NACL: Rules are not created properly #2374

Closed
itaiatu opened this issue Mar 12, 2025 · 2 comments · Fixed by aws-controllers-k8s/ec2-controller#252
Labels: priority/critical-urgent (Highest priority. Must be actively worked on as someone's top priority right now.), target/q1-2025 (Issues scheduled for Q1 in 2025)

Comments

@itaiatu
itaiatu commented Mar 12, 2025

Describe the bug
NACL rules are not created properly in the AWS console.
This is a follow-up issue of #2241.

Steps to reproduce
I have created the following NACL in the k8s cluster:

```yaml
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: NetworkACL
metadata:
  name: demo-itaiatu-test2
  namespace: sbx-clusters
  annotations:
    services.k8s.aws/region: us-east-1
spec:
  associations:
    - subnetID: subnet-04ceee7dff3fe90f4
  entries:
    - cidrBlock: 0.0.0.0/0
      egress: false
      protocol: "6"
      portRange:
        from: 80
        to: 80
      ruleAction: allow
      ruleNumber: 100
  vpcID: vpc-0361ffbb3d7a097e4
  tags:
    - key: Name
      value: demo-itaiatu-test2
```

Object's status:

```yaml
...
  tags:
  - key: Name
    value: demo-itaiatu-test2
  vpcID: vpc-0361ffbb3d7a097e4
status:
  ackResourceMetadata:
    ownerAccountID: "258057316678"
    region: us-east-1
  conditions:
  - lastTransitionTime: "2025-03-12T13:31:52Z"
    message: Resource synced successfully
    reason: ""
    status: "True"
    type: ACK.ResourceSynced
  id: acl-0a15a4c496cd94e55
  isDefault: false
  ownerID: "258057316678"
```

When looking in the AWS Console, in the first ~10 minutes the demo-itaiatu-test2 NACL didn't have rule 100, only the default ones (even though the status posted above said the resource was synced).

After ~10 minutes (maybe on the next reconciliation / object update), the rule with number 100 appeared in the console.

Another weird part is that on the default NACL, the rule with number 100 is added, but with wrong protocol and portRange, both on Ingress and Egress.

  • Ingress (screenshot)
  • Egress (screenshot)

Expected outcome
Same as #2241.

Environment

  • Kubernetes version 1.29
  • Using EKS (yes/no), if so version? 1.29
  • AWS service targeted (S3, RDS, etc.) EC2 v1.3.7
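One way to catch the symptom described in this report (status says ACK.ResourceSynced=True while the ACL in AWS still lacks the declared rule) is to compare spec.entries against the entries AWS reports for the ACL in status.id. This is an added check, not code from the issue or from ec2-controller; the AWS-side entries are constructed inline in the shape of `aws ec2 describe-network-acls` output (NetworkAcls[].Entries), and in practice you would feed the real response in.

```python
# Drift check for an ACK NetworkACL: desired spec.entries vs. what AWS reports.
# Constructed example, not code from the issue or from ec2-controller.

# AWS attaches this catch-all deny rule (ingress and egress) to every NACL.
DEFAULT_RULE_NUMBER = 32767

# spec.entries from the manifest above (ACK field names).
SPEC_ENTRIES = [
    {"cidrBlock": "0.0.0.0/0", "egress": False, "protocol": "6",
     "portRange": {"from": 80, "to": 80}, "ruleAction": "allow", "ruleNumber": 100},
]

# Constructed samples shaped like describe-network-acls Entries: first what the
# issue reports right after creation (rule 100 absent), then the later state.
AWS_ENTRIES_AT_CREATE = [
    {"CidrBlock": "0.0.0.0/0", "Egress": False, "Protocol": "-1",
     "RuleAction": "deny", "RuleNumber": DEFAULT_RULE_NUMBER},
    {"CidrBlock": "0.0.0.0/0", "Egress": True, "Protocol": "-1",
     "RuleAction": "deny", "RuleNumber": DEFAULT_RULE_NUMBER},
]
AWS_ENTRIES_LATER = AWS_ENTRIES_AT_CREATE + [
    {"CidrBlock": "0.0.0.0/0", "Egress": False, "Protocol": "6",
     "PortRange": {"From": 80, "To": 80}, "RuleAction": "allow", "RuleNumber": 100},
]

def _from_spec(e):
    pr = e.get("portRange") or {}
    return (e["ruleNumber"], bool(e["egress"]), e["cidrBlock"],
            str(e["protocol"]), pr.get("from"), pr.get("to"), e["ruleAction"])

def _from_aws(e):
    pr = e.get("PortRange") or {}
    return (e["RuleNumber"], bool(e["Egress"]), e.get("CidrBlock"),
            str(e["Protocol"]), pr.get("From"), pr.get("To"), e["RuleAction"])

def nacl_drift(spec_entries, aws_entries):
    """Return (missing, mismatched, unexpected) as lists of (ruleNumber, egress).
    The AWS catch-all deny rules are skipped: the manifest never lists them."""
    want = {(r[0], r[1]): r for r in map(_from_spec, spec_entries)}
    have = {(r[0], r[1]): r for r in map(_from_aws, aws_entries)
            if r[0] != DEFAULT_RULE_NUMBER}
    missing = sorted(k for k in want if k not in have)
    mismatched = sorted(k for k in want if k in have and want[k] != have[k])
    unexpected = sorted(k for k in have if k not in want)
    return missing, mismatched, unexpected

if __name__ == "__main__":
    # Status said ACK.ResourceSynced=True, yet rule 100 is reported missing.
    print("at create:", nacl_drift(SPEC_ENTRIES, AWS_ENTRIES_AT_CREATE))
    print("later:", nacl_drift(SPEC_ENTRIES, AWS_ENTRIES_LATER))
```

A non-empty `missing` or `mismatched` list while the condition reads ACK.ResourceSynced=True is exactly the gap this issue describes, so the check is worth running after creation rather than trusting the status alone.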
@eqe-aws (Contributor)

eqe-aws commented Mar 13, 2025

We are looking into this.

@rushmash91 (Member)

rushmash91 commented Mar 25, 2025

Hi @itaiatu,
Thank you for reporting the issue.

The default NACL behavior you are noticing with the rule number 100 is expected. AWS creates those for your VPC. You can read more about it here: Default network ACL for a VPC.

Will be sending a patch for the creation delay.
