Fix security list rules leak #151
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
owainlewis
reviewed
Mar 22, 2018
| err = cp.securityListManager.Update(ctx, lbSubnets, nodeSubnets, sourceCIDRs, listenerPort, backendPort, healthCheckPort) | ||
| if err != nil { | ||
| // FIXME(apryde): This is inelegant and inefficient. Update() should be refactored | ||
| // to take the old backend port and handle removal of associated rules. |
There was a problem hiding this comment.
Can backends be empty here? If so we'll need a guard against it. Logically this made me a bit uneasy
*action.OldBackendSet.Backends[0].Port
owainlewis
reviewed
Mar 22, 2018
| @@ -436,11 +436,17 @@ func (cp *CloudProvider) updateBackendSet(ctx context.Context, lbOCID string, ac | |||
|
|
|||
| workRequestID, err = cp.client.LoadBalancer().CreateBackendSet(ctx, lbOCID, action.Name(), bs) | |||
| case Update: | |||
| err = cp.securityListManager.Update(ctx, lbSubnets, nodeSubnets, sourceCIDRs, listenerPort, backendPort, healthCheckPort) | |||
| if err != nil { | |||
| // FIXME(apryde): This is inelegant and inefficient. Update() should be refactored | |||
There was a problem hiding this comment.
Create ticket for this so we can track it.
owainlewis
reviewed
Mar 22, 2018
pkg/oci/load_balancer.go
Outdated
| if action.OldBackendSet != nil && *action.OldBackendSet.Backends[0].Port != backendPort { | ||
| oldBackendPort := *action.OldBackendSet.Backends[0].Port | ||
| if err = cp.securityListManager.Delete(ctx, lbSubnets, nodeSubnets, listenerPort, oldBackendPort, healthCheckPort); err != nil { | ||
| return errors.Wrapf(err, "deleteing security rule for old node port %d", oldBackendPort) |
owainlewis
reviewed
Mar 22, 2018
pkg/oci/load_balancer.go
Outdated
| return errors.Wrapf(err, "deleteing security rule for old node port %d", oldBackendPort) | ||
| } | ||
| } | ||
| if err = cp.securityListManager.Update(ctx, lbSubnets, nodeSubnets, sourceCIDRs, listenerPort, backendPort, healthCheckPort); err != nil { |
There was a problem hiding this comment.
Might be nice to have a concrete structure here as passing around all these individual values is slightly hard to reason about. Perhaps a SecurityListDesiredState struct or similar?
prydie
force-pushed
the
ap/seclist-rule-leak
branch
from
0aca03c to
d734152
Compare
ayushverma14
pushed a commit
to ayushverma14/oci-cloud-controller-manager
that referenced
this pull request
Jul 18, 2022
* Delete seclist rules based on actual lb state * Fix leak of security list rules on NodePort update * Fix health checker changed logic
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes: #150.