- Spike
- Resolution: Done
- Critical
- None
- None
- Product / Portfolio Work
- False
-
- False
- 2
- 2
- None
- OpenShift SPLAT - Sprint 271
User Story:
As an OpenShift Engineer I want to research options for creating a Service of type LoadBalancer backed by an NLB with a Security Group as an opt-in, so admins can deploy a new cluster, or migrate existing ingress, without disrupting the default flow in the upstream AWS cloud controller manager.
Description:
Background Information: The current AWS Cloud Controller Manager (CCM) in OpenShift lacks the ability to directly associate AWS Security Groups with Network Load Balancers (NLBs). AWS has recently introduced native support for this feature. This research analyzes a proposed implementation within the OpenShift cloud-provider-aws repository to provide opt-in support for managing NLB security groups.
Potential Improvements: The proposed solution introduces a new annotation, service.beta.kubernetes.io/aws-load-balancer-manage-security-group, to enable managed security groups for NLBs. The code changes include modifications to handle both ingress and egress rules, a new function to create security group rules for NLBs, and logic to manage the lifecycle of these security groups. The implementation appears to align with the goal of providing minimal and opt-in support.
Security Considerations: The research highlights the importance of addressing the default "ALLOW ALL" egress rule and recommends restricting it to the necessary ports and protocols. It also suggests considering more granular egress configuration in the future and emphasizes the need for clear documentation and potential webhook validation to prevent misconfigurations.
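The following Go program is an added illustration for this spike, not code from the cloud-provider-aws pull request. It models, with plain structs instead of the AWS SDK, how the managed security group could derive its rules from the Service itself: ingress limited to the listener ports and `loadBalancerSourceRanges`, and egress limited to the node subnets on the NodePorts (plus the health check NodePort) rather than the default "ALLOW ALL" rule the research flags. The annotation name comes from the PR; the assumption that its value is the string `"true"`, the `Rule`/`ServiceSpec` types and the node CIDRs are illustrative choices of this example.

```go
package main

import "fmt"

// ManageSecurityGroupAnnotation is the opt-in annotation named in the PR.
const ManageSecurityGroupAnnotation = "service.beta.kubernetes.io/aws-load-balancer-manage-security-group"

// OptedIn reports whether a Service asked for a managed NLB security group.
// Assumption of this example: the annotation value is "true" when enabled.
func OptedIn(annotations map[string]string) bool {
	return annotations[ManageSecurityGroupAnnotation] == "true"
}

// Rule is a simplified security group rule: one protocol, one port range,
// a list of CIDR sources (ingress) or destinations (egress). Protocol "-1"
// is the AWS value for "all protocols".
type Rule struct {
	Protocol string
	FromPort int64
	ToPort   int64
	CIDRs    []string
}

// ServicePort mirrors the fields of a Kubernetes ServicePort used here.
type ServicePort struct {
	Protocol string // "tcp" or "udp"
	Port     int64  // listener port on the NLB
	NodePort int64  // port the NLB forwards to on the nodes
}

// ServiceSpec is the subset of a Service spec needed to derive rules.
type ServiceSpec struct {
	Ports                    []ServicePort
	LoadBalancerSourceRanges []string // empty means open to the world
	HealthCheckNodePort      int64    // >0 when externalTrafficPolicy is Local
}

// AllowAllEgress is the permissive default the spike recommends replacing.
func AllowAllEgress() []Rule {
	return []Rule{{Protocol: "-1", FromPort: 0, ToPort: 0, CIDRs: []string{"0.0.0.0/0"}}}
}

// IngressRules admits client traffic only on the listener ports, from the
// Service's loadBalancerSourceRanges (or everywhere when none are set).
func IngressRules(svc ServiceSpec) []Rule {
	sources := svc.LoadBalancerSourceRanges
	if len(sources) == 0 {
		sources = []string{"0.0.0.0/0"}
	}
	rules := make([]Rule, 0, len(svc.Ports))
	for _, p := range svc.Ports {
		rules = append(rules, Rule{
			Protocol: p.Protocol, FromPort: p.Port, ToPort: p.Port,
			CIDRs: append([]string(nil), sources...),
		})
	}
	return rules
}

// EgressRules restricts egress to the node subnets on the ports the NLB
// actually forwards to: every NodePort plus the health check NodePort.
// Duplicate protocol/port pairs are emitted once.
func EgressRules(svc ServiceSpec, nodeCIDRs []string) []Rule {
	seen := map[string]bool{}
	var rules []Rule
	add := func(proto string, port int64) {
		key := fmt.Sprintf("%s/%d", proto, port)
		if port == 0 || seen[key] {
			return
		}
		seen[key] = true
		rules = append(rules, Rule{
			Protocol: proto, FromPort: port, ToPort: port,
			CIDRs: append([]string(nil), nodeCIDRs...),
		})
	}
	for _, p := range svc.Ports {
		add(p.Protocol, p.NodePort)
	}
	// NLB health checks reach the node over TCP.
	add("tcp", svc.HealthCheckNodePort)
	return rules
}

func main() {
	// Constructed sample Service, not taken from any cluster.
	svc := ServiceSpec{
		Ports:                    []ServicePort{{Protocol: "tcp", Port: 443, NodePort: 31443}, {Protocol: "tcp", Port: 80, NodePort: 31080}},
		LoadBalancerSourceRanges: []string{"203.0.113.0/24"},
		HealthCheckNodePort:      32000,
	}
	fmt.Println("default egress:", AllowAllEgress())
	fmt.Println("ingress:", IngressRules(svc))
	fmt.Println("egress:", EgressRules(svc, []string{"10.0.0.0/16"}))
}
```

The point of the contrast is that the egress rule set is fully determined by the Service's NodePorts and the node subnets, so there is no need for a catch-all rule; any later change to the Service ports would be reconciled into the same derived rules.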
Acceptance Criteria:
- Analysis of the provided code diff for implementing opt-in NLB security group management in the OpenShift CCM.
- Identification of the new service.beta.kubernetes.io/aws-load-balancer-manage-security-group annotation and its intended functionality.
- Assessment of the code changes related to security group rule management, including ingress and egress.
- Evaluation of the alignment of the proposed implementation with the "minimal support" goal.
- Identification of potential security implications and recommendations for improvement, particularly regarding the default egress rule.
Other Information:
- Link to the Pull Request: https://github.com/openshift/cloud-provider-aws/pull/107
- Key files analyzed: docs/service_controller.md, pkg/providers/v1/aws.go, pkg/providers/v1/aws_loadbalancer.go.
- Recommendation: Address the TODO comment regarding the default "ALLOW ALL" egress rule to enhance security. Consider adding webhook validation for the new annotation. Ensure comprehensive testing of the new functionality.
issue created by splat-bot
created from thread: https://redhat-internal.slack.com/archives/G012C6LKVM2/p1747166302402069