Ensure removal of security group rules on deleting load balancers #752
Conversation
k8s-ci-robot
added
release-note
k8s-ci-robot
added
size/M
|
We're recommending that folks run the separate load balancer controller: https://github.com/kubernetes-sigs/aws-load-balancer-controller Instead of using the legacy service controller here. Do you see this issue with that controller as well? |
|
As far as I know, this bug only exists in the classic load balancer code path, which has no parallel in the load balancer controller. Until recently, NLBs didn't even support security groups right? While I appreciate that there's a new way to do things and you can recommend moving people across, the CLB has no equivalent support and as such, still needs to be supported here, and this is a fairly major bug that requires users to manually enter the AWS console/CLI to remove resources to be able to clean up their environment. Else they are leaked. Note as well that the controllers logic today will happily remove the load balancer and service object, leaking the resources and not even giving the user any indication that resources were leaked, I think this is pretty bad behaviour for a controller like this. |
|
/retest CI should be fixed now |
JoelSpeed
force-pushed
the
remove-sg-rules-untagged-groups
branch
from
60fe9aa
to
09471b9
Compare
|
Any of the maintainers able to give this bug a review please? |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
lifecycle/stale
|
Any indication that this might be an acceptable patch? The bug is still present |
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
k8s-ci-robot
added
lifecycle/rotten
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close |
|
@k8s-triage-robot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/reopen Any AWS maintainers able to review this bug? |
|
@JoelSpeed: Reopened this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/triage accepted |
k8s-ci-robot
added
triage/accepted
|
/remove-lifecycle rotten |
k8s-ci-robot
removed
the
lifecycle/rotten
|
changes mostly looks good, can we do a rebase? |
JoelSpeed
force-pushed
the
remove-sg-rules-untagged-groups
branch
from
09471b9
to
4ee1d55
Compare
k8s-ci-robot
removed
the
needs-rebase
|
The E2E failures here don't look to be related as far as I can tell, @kmala do you agree or do I need to look deeper? |
they are happening for other PR's also #1016 (comment) . Looking at the reason for the issue. |
|
@JoelSpeed can you rebase such that the e2e works as its been fixed |
JoelSpeed
force-pushed
the
remove-sg-rules-untagged-groups
branch
from
4ee1d55
to
912f047
Compare
|
I think Prow is supposed to handle that for you, but I've rebased anyway |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: kmala The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
What type of PR is this?
/kind bug
What this PR does / why we need it:
This PR updates the load balancer security group update logic for ELBs so that we can actually delete a security group when there is an untagged group present.
In the current flow, we can add rules to the security group if it is untagged, but we cannot remove them since the logic excludes untagged groups from the
actualGroupslist. When we are deleting the load balancer and deleting the security group, we need to make sure that we remove all rules that refer to the security group else the security group deletion will reach a dependency violation deadlock.To ensure compatibility with BYO security groups, the code ensures that we only pass the
isDeletingparameter as true when the existing logic determines that the load balancer should be removing the security group already. This should mean that we only do the full removal of all references when we are about to delete the security group, and if the security group is being left over, we won't remove any references - I don't think in the BYO security group case we have any way to track what we have added so I can't fix that bug here.Which issue(s) this PR fixes:
Fixes #566
Special notes for your reviewer:
Does this PR introduce a user-facing change?: