Document security list management mode annotation (#226)

Author: bdourallawzi

docs/load-balancer-annotations.md

@@ -27,6 +27,7 @@ spec:
 | `oci-load-balancer-subnet1`                 | The OCID of the first [subnet][2] of the two required subnets to attach the load balancer to. Must be in separate Availability Domains.                                                                                                            | Value provided in config file                    |
 | `oci-load-balancer-subnet2`                 | The OCID of the second [subnet][2] of the two required subnets to attach the load balancer to. Must be in separate Availability Domains.                                                                                                           | Value provided in config file                    |
 | `oci-load-balancer-connection-idle-timeout` | The maximum idle time, in seconds, allowed between two successive receive or two successive send operations between the client and backend servers.                                                                                                | `300` for TCP listeners, `60` for HTTP listeners |
+| `oci-load-balancer-security-list-management-mode` | Specifies the [security list mode](##security-list-management-modes) (`"All"`, `"Frontend"`,`"None"`) to configure how security lists are managed by the CCM.                            | `"All"`            
 
 ## TLS-related
 
@@ -35,6 +36,17 @@ spec:
 | `oci-load-balancer-tls-secret` | A reference in the form `<namespace>/<secretName>` to a Kubernetes [TLS secret][3]. | `""` |
 | `oci-load-balancer-ssl-ports` | A `,` separated list of port number(s) for which to enable SSL termination. | `""` |
 
+## Security List Management Modes
+| Mode | Description | 
+| ---- | ----------- | 
+| `"All"` | CCM will manage all required security list rules for load balancer services | 
+| `"Frontend"` | CCM will manage  only security list rules for ingress to the load balancer. Requires that the user has setup a rule that allows inbound traffic to the appropriate ports for kube proxy health port, node port ranges, and health check port ranges.  | 
+| `"None`" | Disables all security list management. Requires that the user has setup a rule that allows inbound traffic to the appropriate ports for kube proxy health port, node port ranges, and health check port ranges. *Additionally, requires the user to mange rules to allow inbound traffic to load balancers.* | 
+
+Note:
+- If an invalid mode is passed in the annotation, then the default (`"All"`) mode is configured.
+- If an annotation is not specified, the mode specified in the cloud provider config file is configured.  
+
 [1]: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
 [2]: https://docs.us-phoenix-1.oraclecloud.com/Content/Network/Tasks/managingVCNs.htm
 [3]: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls

examples/nginx-demo-svc-seclist-disabled.yaml

@@ -0,0 +1,31 @@
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+spec:
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx
+        ports:
+        - containerPort: 80
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: nginx-service
+  annotations:
+    oci-load-balancer-security-list-management-mode: "None"
+spec:
+  selector:
+    app: nginx
+  type: LoadBalancer
+  ports:
+  - name: http
+    port: 80
+    targetPort: 80

pkg/oci/load_balancer_security_lists.go

@@ -406,14 +406,14 @@ func getNodeIngressRules(rules []core.IngressSecurityRule, lbSubnets []*core.Sub
 	if desiredPorts.BackendPort != 0 { // Can happen when there are no backends.
 		for _, cidr := range desiredBackend.List() {
 			rule := makeIngressSecurityRule(cidr, desiredPorts.BackendPort)
-			glog.V(4).Infof("Addding node port ingress security rule %q %d-%d", *rule.Source, *rule.TcpOptions.DestinationPortRange.Min, *rule.TcpOptions.DestinationPortRange.Max)
+			glog.V(4).Infof("Adding node port ingress security rule %q %d-%d", *rule.Source, *rule.TcpOptions.DestinationPortRange.Min, *rule.TcpOptions.DestinationPortRange.Max)
 			ingressRules = append(ingressRules, rule)
 		}
 	}
 	if desiredPorts.HealthCheckerPort != 0 {
 		for _, cidr := range desiredHealthChecker.List() {
 			rule := makeIngressSecurityRule(cidr, desiredPorts.HealthCheckerPort)
-			glog.V(4).Infof("Addding health checker ingress security rule %q %d-%d", *rule.Source, *rule.TcpOptions.DestinationPortRange.Min, *rule.TcpOptions.DestinationPortRange.Max)
+			glog.V(4).Infof("Adding health checker ingress security rule %q %d-%d", *rule.Source, *rule.TcpOptions.DestinationPortRange.Min, *rule.TcpOptions.DestinationPortRange.Max)
 			ingressRules = append(ingressRules, rule)
 		}
 	}
@@ -471,7 +471,7 @@ func getLoadBalancerIngressRules(rules []core.IngressSecurityRule, sourceCIDRs [
 	// so we need to create one for each.
 	for _, cidr := range desired.List() {
 		rule := makeIngressSecurityRule(cidr, port)
-		glog.V(4).Infof("Addding load balancer ingress security rule %q %d-%d", *rule.Source, *rule.TcpOptions.DestinationPortRange.Min, *rule.TcpOptions.DestinationPortRange.Max)
+		glog.V(4).Infof("Adding load balancer ingress security rule %q %d-%d", *rule.Source, *rule.TcpOptions.DestinationPortRange.Min, *rule.TcpOptions.DestinationPortRange.Max)
 		ingressRules = append(ingressRules, rule)
 	}