filter redundant health check SG rules

Author: kishorj

pkg/service/model_build_target_group.go

@@ -5,20 +5,21 @@ import (
 "crypto/sha256"
 "encoding/hex"
 "fmt"
+"regexp"
+"sort"
+"strconv"
+"strings"
+
 "github.com/aws/aws-sdk-go/aws"
 "github.com/pkg/errors"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
 "k8s.io/apimachinery/pkg/util/intstr"
-"regexp"
 elbv2api "sigs.k8s.io/aws-load-balancer-controller/apis/elbv2/v1beta1"
 "sigs.k8s.io/aws-load-balancer-controller/pkg/annotations"
 "sigs.k8s.io/aws-load-balancer-controller/pkg/k8s"
 elbv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
-"sort"
-"strconv"
-"strings"
 )
 
 const (
@@ -395,9 +396,10 @@ func (t *defaultModelBuildTask) buildTargetGroupBindingSpec(ctx context.Context,
 }, nil
 }
 
-func (t *defaultModelBuildTask) buildPeersFromSourceRanges(_ context.Context, defaultSourceRanges []string) []elbv2model.NetworkingPeer {
+func (t *defaultModelBuildTask) buildPeersFromSourceRanges(_ context.Context, defaultSourceRanges []string) ([]elbv2model.NetworkingPeer, bool) {
 var sourceRanges []string
 var peers []elbv2model.NetworkingPeer
+customSourceRangesConfigured := true
 for _, cidr := range t.service.Spec.LoadBalancerSourceRanges {
 sourceRanges = append(sourceRanges, cidr)
 }
@@ -406,6 +408,7 @@ func (t *defaultModelBuildTask) buildPeersFromSourceRanges(_ context.Context, de
 }
 if len(sourceRanges) == 0 {
 sourceRanges = defaultSourceRanges
+customSourceRangesConfigured = false
 }
 for _, cidr := range sourceRanges {
 peers = append(peers, elbv2model.NetworkingPeer{
@@ -414,7 +417,7 @@ func (t *defaultModelBuildTask) buildPeersFromSourceRanges(_ context.Context, de
 },
 })
 }
-return peers
+return peers, customSourceRangesConfigured
 }
 
 func (t *defaultModelBuildTask) buildTargetGroupBindingNetworking(ctx context.Context, tgPort intstr.IntOrString, preserveClientIP bool,
@@ -438,8 +441,9 @@ func (t *defaultModelBuildTask) buildTargetGroupBindingNetworking(ctx context.Co
 },
 }
 trafficSource := fromVPC
+customSourceRangesConfigured := false
 if networkingProtocol == elbv2api.NetworkingProtocolUDP || preserveClientIP {
-trafficSource = t.buildPeersFromSourceRanges(ctx, defaultSourceRanges)
+trafficSource, customSourceRangesConfigured = t.buildPeersFromSourceRanges(ctx, defaultSourceRanges)
 }
 tgbNetworking := &elbv2model.TargetGroupBindingNetworking{
 Ingress: []elbv2model.NetworkingIngressRule{
@@ -449,21 +453,9 @@ func (t *defaultModelBuildTask) buildTargetGroupBindingNetworking(ctx context.Co
 },
 },
 }
-if preserveClientIP || tgProtocol == corev1.ProtocolUDP || (hcPort.String() != healthCheckPortTrafficPort && hcPort.IntValue() != tgPort.IntValue()) {
-var healthCheckPorts []elbv2api.NetworkingPort
-networkingProtocolTCP := elbv2api.NetworkingProtocolTCP
-networkingHealthCheckPort := hcPort
-if hcPort.String() == healthCheckPortTrafficPort {
-networkingHealthCheckPort = tgPort
-}
-healthCheckPorts = append(healthCheckPorts, elbv2api.NetworkingPort{
-Port: &networkingHealthCheckPort,
-Protocol: &networkingProtocolTCP,
-})
-tgbNetworking.Ingress = append(tgbNetworking.Ingress, elbv2model.NetworkingIngressRule{
-From: fromVPC,
-Ports: healthCheckPorts,
-})
+if hcIngressRules := t.buildHealthCheckNetworkingIngressRules(trafficSource, fromVPC, tgPort, hcPort, tgProtocol,
+preserveClientIP, customSourceRangesConfigured); len(hcIngressRules) > 0 {
+tgbNetworking.Ingress = append(tgbNetworking.Ingress, hcIngressRules...)
 }
 return tgbNetworking
 }
@@ -483,3 +475,35 @@ func (t *defaultModelBuildTask) buildTargetGroupBindingNodeSelector(_ context.Co
 MatchLabels: targetNodeLabels,
 }, nil
 }
+
+func (t *defaultModelBuildTask) buildHealthCheckNetworkingIngressRules(trafficSource, hcSource []elbv2model.NetworkingPeer, tgPort, hcPort intstr.IntOrString,
+tgProtocol corev1.Protocol, preserveClientIP, customSoureRanges bool) []elbv2model.NetworkingIngressRule {
+if tgProtocol != corev1.ProtocolUDP &&
+(hcPort.String() == healthCheckPortTrafficPort || hcPort.IntValue() == tgPort.IntValue()) {
+if !preserveClientIP {
+return []elbv2model.NetworkingIngressRule{}
+}
+if !customSoureRanges {
+return []elbv2model.NetworkingIngressRule{}
+}
+for _, src := range trafficSource {
+if src.IPBlock.CIDR == "0.0.0.0/0" {
+return []elbv2model.NetworkingIngressRule{}
+}
+}
+}
+var healthCheckPorts []elbv2api.NetworkingPort
+networkingProtocolTCP := elbv2api.NetworkingProtocolTCP
+networkingHealthCheckPort := hcPort
+if hcPort.String() == healthCheckPortTrafficPort {
+networkingHealthCheckPort = tgPort
+}
+healthCheckPorts = append(healthCheckPorts, elbv2api.NetworkingPort{
+Port: &networkingHealthCheckPort,
+Protocol: &networkingProtocolTCP,
+})
+return []elbv2model.NetworkingIngressRule{{
+From: hcSource,
+Ports: healthCheckPorts,
+}}
+}

pkg/service/model_build_target_group_test.go

@@ -624,26 +624,6 @@ func Test_defaultModelBuilderTask_buildTargetGroupBindingNetworking(t *testing.T
 },
 },
 },
-{
-From: []elbv2.NetworkingPeer{
-{
-IPBlock: &elbv2api.IPBlock{
-CIDR: "172.16.0.0/19",
-},
-},
-{
-IPBlock: &elbv2api.IPBlock{
-CIDR: "1.2.3.4/19",
-},
-},
-},
-Ports: []elbv2api.NetworkingPort{
-{
-Protocol: &networkingProtocolTCP,
-Port: &port80,
-},
-},
-},
 },
 },
 },
@@ -837,6 +817,57 @@ func Test_defaultModelBuilderTask_buildTargetGroupBindingNetworking(t *testing.T
 },
 },
 },
+{
+name: "tcp-service with preserve Client IP, hc is traffic port, source range specified and contains 0/0",
+svc: &corev1.Service{
+Spec: corev1.ServiceSpec{
+LoadBalancerSourceRanges: []string{"10.0.0.0/16", "1.2.3.4/24", "0.0.0.0/0"},
+},
+},
+tgPort: port80,
+hcPort: port80,
+subnets: []*ec2.Subnet{
+{
+CidrBlock: aws.String("172.16.0.0/19"),
+SubnetId: aws.String("sn-1"),
+},
+{
+CidrBlock: aws.String("1.2.3.4/19"),
+SubnetId: aws.String("sn-2"),
+},
+},
+tgProtocol: corev1.ProtocolTCP,
+preserveClientIP: true,
+want: &elbv2.TargetGroupBindingNetworking{
+Ingress: []elbv2.NetworkingIngressRule{
+{
+From: []elbv2.NetworkingPeer{
+{
+IPBlock: &elbv2api.IPBlock{
+CIDR: "10.0.0.0/16",
+},
+},
+{
+IPBlock: &elbv2api.IPBlock{
+CIDR: "1.2.3.4/24",
+},
+},
+{
+IPBlock: &elbv2api.IPBlock{
+CIDR: "0.0.0.0/0",
+},
+},
+},
+Ports: []elbv2api.NetworkingPort{
+{
+Protocol: &networkingProtocolTCP,
+Port: &port80,
+},
+},
+},
+},
+},
+},
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {

pkg/service/model_builder_test.go

@@ -1265,31 +1265,6 @@ func Test_defaultModelBuilderTask_Build(t *testing.T) {
  "port":31223
  }
  ]
- },
- {
- "from":[
- {
- "ipBlock":{
- "cidr":"192.168.0.0/19"
- }
- },
- {
- "ipBlock":{
- "cidr":"192.168.32.0/19"
- }
- },
- {
- "ipBlock":{
- "cidr":"192.168.64.0/19"
- }
- }
- ],
- "ports":[
- {
- "protocol":"TCP",
- "port":31223
- }
- ]
  }
  ]
  }
@@ -1330,31 +1305,6 @@ func Test_defaultModelBuilderTask_Build(t *testing.T) {
  "port":32323
  }
  ]
- },
- {
- "from":[
- {
- "ipBlock":{
- "cidr":"192.168.0.0/19"
- }
- },
- {
- "ipBlock":{
- "cidr":"192.168.32.0/19"
- }
- },
- {
- "ipBlock":{
- "cidr":"192.168.64.0/19"
- }
- }
- ],
- "ports":[
- {
- "protocol":"TCP",
- "port":32323
- }
- ]
  }
  ]
  }
@@ -1974,21 +1924,6 @@ func Test_defaultModelBuilderTask_Build(t *testing.T) {
  "port": 80
  }
  ]
- },
- {
- "from": [
- {
- "ipBlock": {
- "cidr": "192.168.0.0/19"
- }
- }
- ],
- "ports": [
- {
- "protocol": "TCP",
- "port": 80
- }
- ]
  }
  ]
  },