OpenShift Request For Enhancement: RFE-5388

Support for Security Groups in AWS Load Balancer Operator


    • Type: Feature Request
    • Resolution: Done
    • Priority: Major

      1. Proposed title of this feature request
      2. What is the nature and description of the request?
      The service.beta.kubernetes.io/aws-load-balancer-security-groups annotation is listed in the aws-load-balancer-controller documentation but it is not implemented in ALBO.

      After installing ALBO, I created the following svc in my cluster:

      kind: Service
      apiVersion: v1
      metadata:
        annotations:
          service.beta.kubernetes.io/aws-load-balancer-type: nlb
          service.beta.kubernetes.io/aws-load-balancer-internal: 'true'
          service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
          service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: '30769'
          service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /healthz
          service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval: '30'
          service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold: '2'
          service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules: 'true'
          service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: red-hat-managed=true
          service.beta.kubernetes.io/aws-load-balancer-healthcheck-timeout: '6'
          service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold: '2'
          service.beta.kubernetes.io/aws-load-balancer-security-groups: sg-0ef825028410aa90a
          service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: http
        name: test-svc
        namespace: test-ns
      spec:
        externalTrafficPolicy: Cluster
        ipFamilies:
          - IPv4
        ports:
          - name: HTTP
            protocol: TCP
            port: 80
            targetPort: http
            nodePort: 31389
        internalTrafficPolicy: Cluster
        allocateLoadBalancerNodePorts: true
        type: LoadBalancer
        ipFamilyPolicy: SingleStack
        sessionAffinity: None
      

      The LB was created in AWS but the SecurityGroup wasn't associated with it.
      I checked the CloudTrail event and found the SG wasn't passed as part of the requestParameters:

      {
          "eventVersion": "1.09",
          "userIdentity": {
              "type": "AssumedRole",
              "principalId": "xxxxxxxxxxxxx:i-0dde6ed2f644204df",
              "arn": "arn:aws:sts::xxxxxxxxxxx:assumed-role/ManagedOpenShift-ControlPlane-Role/i-0dde6ed2f644204df",
              "accountId": "xxxxxxxxxxxxxx",
              "accessKeyId": "xxxxxxxxxxxxxxx",
              "sessionContext": {
                  "sessionIssuer": {
                      "type": "Role",
                      "principalId": "xxxxxxxxxx",
                      "arn": "arn:aws:iam::xxxxxxxxxx:role/ManagedOpenShift-ControlPlane-Role",
                      "accountId": "xxxxxxxxxx",
                      "userName": "ManagedOpenShift-ControlPlane-Role"
                  },
                  "attributes": {
                      "creationDate": "2024-04-08T16:24:46Z",
                      "mfaAuthenticated": "false"
                  },
                  "ec2RoleDelivery": "2.0"
              }
          },
          "eventTime": "2024-04-08T16:59:48Z",
          "eventSource": "elasticloadbalancing.amazonaws.com",
          "eventName": "CreateLoadBalancer",
          "awsRegion": "us-west-2",
          "sourceIPAddress": "35.166.144.177",
          "userAgent": "kubernetes/v1.26.14+03ee898 aws-sdk-go/1.44.116 (go1.19.13 X:strictfipsruntime; linux; amd64)",
          "requestParameters": {
              "type": "network",
              "subnetMappings": [
                  {
                      "subnetId": "subnet-046c198d4ede18c27"
                  }
              ],
              "name": "a8ba49654c83543ef87e06596dd927a1",
              "tags": [
                  {
                      "value": "test-ns/test-svc",
                      "key": "kubernetes.io/service-name"
                  },
                  {
                      "value": "true",
                      "key": "red-hat-managed"
                  },
                  {
                      "value": "owned",
                      "key": "kubernetes.io/cluster/gilins-stage-7b82h"
                  }
              ],
              "scheme": "internal"
          },
          "responseElements": {
              "loadBalancers": [
                  {
                      "loadBalancerName": "a8ba49654c83543ef87e06596dd927a1",
                      "state": {
                          "code": "provisioning"
                      },
                      "dNSName": "a8ba49654c83543ef87e06596dd927a1-269d67890b916b9b.elb.us-west-2.amazonaws.com",
                      "canonicalHostedZoneId": "Z18D5FSROUN65G",
                      "loadBalancerArn": "arn:aws:elasticloadbalancing:us-west-2:xxxxxxxxxxxxx:loadbalancer/net/a8ba49654c83543ef87e06596dd927a1/269d67890b916b9b",
                      "type": "network",
                      "vpcId": "vpc-092c579892c95147f",
                      "availabilityZones": [
                          {
                              "loadBalancerAddresses": [],
                              "subnetId": "subnet-046c198d4ede18c27",
                              "zoneName": "us-west-2a"
                          }
                      ],
                      "ipAddressType": "ipv4",
                      "createdTime": "Apr 8, 2024 4:59:48 PM",
                      "enablePrefixForIpv6SourceNat": "off",
                      "scheme": "internal"
                  }
              ]
          },
          "requestID": "30d0a2aa-81e3-42f4-8762-36dbf650c156",
          "eventID": "0116d9dc-4898-45f3-89e9-a71f023b8e8e",
          "readOnly": false,
          "eventType": "AwsApiCall",
          "apiVersion": "2015-12-01",
          "managementEvent": true,
          "recipientAccountId": "244807459070",
          "eventCategory": "Management",
          "tlsDetails": {
              "tlsVersion": "TLSv1.3",
              "cipherSuite": "TLS_AES_128_GCM_SHA256",
              "clientProvidedHostHeader": "elasticloadbalancing.us-west-2.amazonaws.com"
          }
      } 

      3. Why does the customer need this?
      The customer needs this in place to automate the creation of LBs and make sure they include the Security Groups specified during LB creation.

      4. List any affected packages or components.
      AWS Load Balancer Operator
      AWS Load Balancer Controller
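The check described in this report (annotated security group vs. what actually reached the CreateLoadBalancer call) can be automated over a CloudTrail record. The following is an added example, not ALBO or aws-load-balancer-controller code; it assumes CloudTrail records the ELBv2 SecurityGroups request parameter as requestParameters.securityGroups, and the Service and event samples are constructed from the data above.

```python
import json

SG_ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-security-groups"

# Constructed sample: the part of the Service from the report that matters here.
SERVICE = {"metadata": {"name": "test-svc", "namespace": "test-ns",
                        "annotations": {SG_ANNOTATION: "sg-0ef825028410aa90a"}}}

# Constructed sample: the CloudTrail record above, trimmed to the relevant fields.
EVENT = json.loads("""{
  "eventSource": "elasticloadbalancing.amazonaws.com",
  "eventName": "CreateLoadBalancer",
  "requestParameters": {
    "type": "network",
    "name": "a8ba49654c83543ef87e06596dd927a1",
    "tags": [{"key": "kubernetes.io/service-name", "value": "test-ns/test-svc"}],
    "scheme": "internal"
  }
}""")

def expected_security_groups(service):
    """Security groups the Service asked for (comma-separated annotation value)."""
    raw = service.get("metadata", {}).get("annotations", {}).get(SG_ANNOTATION, "")
    return [sg.strip() for sg in raw.split(",") if sg.strip()]

def service_name_tag(event):
    """namespace/name from the kubernetes.io/service-name tag, or '' if absent."""
    tags = event.get("requestParameters", {}).get("tags", [])
    return next((t.get("value", "") for t in tags
                 if t.get("key") == "kubernetes.io/service-name"), "")

def audit_create_lb(service, event):
    """Report which annotated security groups never reached the API call.
    Assumption: CloudTrail records the ELBv2 SecurityGroups parameter as
    requestParameters.securityGroups; a missing key means none were sent."""
    if (event.get("eventSource"), event.get("eventName")) != (
            "elasticloadbalancing.amazonaws.com", "CreateLoadBalancer"):
        raise ValueError("not an ELBv2 CreateLoadBalancer event")
    meta = service["metadata"]
    if service_name_tag(event) != f"{meta['namespace']}/{meta['name']}":
        raise ValueError("event does not belong to this Service")
    want = expected_security_groups(service)
    got = event.get("requestParameters", {}).get("securityGroups") or []
    missing = [sg for sg in want if sg not in got]
    return {"expected": want, "requested": got, "missing": missing, "ok": not missing}

if __name__ == "__main__":
    print(json.dumps(audit_create_lb(SERVICE, EVENT), indent=2))
```

Run against the event from this report it flags sg-0ef825028410aa90a as missing; once the controller forwards the annotation, the same check passes.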

            Assignee: Unassigned
            Reporter: Givaldo Lins (rhn-support-gilins)