SecurityGroup userIdGroupPairs groupRef does not use the referenced id #2101

Closed
kejne opened this issue Jun 27, 2024 · 2 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. service/ec2 Indicates issues or PRs that are related to ec2-controller.

Comments

kejne commented Jun 27, 2024

Describe the bug

Checked out the fairly new issue #2058 that was closed and followed that information (the information on https://aws-controllers-k8s.github.io/community/reference/ec2/v1alpha1/securitygroup/ seems to be outdated - so something seems to not work with the publishing)

Tried it out, but it seems like it is not able to translate into the groupID when using the AWS API.

The resulting CRD when applying the changes:

```yaml
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: SecurityGroup
metadata:
  ...
spec:
  ingressRules:
    - fromPort: 443
      ipProtocol: tcp
      toPort: 443
      userIDGroupPairs:
        - groupRef:
            from:
              name: sgName
          userID: 'account'
  name: aSgGroup
  vpcRef:
    from:
      name: ourVpc
status:
  ackResourceMetadata:
    ownerAccountID: 'account'
    region: eu-west-1
  conditions:
    - lastTransitionTime: '2024-06-27T11:13:07Z'
      status: 'True'
      type: ACK.ReferencesResolved
    - message: "VPCIdNotSpecified: No default VPC for this user\n\tstatus code: 400, request id: 089a7ea4-5ff7-4bc1-987f-d73d87f398f1"
      status: 'True'
      type: ACK.Recoverable
    - lastTransitionTime: '2024-06-27T11:13:08Z'
      message: >-
        Unable to determine if desired resource state matches latest observed
        state
      reason: "VPCIdNotSpecified: No default VPC for this user\n\tstatus code: 400, request id: 089a7ea4-5ff7-4bc1-987f-d73d87f398f1"
      status: Unknown
      type: ACK.ResourceSynced
  id: theSgGroupId
```

CloudTrail excerpt:

```json
"requestParameters": {
    "groupId": "sg-0b059064b8e4e4620",
    "ipPermissions": {
        "items": [
            {
                "ipProtocol": "tcp",
                "fromPort": 443,
                "toPort": 443,
                "groups": {
                    "items": [
                        {
                            "userId": "account",
                            "groupName": "sgName",
                            "vpcId": "vpc-XXXXXXXXXXX"
                        }
                    ]
                },
                "ipRanges": {},
                "ipv6Ranges": {},
                "prefixListIds": {}
            }
        ]
    }
},
```

Steps to reproduce

Create a SecurityGroup within a VPC:

```yaml
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: VPC
metadata:
  name: default
spec:
  amazonProvidedIPv6CIDRBlock: false
  cidrBlocks:
    - 10.124.0.0/21
    - 100.64.0.0/16
  enableDNSHostnames: true
  enableDNSSupport: true
  tags:
    - key: Name
      value: default
---
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: SecurityGroup
metadata:
  name: default-cluster
spec:
  description: "Allow traffic to the VPC endpoint from the VPC"
  name: default-cluster
  vpcRef:
    from:
      name: default
  egressRules:
    - ipProtocol: "-1"
      fromPort: 0
      toPort: 65535
      ipRanges:
        - cidrIP: "0.0.0.0/0"
          description: Internet
  ingressRules:
    - ipProtocol: "-1"
      fromPort: 0
      toPort: 65535
      ipRanges:
        - cidrIP: 10.124.0.0/21
          description: default CIDR
---
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: SecurityGroup
metadata:
  name: default-cluster-additional
spec:
  name: default-cluster-additional
  vpcID: vpc-02f8b2038f5d17119
  ingressRules:
    - ipProtocol: "tcp"
      fromPort: 443
      toPort: 443
      userIDGroupPairs:
        - groupRef:
            from:
              name: default-cluster
          vpcRef:
            from:
              name: default
          userID: "default"
```

Expected outcome

The AWS API is called using the security group id rather than the name.
The request towards AWS should be similar to:

```json
"requestParameters": {
    "groupId": "sg-0b059064b8e4e4620",
    "ipPermissions": {
        "items": [
            {
                "ipProtocol": "tcp",
                "fromPort": 443,
                "toPort": 443,
                "groups": {
                    "items": [
                        {
                            "userId": "account",
                            # This should contain "groupId": "sgXXXXXXXX"
                            "vpcId": "vpc-XXXXXXXXXXXXX"
                        }
                    ]
                },
                "ipRanges": {},
                "ipv6Ranges": {},
                "prefixListIds": {}
            }
        ]
    }
},
```

Environment

  • Kubernetes version 1.30
  • Using eks.2
  • EC2 - SecurityGroup
  • Provider version 1.2.12
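To make the failure mode in this report concrete, here is an added Go example. It is not ec2-controller code and does not use the AWS SDK; it parses the CloudTrail `requestParameters` shape shown above with the standard library, flags every group pair that names the peer group by `groupName` without a `groupId` (the form that only resolves inside a default VPC, hence the `VPCIdNotSpecified` error), and shows the id-based pair the controller should emit once `groupRef` has been resolved. The sample JSON is constructed from the excerpt in this report; the name-to-id map and the `sg-0123...` id in `main` are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample: the requestParameters object from the CloudTrail excerpt in
// this report, without the surrounding record fields. Placeholder values only.
const sampleRequest = `{
  "groupId": "sg-0b059064b8e4e4620",
  "ipPermissions": {
    "items": [
      {
        "ipProtocol": "tcp",
        "fromPort": 443,
        "toPort": 443,
        "groups": {
          "items": [
            { "userId": "account", "groupName": "sgName", "vpcId": "vpc-XXXXXXXXXXX" }
          ]
        },
        "ipRanges": {},
        "ipv6Ranges": {},
        "prefixListIds": {}
      }
    ]
  }
}`

// Only the fields the check needs; real requestParameters carry more.
type groupPair struct {
	UserID    string `json:"userId,omitempty"`
	GroupID   string `json:"groupId,omitempty"`
	GroupName string `json:"groupName,omitempty"`
	VPCID     string `json:"vpcId,omitempty"`
}

type ipPermission struct {
	IPProtocol string `json:"ipProtocol"`
	FromPort   int    `json:"fromPort"`
	ToPort     int    `json:"toPort"`
	Groups     struct {
		Items []groupPair `json:"items"`
	} `json:"groups"`
}

type requestParameters struct {
	GroupID       string `json:"groupId"`
	IPPermissions struct {
		Items []ipPermission `json:"items"`
	} `json:"ipPermissions"`
}

// NameOnlyPairs parses an AuthorizeSecurityGroupIngress requestParameters object and
// returns one finding per peer group that is identified by name only. EC2 resolves a
// bare group name against the default VPC, so in an account without one the call
// fails with "VPCIdNotSpecified: No default VPC for this user".
func NameOnlyPairs(raw []byte) ([]string, error) {
	var req requestParameters
	if err := json.Unmarshal(raw, &req); err != nil {
		return nil, fmt.Errorf("parse requestParameters: %w", err)
	}
	var findings []string
	for _, perm := range req.IPPermissions.Items {
		for _, g := range perm.Groups.Items {
			if g.GroupID == "" && g.GroupName != "" {
				findings = append(findings, fmt.Sprintf(
					"%s %s %d-%d: peer group %q referenced by name, not id",
					req.GroupID, perm.IPProtocol, perm.FromPort, perm.ToPort, g.GroupName))
			}
		}
	}
	return findings, nil
}

// ToIDBased is the shape of the fix: once a groupRef is resolved, carry the resolved
// id and drop the name. resolved maps group name -> group id (hypothetical stand-in
// for the referenced SecurityGroup's status.id in the controller).
func ToIDBased(p groupPair, resolved map[string]string) (groupPair, error) {
	if p.GroupID != "" {
		return p, nil // already id-based
	}
	id, ok := resolved[p.GroupName]
	if !ok {
		return groupPair{}, fmt.Errorf("group %q not resolved", p.GroupName)
	}
	p.GroupID = id
	p.GroupName = ""
	return p, nil
}

func main() {
	findings, err := NameOnlyPairs([]byte(sampleRequest))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
	// Hypothetical resolved id, as the controller would take it from status.id.
	fixed, err := ToIDBased(
		groupPair{UserID: "account", GroupName: "sgName", VPCID: "vpc-XXXXXXXXXXX"},
		map[string]string{"sgName": "sg-0123456789abcdef0"})
	if err != nil {
		panic(err)
	}
	out, _ := json.Marshal(fixed)
	fmt.Println(string(out))
}
```

Run over the excerpt above, `NameOnlyPairs` reports the single `sgName` pair; the same check can be pointed at CloudTrail records to confirm that, after the fix, the controller's `AuthorizeSecurityGroupIngress` calls carry `groupId` and no finding is produced.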

kejne commented Jun 27, 2024

Provided a PR which should give the proper behavior

ack-prow bot pushed a commit to aws-controllers-k8s/ec2-controller that referenced this issue Jun 28, 2024
…d of name (#203)

Handles issues [#2101](aws-controllers-k8s/community#2101)

GroupId is populated instead of the groupName (which would be the same as the name passed in as reference) when using the groupRef solution.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
@a-hilaly a-hilaly added kind/bug Categorizes issue or PR as related to a bug. service/ec2 Indicates issues or PRs that are related to ec2-controller. labels Jun 28, 2024
ack-prow bot pushed a commit to aws-controllers-k8s/ec2-controller that referenced this issue Jun 28, 2024
Release for: aws-controllers-k8s/community#2101

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

kejne commented Jun 28, 2024

Confirmed to work after fix!

@kejne kejne closed this as completed Jun 28, 2024
nnbu pushed a commit to nnbu/ack-ec2-controller that referenced this issue Sep 18, 2024
…d of name (aws-controllers-k8s#203)

Handles issues [#2101](aws-controllers-k8s/community#2101)

GroupId is populated instead of the groupName (which would be the same as the name passed in as reference) when using the groupRef solution.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
nnbu pushed a commit to nnbu/ack-ec2-controller that referenced this issue Sep 18, 2024
Release for: aws-controllers-k8s/community#2101

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.