[SecurityGroup] Resource never resolves when all ingress and egress rules use groupRef #2191

Closed
jantzenallphin opened this issue Oct 15, 2024 · 2 comments
Labels
priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. service/ec2 Indicates issues or PRs that are related to ec2-controller.

Comments

@jantzenallphin

Describe the bug
We are creating/grouping multiple SecurityGroup ACK objects into a single Helm chart. Among these are two SecurityGroups that contain rules that reference each other via userIDGroupPairs using the groupRef field. The problem we are facing is that a SecurityGroup that references another SecurityGroup in both its egressRules and ingressRules will not successfully sync, with no error message. The ack-ec2-controller logs only show that it recognizes it is out of sync and attempts to update the resource over and over again.

This is what the status shows. The references have resolved successfully; however, the resource sync status remains False forever with no indication as to why it is stuck.

status:
  conditions:
  - lastTransitionTime: "2024-10-15T15:17:00Z"
    status: "True"
    type: ACK.ReferencesResolved
  - lastTransitionTime: "2024-10-15T15:17:06Z"
    reason: ""
    status: "False"
    type: ACK.ResourceSynced

I can see the SecurityGroup is created in the AWS console, but the ingress and egress rule sets are empty. If I change just the egressRules to use groupID to reference the same SecurityGroup by ID, it will resolve.

Steps to reproduce
Create a SecurityGroup like this one:

apiVersion: ec2.services.k8s.aws/v1alpha1
kind: SecurityGroup
metadata:
  name: jallphin02-sbx-va6-k8s-control-plane
  namespace: sbx-clusters
spec:
  description: k8s-control-plane security group rules for jallphin02-sbx-va6
  egressRules:
  - fromPort: 1025
    ipProtocol: tcp
    toPort: 65535
    userIDGroupPairs:
    - description: Allow traffic from control plane to workers
      groupRef:
        from:
          name: jallphin02-sbx-va6-k8s-all
      userID: <extracted>
  - fromPort: 443
    ipProtocol: tcp
    toPort: 443
    userIDGroupPairs:
    - description: Allow HTTPS traffic from control plane to workers
      groupRef:
        from:
          name: jallphin02-sbx-va6-k8s-all
      userID: <extracted>
  ingressRules:
  - fromPort: 443
    ipProtocol: tcp
    toPort: 443
    userIDGroupPairs:
    - description: Allow HTTPS access to control tier from workers
      groupRef:
        from:
          name: jallphin02-sbx-va6-k8s-all
      userID: <extracted>
  name: jallphin02-sbx-va6-k8s-control-plane
  vpcID: <extracted>

Expected outcome
The SecurityGroup should sync to AWS as expected.

Environment

  • Kubernetes version: 1.29
  • Using EKS (yes/no), if so version? 1.29
  • AWS service targeted (S3, RDS, etc.): SecurityGroups
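A small check that flags the pattern described in this report, added here as an example and not part of the ACK project or the reporter's setup: given a SecurityGroup CR as a Python dict (for instance the output of `kubectl get securitygroup <name> -o json`), it lists egress userIDGroupPairs that use groupRef and reports whether the status shows ACK.ReferencesResolved True alongside ACK.ResourceSynced False. The sample CR and the group name `example-k8s-all` are constructed placeholders.

```python
# Added example, not ACK project code. Inspects a SecurityGroup CR (dict form)
# for the two signals in this issue: egress rules using groupRef, and a status
# where references resolved but the resource never reports synced.

def egress_group_refs(cr):
    """Return (egress rule index, referenced SecurityGroup name) for each userIDGroupPair using groupRef."""
    refs = []
    for i, rule in enumerate(cr.get("spec", {}).get("egressRules") or []):
        for pair in rule.get("userIDGroupPairs") or []:
            ref = pair.get("groupRef")
            if ref:
                refs.append((i, ref.get("from", {}).get("name")))
    return refs

def condition_status(cr, cond_type):
    """Status string of the named ACK condition, or None if the condition is absent."""
    for cond in cr.get("status", {}).get("conditions") or []:
        if cond.get("type") == cond_type:
            return cond.get("status")
    return None

def is_stuck(cr):
    """References resolved but the resource never reports synced: the symptom in this report."""
    return (condition_status(cr, "ACK.ReferencesResolved") == "True"
            and condition_status(cr, "ACK.ResourceSynced") == "False")

def diagnose(cr):
    """Classify the CR; 'egress-groupref-stuck' matches the pattern described in the issue."""
    if not is_stuck(cr):
        return "ok"
    return "egress-groupref-stuck" if egress_group_refs(cr) else "stuck-other"

# Constructed sample mirroring the reported CR; names are placeholders, not the reporter's.
SAMPLE_CR = {
    "spec": {
        "egressRules": [{"fromPort": 443, "toPort": 443, "ipProtocol": "tcp",
                         "userIDGroupPairs": [{"groupRef": {"from": {"name": "example-k8s-all"}}}]}],
        "ingressRules": [{"fromPort": 443, "toPort": 443, "ipProtocol": "tcp",
                          "userIDGroupPairs": [{"groupRef": {"from": {"name": "example-k8s-all"}}}]}],
    },
    "status": {"conditions": [
        {"type": "ACK.ReferencesResolved", "status": "True"},
        {"type": "ACK.ResourceSynced", "status": "False", "reason": ""},
    ]},
}

if __name__ == "__main__":
    print(diagnose(SAMPLE_CR), egress_group_refs(SAMPLE_CR))
```

With the workaround from the report applied (egress pairs switched to groupID), `egress_group_refs` returns an empty list, so a CR that is still unsynced then classifies as "stuck-other" rather than this issue's pattern.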
@a-hilaly a-hilaly added priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. service/ec2 Indicates issues or PRs that are related to ec2-controller. labels Oct 21, 2024
ack-prow bot pushed a commit to aws-controllers-k8s/ec2-controller that referenced this issue Oct 22, 2024
Issue #, if available: aws-controllers-k8s/community#2191

Description of changes:
- generates the code for resolving egress rules SG references
- updates integration tests to account for egress rules references

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
@a-hilaly
Member

Thank you @TiberiuGC & @jantzenallphin !!
/close

@ack-prow ack-prow bot closed this as completed Nov 20, 2024

ack-prow bot commented Nov 20, 2024

@a-hilaly: Closing this issue.

In response to this:

Thank you @TiberiuGC & @jantzenallphin !!
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
