
Commit 2cbd9ad

authored
Merge pull request #5030 from r4f4/fix-5029
🐛: elbv2: skip adding security groups to NLB in secret regions
2 parents abe918c + dc6ee06 commit 2cbd9ad


1 file changed

+13
-1
lines changed


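--- a/pkg/cloud/services/elb/loadbalancer.go
+++ b/pkg/cloud/services/elb/loadbalancer.go
@@ -64,6 +64,9 @@ const apiServerTargetGroupPrefix = "apiserver-target-"
 // listeners.
 const additionalTargetGroupPrefix = "additional-listener-"
 
+// cantAttachSGToNLBRegions is a set of regions that do not support Security Groups in NLBs.
+var cantAttachSGToNLBRegions = sets.New("us-iso-east-1", "us-iso-west-1", "us-isob-east-1")
+
 // ReconcileLoadbalancers reconciles the load balancers for the given cluster.
 func (s *Service) ReconcileLoadbalancers() error {
 s.scope.Debug("Reconciling load balancers")
@@ -395,6 +398,11 @@ func (s *Service) createLB(spec *infrav1.LoadBalancer, lbSpec *infrav1.AWSLoadBa
 input.IpAddressType = aws.String("dualstack")
 }
 
+// TODO: remove when security groups on NLBs is supported in all regions.
+if cantAttachSGToNLBRegions.Has(s.scope.Region()) {
+input.SecurityGroups = nil
+}
+
 // Allocate custom addresses (Elastic IP) to internet-facing Load Balancers, when defined.
 // Custom, or BYO, Public IPv4 Pool need to be created prior install, and the Pool ID must be
 // set in the VpcSpec.ElasticIPPool.PublicIPv4Pool to allow Elastic IP be consumed from
@@ -1788,7 +1796,11 @@ func shouldReconcileSGs(scope scope.ELBScope, lb *infrav1.LoadBalancer, specSGs
 // Once created without a security group, the NLB can never have any added.
 // (https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-security-groups.html)
 if lb.LoadBalancerType == infrav1.LoadBalancerTypeNLB && len(lb.SecurityGroupIDs) == 0 {
-scope.Info("Pre-existing NLB %s without security groups, cannot reconcile security groups.", lb.Name)
+if cantAttachSGToNLBRegions.Has(scope.Region()) {
+scope.Info("Region doesn't support NLB security groups, cannot reconcile security groups.", "region", scope.Region(), "elb-name", lb.Name)
+} else {
+scope.Info("Pre-existing NLB without security groups, cannot reconcile security groups.", "elb-name", lb.Name)
+}
 return false
 }
 if !sets.NewString(lb.SecurityGroupIDs...).Equal(sets.NewString(specSGs...)) {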
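Review bot: The region guard added in createLB (second hunk) clears `input.SecurityGroups` for every load balancer type, not only NLBs, even though the commit message and the set's comment scope the limitation to NLBs; the other hunk in shouldReconcileSGs does gate on `lb.LoadBalancerType == infrav1.LoadBalancerTypeNLB`. Unless security groups are only populated for NLBs earlier in createLB (that code is outside the hunk), an ALB created in one of these regions would also lose its intended security groups, which is the opposite of a conservative default for an internet-facing endpoint. Suggest `if spec.LoadBalancerType == infrav1.LoadBalancerTypeNLB && cantAttachSGToNLBRegions.Has(s.scope.Region()) {`, mirroring the condition in the third hunk. Since an NLB created without security groups can never have any attached (per the comment in the third hunk), it would also help operators to log at this point that the groups were intentionally dropped, e.g. `s.scope.Info("Region doesn't support NLB security groups, creating NLB without them.", "region", s.scope.Region())`. createLB's body starts and ends outside the hunk.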
