- Feature Request
- Resolution: Done
- Major
1. Proposed title of this feature request
2. What is the nature and description of the request?
The service.beta.kubernetes.io/aws-load-balancer-security-groups annotation is listed in the aws-load-balancer-controller documentation but it is not implemented in ALBO.
After installing ALBO, I created the following svc in my cluster:
kind: Service
apiVersion: v1
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-internal: 'true'
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: '30769'
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /healthz
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval: '30'
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold: '2'
    service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules: 'true'
    service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: red-hat-managed=true
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-timeout: '6'
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold: '2'
    service.beta.kubernetes.io/aws-load-balancer-security-groups: sg-0ef825028410aa90a
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: http
  name: test-svc
  namespace: test-ns
spec:
  externalTrafficPolicy: Cluster
  ipFamilies:
    - IPv4
  ports:
    - name: HTTP
      protocol: TCP
      port: 80
      targetPort: http
      nodePort: 31389
  internalTrafficPolicy: Cluster
  allocateLoadBalancerNodePorts: true
  type: LoadBalancer
  ipFamilyPolicy: SingleStack
  sessionAffinity: None
The LB was created in AWS, but the SecurityGroup was not associated with it.
I checked the CloudTrail event and found the SG wasn't passed as part of the requestParameters:
{
  "eventVersion": "1.09",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "xxxxxxxxxxxxx:i-0dde6ed2f644204df",
    "arn": "arn:aws:sts::xxxxxxxxxxx:assumed-role/ManagedOpenShift-ControlPlane-Role/i-0dde6ed2f644204df",
    "accountId": "xxxxxxxxxxxxxx",
    "accessKeyId": "xxxxxxxxxxxxxxx",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "xxxxxxxxxx",
        "arn": "arn:aws:iam::xxxxxxxxxx:role/ManagedOpenShift-ControlPlane-Role",
        "accountId": "xxxxxxxxxx",
        "userName": "ManagedOpenShift-ControlPlane-Role"
      },
      "attributes": {
        "creationDate": "2024-04-08T16:24:46Z",
        "mfaAuthenticated": "false"
      },
      "ec2RoleDelivery": "2.0"
    }
  },
  "eventTime": "2024-04-08T16:59:48Z",
  "eventSource": "elasticloadbalancing.amazonaws.com",
  "eventName": "CreateLoadBalancer",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "35.166.144.177",
  "userAgent": "kubernetes/v1.26.14+03ee898 aws-sdk-go/1.44.116 (go1.19.13 X:strictfipsruntime; linux; amd64)",
  "requestParameters": {
    "type": "network",
    "subnetMappings": [
      { "subnetId": "subnet-046c198d4ede18c27" }
    ],
    "name": "a8ba49654c83543ef87e06596dd927a1",
    "tags": [
      { "value": "test-ns/test-svc", "key": "kubernetes.io/service-name" },
      { "value": "true", "key": "red-hat-managed" },
      { "value": "owned", "key": "kubernetes.io/cluster/gilins-stage-7b82h" }
    ],
    "scheme": "internal"
  },
  "responseElements": {
    "loadBalancers": [
      {
        "loadBalancerName": "a8ba49654c83543ef87e06596dd927a1",
        "state": { "code": "provisioning" },
        "dNSName": "a8ba49654c83543ef87e06596dd927a1-269d67890b916b9b.elb.us-west-2.amazonaws.com",
        "canonicalHostedZoneId": "Z18D5FSROUN65G",
        "loadBalancerArn": "arn:aws:elasticloadbalancing:us-west-2:xxxxxxxxxxxxx:loadbalancer/net/a8ba49654c83543ef87e06596dd927a1/269d67890b916b9b",
        "type": "network",
        "vpcId": "vpc-092c579892c95147f",
        "availabilityZones": [
          {
            "loadBalancerAddresses": [],
            "subnetId": "subnet-046c198d4ede18c27",
            "zoneName": "us-west-2a"
          }
        ],
        "ipAddressType": "ipv4",
        "createdTime": "Apr 8, 2024 4:59:48 PM",
        "enablePrefixForIpv6SourceNat": "off",
        "scheme": "internal"
      }
    ]
  },
  "requestID": "30d0a2aa-81e3-42f4-8762-36dbf650c156",
  "eventID": "0116d9dc-4898-45f3-89e9-a71f023b8e8e",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "apiVersion": "2015-12-01",
  "managementEvent": true,
  "recipientAccountId": "244807459070",
  "eventCategory": "Management",
  "tlsDetails": {
    "tlsVersion": "TLSv1.3",
    "cipherSuite": "TLS_AES_128_GCM_SHA256",
    "clientProvidedHostHeader": "elasticloadbalancing.us-west-2.amazonaws.com"
  }
}
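One way to detect this gap across a cluster, as an added example that is not part of this ticket or of ALBO: cross-check each Service's aws-load-balancer-security-groups annotation against the CloudTrail CreateLoadBalancer event the controller emitted for it, matching event to Service through the kubernetes.io/service-name tag. It assumes CloudTrail renders the API's SecurityGroups parameter as requestParameters.securityGroups; the Service and events below are constructed to mirror the ones above.

```python
import json

ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-security-groups"
SERVICE_TAG = "kubernetes.io/service-name"

def requested_security_groups(service: dict) -> list:
    """SG IDs the Service asked for via the annotation (comma-separated list)."""
    raw = service["metadata"].get("annotations", {}).get(ANNOTATION, "")
    return [sg.strip() for sg in raw.split(",") if sg.strip()]

def event_service(event: dict):
    """namespace/name of the Service that owns the LB, taken from the controller's tag."""
    for tag in event.get("requestParameters", {}).get("tags", []):
        if tag.get("key") == SERVICE_TAG:
            return tag.get("value")
    return None

def audit(services: list, events: list) -> list:
    """For each CreateLoadBalancer event tagged with a known Service, list the requested
    SGs that never reached requestParameters.securityGroups (assumed CloudTrail key)."""
    by_key = {f"{s['metadata']['namespace']}/{s['metadata']['name']}": s for s in services}
    findings = []
    for ev in events:
        svc = by_key.get(event_service(ev)) if ev.get("eventName") == "CreateLoadBalancer" else None
        if svc is None:
            continue  # not an LB creation, or not owned by a Service we know about
        params = ev["requestParameters"]
        passed = set(params.get("securityGroups") or [])
        missing = [sg for sg in requested_security_groups(svc) if sg not in passed]
        findings.append({"service": event_service(ev), "lb": params.get("name"), "missing": missing})
    return findings

# Constructed sample data shaped like the ticket's Service and CloudTrail event.
SERVICES = [{"metadata": {"name": "test-svc", "namespace": "test-ns",
             "annotations": {ANNOTATION: "sg-0ef825028410aa90a"}}}]
EVENTS = json.loads('''[
 {"eventName": "CreateLoadBalancer", "requestParameters": {"type": "network",
  "name": "a8ba49654c83543ef87e06596dd927a1", "scheme": "internal",
  "tags": [{"key": "kubernetes.io/service-name", "value": "test-ns/test-svc"}]}},
 {"eventName": "CreateLoadBalancer", "requestParameters": {"type": "network",
  "name": "lb-with-sg", "securityGroups": ["sg-0ef825028410aa90a"],
  "tags": [{"key": "kubernetes.io/service-name", "value": "test-ns/test-svc"}]}},
 {"eventName": "DescribeLoadBalancers", "requestParameters": {}}]''')

if __name__ == "__main__":
    for f in audit(SERVICES, EVENTS):
        print(f"{f['service']} -> {f['lb']}: " + ("MISSING " + ",".join(f["missing"]) if f["missing"] else "ok"))
```

Run against a real CloudTrail export (one JSON object per event) and the cluster's LoadBalancer Services, a non-empty "missing" list identifies exactly the LBs that were created without the security groups the annotation asked for.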
3. Why does the customer need this?
The customer needs this in place to automate the creation of LBs and to make sure they include the security groups specified at LB creation time.
4. List any affected packages or components.
AWS Load Balancer Operator
AWS Load Balancer Controller
- duplicates RFE-4812 Security groups for Network Load Balancer
- Accepted