Feature: Add option to delete default SG rule created upon VPC creation #212
Conversation
ack-prow
bot
added
the
do-not-merge/work-in-progress
|
Hi @nnbu. Thanks for your PR. I'm waiting for a aws-controllers-k8s member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
ack-prow
bot
added
the
needs-ok-to-test
nnbu
force-pushed
the
delDefaultSG
branch
5 times, most recently
from
b316b1e to
b8f2c63
Compare
nnbu
changed the title
ack-prow
bot
removed
the
do-not-merge/work-in-progress
|
/ok-to-test |
ack-prow
bot
added
ok-to-test
pkg/resource/vpc/sdk.go
Outdated
| @@ -207,6 +207,15 @@ func (rm *resourceManager) sdkFind( | |||
| ko.Spec.EnableDNSSupport = dnsAttrs.EnableSupport | |||
| ko.Spec.EnableDNSHostnames = dnsAttrs.EnableHostnames | |||
| } | |||
| defaultSGRuleExist, err := rm.hasDefaultSecurityGroupRule(ctx, &resource{ko}) | |||
pkg/resource/vpc/hooks.go
Outdated
| return nil, err | ||
| } | ||
|
|
||
| return resp.SecurityGroups[0].GroupId, nil |
There was a problem hiding this comment.
I guess it's safe to access [0] here, since default SG can't be deleted?
There was a problem hiding this comment.
yes, default SG has to be present. But I guess, it does not hurt checking for the access. So, I added it now
pkg/resource/vpc/hooks.go
Outdated
| func toStrPtr(str string) *string { | ||
| return &str | ||
| } | ||
|
|
||
| func toInt64Ptr(integer int64) *int64 { | ||
| return &integer | ||
| } |
There was a problem hiding this comment.
nit:
func ptr[t T](target T) *T { return &t }| if rule.CidrIpv4 == nil || rule.FromPort == nil || rule.ToPort == nil || rule.IpProtocol == nil || rule.IsEgress == nil { | ||
| return false | ||
| } | ||
|
|
||
| if *rule.CidrIpv4 == "0.0.0.0/0" && | ||
| *rule.FromPort == -1 && | ||
| *rule.ToPort == -1 && | ||
| *rule.IpProtocol == "-1" && | ||
| *rule.IsEgress { | ||
| return true | ||
| } |
There was a problem hiding this comment.
i wonder if non default security groups can have these attributes? i guess no, just making sure we're getting it right
There was a problem hiding this comment.
isDefaultSGEgressRule is only checking whether the passed rule is same as auto populated egress rule or not. Non-default security groups can intentionally add this rule, if they need. However, isDefaultSGEgressRule function gets called from hasDefaultEgressRule which gets security group ID of 'default' security group. So, we are never going to touch this rule for non-default security groups.
pkg/resource/vpc/hooks.go
Outdated
| if desired.ko.Spec.DeleteDefaultSecurityGroupRule != nil && *desired.ko.Spec.DeleteDefaultSecurityGroupRule { | ||
| if err = rm.deleteDefaultSecurityGroupRule(ctx, desired); err != nil { | ||
| // if deleteDefaultSecurityGroupRule fails, assume that the rule | ||
| // still exists and update the status accordingly. | ||
| exist := true | ||
| updated.ko.Status.DefaultSecurityGroupRuleExist = &exist | ||
| return nil, err | ||
| } | ||
| exist := false | ||
| updated.ko.Status.DefaultSecurityGroupRuleExist = &exist | ||
| } |
There was a problem hiding this comment.
Do we want to wrap this with if delta.DifferentAt("Spec.DeleteDefaultSecurityGroupRule") ?
test/e2e/tests/test_vpc.py
Outdated
| # Set deleteDefaultSecurityGroupRule to delete default security group | ||
| # rule | ||
| updates = { | ||
| "spec": {"deleteDefaultSecurityGroupRule": True} | ||
| } |
There was a problem hiding this comment.
This feels a little like an imperative call, instead of a declarative approach.. especially when switching back to False is a no-op. Just thinking out-loud, i'm not against this approach.
There was a problem hiding this comment.
My intentions was to test two scenarios.
- In test_delete_default_security_group_rule : set
deleteDefaultSecurityGroupRuletotrueupfront. This testscreatepath - In test_update_delete_default_security_group_rule : set
deleteDefaultSecurityGroupRuletotrueas part of Update. This testsupdatepath
nnbu
force-pushed
the
delDefaultSG
branch
5 times, most recently
from
9b7e4c3 to
b7a60e4
Compare
apis/v1alpha1/generator.yaml
Outdated
| DisallowSecurityGroupDefaultRules: | ||
| type: bool | ||
| is_required: false | ||
| DefaultSecurityGroupRuleExist: |
There was a problem hiding this comment.
| DefaultSecurityGroupRuleExist: | |
| SecurityGroupDefaultRulesExist: |
should this be plural? how about the name change suggestion, wdyt?
There was a problem hiding this comment.
It's really annoying that ideally we'd use the word default twice. As both the SG is the default one for VPC and the rules are the default ones for SG.
There was a problem hiding this comment.
I agree. I have now renamed everything to on the lines of SecurityGroupDefaultRules
|
@nnbu: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: a-hilaly, nnbu, TiberiuGC The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
nnbu
changed the title
…ws-controllers-k8s#212) Issue #, if available: Description of changes: When a VPC is created, it also creates 'default' security group. The 'default' security group has widely open egress rules. We need to have an option to delete this autocreated rules from 'default' security group. The 'default' security group itself can not be deleted. Discussion: https://kubernetes.slack.com/archives/C0402D8JJS1/p1720560499642019 By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Issue #, if available:
Description of changes:
When a VPC is created, it also creates 'default' security group. The 'default' security group has widely open egress rules. We need to have an option to delete this autocreated rules from 'default' security group. The 'default' security group itself can not be deleted.
Discussion:
https://kubernetes.slack.com/archives/C0402D8JJS1/p1720560499642019
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.