ec2: networkAcl update fails if ruleAction field has camelcase Allow/Deny #1966

Closed
nnbu opened this issue Dec 14, 2023 · 2 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. service/ec2 Indicates issues or PRs that are related to ec2-controller.

Comments


nnbu commented Dec 14, 2023

Steps to reproduce

Repro steps:

  1. Create CR (make sure the ruleAction field has camelcase Allow/Deny)

     ```yaml
     apiVersion: ec2.services.k8s.aws/v1alpha1
     kind: NetworkACL
     metadata:
       name: netacl1
       namespace: default
     spec:
       associations:
       - subnetID: subnet-xxxxx1
       - subnetID: subnet-xxxxx2
       entries:
       - cidrBlock: 0.0.0.0/0
         egress: false
         protocol: "-1"
         ruleAction: Allow
         ruleNumber: 100
       vpcID: vpc-xxxx
     ```

  2. Update the CR with the following

     ```yaml
     apiVersion: ec2.services.k8s.aws/v1alpha1
     kind: NetworkACL
     metadata:
       name: netacl1
       namespace: default
     spec:
       associations:
       - subnetID: subnet-xxxxx1
       - subnetID: subnet-xxxxx2
       entries:
       - cidrBlock: 0.0.0.0/0
         egress: false
         protocol: "-1"
         ruleAction: Allow
         ruleNumber: 100
       - cidrBlock: 0.0.0.0/0
         egress: true
         protocol: "-1"
         ruleAction: Allow
         ruleNumber: 100
       vpcID: vpc-0xxxx
     ```

  3. The CR update causes the entry present in the first step to get deleted, and the ec2 logs show the following error

     ```
     reason: "InvalidNetworkAclEntry.NotFound: no ingress entry with number 100 in
           network ACL acl-xxxx\n\tstatus code: 400, request id: xxxxxxx"
     ```

Expected outcome
The update should be successful and we should see both entries (egress and ingress) in the AWS console.

Environment

  • Kubernetes version
  • Using EKS (yes/no), if so version? No
  • AWS service targeted (S3, RDS, etc.)

nnbu commented Dec 14, 2023

RCA:
In step 2 of the repro, when the update happens for the CR, entries are compared between the desired (CR) and latest (AWS) objects.

latest has ruleAction as lowercase allow because AWS always returns lowercase allow. desired has ruleAction as Allow.

Delete of the entry with ruleAction allow is triggered first.
Since ruleNumber and egress uniquely determine the entry, the code also determines that an update is needed because of the change from allow (in latest) to Allow (in desired).

Since the delete gets triggered first, the entry is no longer present. Then the update is triggered, and we see the error that the entry is not present. Hence, the update fails.

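To make the RCA above concrete, here is a small reconciliation diff written for this thread. It is an added example, not the ec2-controller's own code: the Entry type, the identity key and computeDelta are hypothetical stand-ins for the controller's generated API and sync logic, and the sample entries are constructed from the repro steps. With normalizeCase=false the diff reproduces the reported behaviour (the case-only difference on ruleAction marks the existing ingress entry for both deletion and update, and the delete runs first, which is why the later update hits InvalidNetworkAclEntry.NotFound); with normalizeCase=true the ruleAction is lowercased before comparison, so only the new egress entry is created.

```go
package main

import (
	"fmt"
	"strings"
)

// Entry holds the NetworkACL entry fields the reconciler compares.
// Hypothetical type for this example, not the controller's generated API.
type Entry struct {
	CIDRBlock  string
	Egress     bool
	Protocol   string
	RuleAction string
	RuleNumber int64
}

// identity is what uniquely determines an entry on the AWS side:
// ruleNumber plus direction (egress).
type identity struct {
	RuleNumber int64
	Egress     bool
}

// Delta is the set of API calls the reconciler would issue.
type Delta struct {
	ToCreate []Entry
	ToUpdate []Entry
	ToDelete []Entry
}

// canonical lowercases ruleAction so that "Allow" (as written in the CR)
// compares equal to "allow" (as always returned by AWS).
func canonical(e Entry) Entry {
	e.RuleAction = strings.ToLower(e.RuleAction)
	return e
}

// computeDelta classifies entries. With normalizeCase=false it reproduces
// the reported behaviour: a case-only difference in ruleAction makes the
// existing entry look both stale (delete) and changed (update).
func computeDelta(desired, latest []Entry, normalizeCase bool) Delta {
	cmp := func(e Entry) Entry { return e }
	if normalizeCase {
		cmp = canonical
	}
	desiredSet := make(map[Entry]bool, len(desired))
	for _, e := range desired {
		desiredSet[cmp(e)] = true
	}
	latestSet := make(map[Entry]bool, len(latest))
	latestByID := make(map[identity]Entry, len(latest))
	for _, e := range latest {
		latestSet[cmp(e)] = true
		latestByID[identity{e.RuleNumber, e.Egress}] = e
	}

	var d Delta
	// Anything in AWS that no desired entry matches exactly gets deleted.
	for _, e := range latest {
		if !desiredSet[cmp(e)] {
			d.ToDelete = append(d.ToDelete, e)
		}
	}
	// Anything desired that AWS does not hold exactly is either an update
	// (same ruleNumber+egress already exists) or a create.
	for _, e := range desired {
		if latestSet[cmp(e)] {
			continue
		}
		if _, exists := latestByID[identity{e.RuleNumber, e.Egress}]; exists {
			d.ToUpdate = append(d.ToUpdate, e)
		} else {
			d.ToCreate = append(d.ToCreate, e)
		}
	}
	return d
}

// latestFromIssue is constructed sample data: what AWS returns after step 1.
func latestFromIssue() []Entry {
	return []Entry{
		{CIDRBlock: "0.0.0.0/0", Egress: false, Protocol: "-1", RuleAction: "allow", RuleNumber: 100},
	}
}

// desiredFromIssue is constructed sample data: the CR spec from step 2.
func desiredFromIssue() []Entry {
	return []Entry{
		{CIDRBlock: "0.0.0.0/0", Egress: false, Protocol: "-1", RuleAction: "Allow", RuleNumber: 100},
		{CIDRBlock: "0.0.0.0/0", Egress: true, Protocol: "-1", RuleAction: "Allow", RuleNumber: 100},
	}
}

func main() {
	for _, normalize := range []bool{false, true} {
		d := computeDelta(desiredFromIssue(), latestFromIssue(), normalize)
		fmt.Printf("normalizeCase=%v: create=%d update=%d delete=%d\n",
			normalize, len(d.ToCreate), len(d.ToUpdate), len(d.ToDelete))
	}
}
```

The design point is that the comparison key must be the canonical form the API returns, not the form the user typed; any field whose casing AWS rewrites (ruleAction here) has to be normalized on the desired side before the diff, otherwise a no-op reconcile turns into a delete followed by an update of an entry that no longer exists.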
@a-hilaly a-hilaly added kind/bug Categorizes issue or PR as related to a bug. service/ec2 Indicates issues or PRs that are related to ec2-controller. labels Dec 15, 2023

ack-bot commented Jun 12, 2024

Issues go stale after 180d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 60d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/aws-controllers-k8s/community.
/lifecycle stale

@ack-prow ack-prow bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 12, 2024
@a-hilaly a-hilaly removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 19, 2024
ack-prow bot pushed a commit to aws-controllers-k8s/ec2-controller that referenced this issue Sep 19, 2024
…169)

Issue [#1966](aws-controllers-k8s/community#1966)

Description of changes:
RCA and steps to reproduce are mentioned in the issue

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
@a-hilaly a-hilaly closed this as completed Oct 9, 2024
3 participants