-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fixup(sg-resolver): Allow multiple SGs with the same Name tag #3775
Conversation
Welcome @alloveras! |
Hi @alloveras. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
c6e87d1
to
451d9b9
Compare
Thank for your contribution. We will start reviewing this. |
/lgtm |
/assign @oliviassss @wweiwei-li |
sgs, err := r.ec2Client.DescribeSecurityGroupsAsList(ctx, req) | ||
if err != nil { | ||
return nil, err | ||
} | ||
|
||
resolvedSGNames := make([]string, 0, len(sgs)) | ||
for _, sg := range sgs { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
do we need to add nil check for the sgs
and sg.Tags
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the Golang specification tells us that these would be unnecessarily redundant.
A "for" statement with a "range" clause iterates through all entries of an array, slice, string or map, values received on a channel, or integer values from zero to an upper limit [Go 1.22]. For each entry it assigns iteration values to corresponding iteration variables if present and then executes the block.
...
For an array, pointer to array, or slice value a, the index iteration [...] For a nil slice, the number of iterations is 0.
Source: https://go.dev/ref/spec#For_range
Example: https://go.dev/play/p/vBe3S9lbhvh
That said, if you feel strongly about having them or is a common pattern in the codebase I am more than happy to add an extra commit with the additional nil
checks 😉
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah for the sgs
it was fine, but how about sg.Tags
? I know in this function we are filtering by tags, so the returned sgs should have Tags
field, but just in case if some code changes in the future and we miss this, it will error out because the controller does not check whether there's a Tag spec.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
but how about sg.Tags?
I think for sg.Tags
the reasoning is the the same 🤔? Also, if the listing code changes and the returned SecurityGroup
struct removes/renames the Tags
field, that will produce a compiler error and, hence, we will detect it immediately. Am I missing something?
args: args{ | ||
nameOrIDs: []string{ | ||
"sg group one", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we keep a negative test case for the mix name&ids ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I pushed 12a7953 to add the negative test for mix name & ids as well as improve error reporting a little bit.
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: alloveras, oliviassss, shraddhabang The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Hey @oliviassss, Thank you! |
Hey @alloveras , The patch release v2.8.3 was done just to address a CVE. We have planned to inclde these changes in v2.9.0. |
Issue
I looked but couldn't find any open issues about the problem this pull request intends to solve.
Description
The current implementation of
ResolveViaNameOrID
incorrectly assumes that searching security groups by theName
tag will always yield a single resource per searched name. This is incorrect because AWS allows multiple security groups in the same VPC to share the sameName
tag.In practice, this issue manifests in the form of a rather cryptic runtime error:
Our particular use case is the following:
We have a large set of IP ranges that we need to allow ingress from in our ALBs. Unfortunately, the number of CIDR ranges we need to allow lists is bigger than the default maximum quota of 60 ingress rules per security group. To remediate that, we created multiple security groups all with different IDs but with the same
tag:Name=allow-ingress-from-xyz
, and spread the CIDR ranges across them.We have some automation in place to create/delete these security group resources when the number of allowed CIDR ranges changes. Hence, we cannot hard-code the security group IDs in the
alb.ingress.kubernetes.io/security-groups
annotation. Instead, we would like the controller to dynamically resolve the security group IDs to attach to the ALB from the specified security group names in the annotation.In the current implementation, the approach described above works if and only if all the security group names specified in the annotation resolve to a single security group ID (1-to-1 mapping). Otherwise, the controller errors out with the error message shown above.
The approach I've taken to solve this problem is the following:
For ID-based lookups, it is correct to assume that the number of security group IDs requested needs to match with the number of security group IDs found. That is because, within a VPC, security group IDs are unique.
For name-based lookups, each given name needs to match one or more security groups.
To implement that, I moved the "response correctness" logic from the
ResolveViaNameOrID
to the respectiveresolveViaGroupID
andresolveViaGroupName
so that it can be slightly different on each search strategy.Checklist
README.md
, or thedocs
directory)BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯