NOT enabled |
| true | false | true | manage backend security group rules by controller enabled |

  • [✅] E2E test for ingress & service
  • [✅] Made sure the title of the PR is a good description that can go into the release notes

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

  • Backfilled missing tests for code in same general area 🎉
  • Refactored something and made the world a better place 🌟
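
The precedence in the table above, written out as a small Go resolver with the four tested rows as input. This is an added example, not code from the PR or the controller: `ResolveManageRules`, `ErrBackendSGRequired` and the source strings are hypothetical names, and the handling of an unparsable annotation value and of a "true" annotation while the backend security group flag is false are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// Annotation key as written in the PR's documentation change.
const manageRulesAnnotation = "alb.ingress.kubernetes.io/manage-backend-security-group-rules"

// ErrBackendSGRequired carries the error text from the first row of the table.
var ErrBackendSGRequired = errors.New("backend security group must be enabled when manage backend security group rule is enabled")

// ResolveManageRules (hypothetical) returns the effective setting for one ingress and what decided it.
func ResolveManageRules(enableBackendSG, manageRulesFlag bool, annotations map[string]string) (bool, string, error) {
	if manageRulesFlag && !enableBackendSG {
		return false, "", ErrBackendSGRequired // row 1: the annotation is irrelevant (N/A)
	}
	raw, ok := annotations[manageRulesAnnotation]
	if !ok {
		return manageRulesFlag, "cli-flag", nil // not specified: the flag is the default
	}
	v, err := strconv.ParseBool(raw)
	if err != nil {
		// Assumption: a malformed value is reported rather than silently defaulted.
		return false, "", fmt.Errorf("invalid value %q for %s: %w", raw, manageRulesAnnotation, err)
	}
	if v && !enableBackendSG {
		// Assumption: not a table row; follows "--enable-backend-security-group needs to be true".
		return false, "", ErrBackendSGRequired
	}
	return v, "annotation", nil // the annotation overrides the flag in either direction
}

func main() {
	// Constructed inputs: the four manually tested rows from the table.
	rows := []struct {
		backendSG, flag bool
		ann             map[string]string
	}{
		{false, true, nil},
		{true, true, nil},
		{true, true, map[string]string{manageRulesAnnotation: "false"}},
		{true, false, map[string]string{manageRulesAnnotation: "true"}},
	}
	for _, r := range rows {
		on, src, err := ResolveManageRules(r.backendSG, r.flag, r.ann)
		fmt.Printf("backendSG=%v flag=%v -> managed=%v source=%q err=%v\n", r.backendSG, r.flag, on, src, err)
	}
}
```
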

linux-foundation-easycla bot commented Apr 15, 2025

CLA Signed

The committers listed above are authorized under a signed CLA.

@k8s-ci-robot added the `cncf-cla: no` label (Indicates the PR's author has not signed the CNCF CLA.) Apr 15, 2025
@k8s-ci-robot
Contributor

Welcome @shuqz!

It looks like this is your first PR to kubernetes-sigs/aws-load-balancer-controller 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/aws-load-balancer-controller has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot added the `needs-ok-to-test` label (Indicates a PR that requires an org member to verify it is safe to test.) Apr 15, 2025
@k8s-ci-robot
Contributor

Hi @shuqz. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot added the `size/XL` (Denotes a PR that changes 500-999 lines, ignoring generated files.) and `cncf-cla: yes` (Indicates the PR's author has signed the CNCF CLA.) labels and removed the `cncf-cla: no` (Indicates the PR's author has not signed the CNCF CLA.) label Apr 15, 2025

- To enable managing backend security group rules for all resources, using cli flag `--enable-manage-backend-security-group-rules`
- when set to `true`, the controller will automatically manage backend security group rules for all resources
- individual ingress annotation takes precedence over cli flag, meaning it can be overridden with annotation `alb.ingress.kubernetes.io/manage-backend-security-group-rules: "false"`
- for this to take effect, `--enable-backend-security-group` needs to be true and user explicitly specify security group using annotation: alb.ingress.kubernetes.io/security-groups
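Review bot: The last bullet says `--enable-backend-security-group` needs to be true but not what happens when it is false; the test table in the PR description shows the controller errors with "backend security group must be enabled when manage backend security group rule is enabled" in that case, and the documentation should state this so the failure is not a surprise at startup. In the same bullet, alb.ingress.kubernetes.io/security-groups is left unquoted while the annotation in the bullet above is in backticks, and the override bullet only shows the "false" case although the table also covers a false flag overridden by a "true" annotation.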
Collaborator

Make sure to include the nlb annotation :) when you add support.

defaultTargetType: elbv2model.TargetType(defaultTargetType),
defaultLoadBalancerScheme: elbv2model.LoadBalancerScheme(defaultLoadBalancerScheme),
enableBackendSG: enableBackendSG,
enableManageBackendSGRules: enableManageBackendSecurityGroupRules,
Collaborator

nit: can you call this defaultEnableManageBackendSGRules to denote that this is the default value.

Collaborator Author

It is defined in a different package (ingress vs. config); I can export it if you want to. But I do not know why we want to do this. Based on the current pattern we have in this function, we do not denote any default value? The default value is assigned in func (cfg *ControllerConfig) BindFlags(fs *pflag.FlagSet). Let me know if I misunderstand it.

Collaborator Author

synced offline, will update the name

// first check cli flag
if t.enableManageBackendSGRules {
manageSGRules = t.enableManageBackendSGRules
t.logger.Info("Enable manage backend security group rules flag is configured to be true via cli flag.")
Collaborator

This log message might get noisy. Recommend removing it or adding .V(1) to the log.

Collaborator Author

I will update it with .V(1)

func (t *defaultModelBuildTask) buildManageSecurityGroupRulesFlag(_ context.Context) (bool, error) {
explicitManageSGRulesFlag := make(map[bool]struct{})
manageSGRules := false
manageSGRules := false // default value
Collaborator

you could save some LoC by just doing

manageSGRules := t.enableManageBackendSGRules 
Collaborator Author

also found a little bug for case when annotation is not specified, going to fix it

manageSGRules = rawManageSGRule
if rawManageSGRule != manageSGRules {
manageSGRules = rawManageSGRule
t.logger.Info("Override enable manage backend security group rules flag with annotation", "value: ", rawManageSGRule, "for ingress", k8s.NamespacedName(member.Ing).String(), "in ingress yaml file")
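Review bot: The `t.logger.Info` call on the last line passes an odd number of arguments after the message: "value: " with rawManageSGRule and "for ingress" with the namespaced name form two key/value pairs, and "in ingress yaml file" is left as a key with no value. If this logger takes alternating keys and values, as the `.V(1)` suggestion elsewhere in this review implies, move the sentence fragments into the message and use plain keys such as "value" and "ingress". This line records an ingress overriding a cluster-wide setting for security group rules, so a well-formed ingress field is what lets someone audit later which ingress turned rule management on or off.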
Collaborator

same comment, might get noisy.

Collaborator

@shraddhabang shraddhabang left a comment

/lgtm

@k8s-ci-robot added the `lgtm` label ("Looks good to me", indicates that a PR is ready to be merged.) Apr 16, 2025
@k8s-ci-robot removed the `lgtm` label ("Looks good to me", indicates that a PR is ready to be merged.) Apr 16, 2025
@zac-nixon
Collaborator

/ok-to-test

@k8s-ci-robot added the `ok-to-test` label (Indicates a non-member PR verified by an org member that is safe to test.) and removed the `needs-ok-to-test` label (Indicates a PR that requires an org member to verify it is safe to test.) Apr 17, 2025
remove auto-generated file
address comments
support enable manage backend SG rules for NLB
Collaborator

@zac-nixon zac-nixon left a comment

/lgtm

@k8s-ci-robot added the `lgtm` label ("Looks good to me", indicates that a PR is ready to be merged.) Apr 17, 2025
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: shuqz, zac-nixon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot added the `approved` label (Indicates a PR has been approved by an approver from all required OWNERS files.) Apr 17, 2025
@wweiwei-li
Collaborator

/lgtm

@k8s-ci-robot merged commit 409a680 into kubernetes-sigs:main Apr 17, 2025
5 checks passed

Labels

  • approved: Indicates a PR has been approved by an approver from all required OWNERS files.
  • cncf-cla: yes: Indicates the PR's author has signed the CNCF CLA.
  • lgtm: "Looks good to me", indicates that a PR is ready to be merged.
  • ok-to-test: Indicates a non-member PR verified by an org member that is safe to test.
  • size/XL: Denotes a PR that changes 500-999 lines, ignoring generated files.

5 participants