OpenShift Specialist Platform Team
SPLAT-2253

[AWS NLB SG]: CCM-upstream feature: Implement support of creating a service load balancer NLB with support of Security Group (through Cloud Config)

    • Product / Portfolio Work

      Waiting for PR final review by AWS team:
      https://github.com/kubernetes/cloud-provider-aws/pull/1158 (approved by Cloud team)
    • OpenShift SPLAT - Sprint 272, OpenShift SPLAT - Sprint 273, OpenShift SPLAT - Sprint 274, OpenShift SPLAT - Sprint 275, OpenShift SPLAT - Sprint 276

      User Story:
As an OpenShift Engineer I want to implement support for creating a Service load balancer NLB with an associated Security Group, so that the load balancer controller has an opt-in flow that improves the security posture and follows AWS best practices.

      Description:

This story focuses on implementing the functionality within the AWS Cloud Controller Manager (CCM) that allows OpenShift to enforce provisioning of Network Load Balancers (NLBs) with associated Security Groups. Currently, the CCM does not directly support attaching Security Groups to NLBs during provisioning.

This enhancement will introduce a new CCM configuration that changes the controller's default NLB provisioning when creating LoadBalancer type Services, so that the NLB is created with a Security Group managed by the CCM. This provides a more granular and AWS-native approach to securing NLBs compared to managing security rules solely on the worker nodes.

While the AWS Load Balancer Controller (https://github.com/kubernetes-sigs/aws-load-balancer-controller) already offers this capability by default, the goal of this story is to add a minimal, opt-in setting that an OpenShift operator enables to enforce a Security Group on NLB creation. This approach aims to provide the necessary functionality without requiring changes to the OpenShift Ingress Controller or other OpenShift components such as the installer, ROSA services, etc.

      Acceptance Criteria:

      • A new cloud configuration, "Global.NLBSecurityGroupEnabled", is added to cloud-provider-aws to change the default behavior when creating a Service of type LoadBalancer backed by an NLB.
      • When a Kubernetes Service of type LoadBalancer carries the annotation service.beta.kubernetes.io/aws-load-balancer-type: nlb, the CCM will create the Security Group and provision the NLB, associating the Security Group during creation.
      • If the global configuration, "Global.NLBSecurityGroupEnabled", is not present in the controller config, the CCM will continue with its existing default NLB provisioning behavior without associating any specific Security Groups at the NLB level.
      • If the configuration, "Global.NLBSecurityGroupEnabled", is set but the Service of type LoadBalancer results in a CLB (Classic Load Balancer; annotation aws-load-balancer-type set to a value other than nlb, or absent), the controller will ignore the configuration.
      • The implementation ensures that the new configuration is strictly opt-in (for CCM) and does not alter the default behavior of the CCM for NLB provisioning when the configuration is absent.
      • The implementation ensures that the new configuration is required and enabled by default on OpenShift, so that the CCM always provisions Service type LoadBalancer NLBs with Security Groups.
        • The Installer must enable the cloud config by default.
        • Hypershift must enable this flag (OCM?).
      • The CCM should log appropriate messages indicating whether a Security Group is being associated with the NLB, based on the presence of the annotation.
      • The documentation for the AWS CCM in OpenShift is updated to include the new global configuration.
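The decision rules in the acceptance criteria above, written out as an added Go example. This is an illustration for this ticket, not code from cloud-provider-aws or from PR #1158; the type and function names (GlobalConfig, Decision, DecideNLBSecurityGroup, isNLB) are hypothetical, and the assumption that the annotation value is matched exactly against "nlb" is marked in the code. The only identifiers taken from the page are the config key Global.NLBSecurityGroupEnabled and the annotation service.beta.kubernetes.io/aws-load-balancer-type.

```go
package main

import "fmt"

// Added illustration of the opt-in described in the acceptance criteria.
// Type and function names here are hypothetical; this is not the
// cloud-provider-aws code from PR #1158.

// loadBalancerTypeAnnotation is the Service annotation named on the page.
// The value "nlb" selects an NLB; any other value, or no annotation at all,
// results in a Classic Load Balancer (CLB).
const loadBalancerTypeAnnotation = "service.beta.kubernetes.io/aws-load-balancer-type"

// GlobalConfig models the [Global] section of the CCM cloud config; only the
// field relevant to this story is included. A nil *GlobalConfig stands for a
// cloud config in which the key is not present (assumption: a real INI parser
// would leave the bool false, so "absent" and "false" take the same path).
type GlobalConfig struct {
	NLBSecurityGroupEnabled bool
}

// Decision is the outcome for one Service of type LoadBalancer: whether the
// CCM should create and associate a managed Security Group, and the message
// it should log to explain why (the logging acceptance criterion).
type Decision struct {
	AttachSecurityGroup bool
	Reason              string
}

func isNLB(annotations map[string]string) bool {
	// Exact match assumed; the page does not state how case is handled.
	return annotations[loadBalancerTypeAnnotation] == "nlb"
}

// DecideNLBSecurityGroup applies the rules from the acceptance criteria:
//   - a CLB Service ignores the setting entirely;
//   - config absent or false keeps the existing default NLB provisioning;
//   - config true attaches a CCM-managed Security Group at NLB creation.
func DecideNLBSecurityGroup(cfg *GlobalConfig, annotations map[string]string) Decision {
	if !isNLB(annotations) {
		return Decision{false, "service provisions a CLB; Global.NLBSecurityGroupEnabled ignored"}
	}
	if cfg == nil {
		return Decision{false, "Global.NLBSecurityGroupEnabled not present; default NLB provisioning, no managed Security Group"}
	}
	if !cfg.NLBSecurityGroupEnabled {
		return Decision{false, "Global.NLBSecurityGroupEnabled=false; default NLB provisioning, no managed Security Group"}
	}
	return Decision{true, "Global.NLBSecurityGroupEnabled=true; creating CCM-managed Security Group and associating it with the NLB"}
}

func main() {
	enabled := &GlobalConfig{NLBSecurityGroupEnabled: true}
	disabled := &GlobalConfig{NLBSecurityGroupEnabled: false}
	nlb := map[string]string{loadBalancerTypeAnnotation: "nlb"}
	clb := map[string]string{} // constructed: no type annotation, so a CLB

	// Constructed cases, one per acceptance criterion.
	cases := []struct {
		name string
		cfg  *GlobalConfig
		ann  map[string]string
	}{
		{"OpenShift default (installer enables flag), NLB service", enabled, nlb},
		{"flag enabled, CLB service", enabled, clb},
		{"flag absent from cloud config, NLB service", nil, nlb},
		{"flag explicitly false, NLB service", disabled, nlb},
	}
	for _, c := range cases {
		d := DecideNLBSecurityGroup(c.cfg, c.ann)
		fmt.Printf("%-55s attachSG=%-5v %s\n", c.name, d.AttachSecurityGroup, d.Reason)
	}
}
```

Only the first case attaches a Security Group; the CLB case shows the setting being ignored regardless of its value, and the absent and false cases show the unchanged default path. Keeping the log message next to the boolean makes the "log appropriate messages" criterion part of the same decision rather than an afterthought.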

      Other Information:

      • Related Research:
      • Potential Code Location:
      • Considerations:

              rhn-support-mrbraga Marco Braga