Fix leak managed/owned security group on Service update with BYO SG #1209
Conversation
k8s-ci-robot
added
release-note
k8s-ci-robot
added
the
needs-triage
|
This issue is currently awaiting triage. If cloud-provider-aws contributors determine this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
Hi @mtulio. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
needs-ok-to-test
mtulio
changed the title
mtulio
force-pushed
the
fix-1208-byosg-update
branch
from
03f9775 to
83c92f2
Compare
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
mtulio
force-pushed
the
fix-1208-byosg-update
branch
from
83c92f2 to
23ba0b3
Compare
|
/test all |
mtulio
force-pushed
the
fix-1208-byosg-update
branch
from
23ba0b3 to
0fec46d
Compare
|
Fixing doc strings and failed unit tests from previous unexpected behavior: /test all |
|
Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
do-not-merge/release-note-label-needed
mtulio
force-pushed
the
fix-1208-byosg-update
branch
from
0fec46d to
1907542
Compare
|
/test pull-cloud-provider-aws-e2e-kubetest2 |
|
/test all |
|
I can't find connection between failures in pull-cloud-provider-aws-e2e-kubetest2 and existing changes. I am going to convert to regular PR to ask for reviewers while we observe if this isnt a CI flake. PTAL? |
|
e2e test Investigating if the failure converting to draft while increasing debug on internal test of CLB, looks like it's failing to retrieve pod information, checking if this is related to the service account. Once I get more information and isolate the issue I will return to ready. |
k8s-ci-robot
added
the
do-not-merge/work-in-progress
mtulio
force-pushed
the
fix-1208-byosg-update
branch
from
6af2646 to
edd4a11
Compare
|
/test pull-cloud-provider-aws-e2e |
Checking if I need to enhance the controller update the sg: /test pull-cloud-provider-aws-e2e |
mtulio
force-pushed
the
fix-1208-byosg-update
branch
from
edd4a11 to
f0b38b6
Compare
|
increase verbosity /test pull-cloud-provider-aws-e2e |
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
e2e job green. I am also leaving the e2e more verbose in case of test network failures, helping devs troubleshooting easier CI logs of internal connectivity / internal LB. LMK if that makes sense. Converting to regular PR. PTAL? Thanks |
k8s-ci-robot
added
the
needs-rebase
k8s-ci-robot
added
the
do-not-merge/work-in-progress
|
Converting to draft while I return on it to rebase and run deepen investigation on e2e failures. |
|
FWIW interim update, this PR is still alive and need to be fixed, and proposal could be used in the logic of BYOSG in NLBs. I am planning to return on it next week to rebase and ask for final review with recent updates in the Service NLB and e2e. |
Fix the "managed" (controller-owned) security group leak when user provided security group is added to an existing Service type-loadBalancer CLB.
Introduce unit tests for functions added to validate Service update to BYO Security Group annotations from a managed SG state.
mtulio
force-pushed
the
fix-1208-byosg-update
branch
from
f0b38b6 to
e236025
Compare
k8s-ci-robot
removed
the
needs-rebase
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
PR rebased including/merging managed NLB SG, ensuring readiness with new e2e tests validating the fix: /test pull-cloud-provider-aws-e2e |
mtulio
force-pushed
the
fix-1208-byosg-update
branch
from
e236025 to
3cf5c63
Compare
|
Fixed conflicts |
Introduce BYO Security Group(SG) update scenario to Service CLB to validate SG leak when user has created a Service CLB with default SG and eventually updated to a user-provided. kubernetes#1208
mtulio
force-pushed
the
fix-1208-byosg-update
branch
from
3cf5c63 to
e98e826
Compare
|
small fixes in the e2e for PSP and logging: /test pull-cloud-provider-aws-e2e |
|
e2e is now passing, I am going to polish the e2e. Let’s see other overall: /test all |
5 participants
What type of PR is this?
/kind bug
What this PR does / why we need it:
This PR fixes a leaked security group (SG) when a Service type-loadBalancer (CLB) is updated adding the BYO SG annotation (
service.beta.kubernetes.io/aws-load-balancer-security-groups), which replaces all SG added to the Load Balancer without removing rules and deleting it when created by controller.Which issue(s) this PR fixes:
Fixes #1208
Special notes for your reviewer:
The approach of creating isolated function was used specially to:
The unit tests and documentation(function) comments have been assisted by Cursor AI(model claude-4-sonet): AIA HAb SeCeNc Hin R v1.0
Does this PR introduce a user-facing change?: