Bl/adding seclistmode documentation

docs/load-balancer-annotations.md

@@ -27,6 +27,7 @@ spec:
 | `oci-load-balancer-subnet1`                 | The OCID of the first [subnet][2] of the two required subnets to attach the load balancer to. Must be in separate Availability Domains.                                                                                                            | Value provided in config file                    |
 | `oci-load-balancer-subnet2`                 | The OCID of the second [subnet][2] of the two required subnets to attach the load balancer to. Must be in separate Availability Domains.                                                                                                           | Value provided in config file                    |
 | `oci-load-balancer-connection-idle-timeout` | The maximum idle time, in seconds, allowed between two successive receive or two successive send operations between the client and backend servers.                                                                                                | `300` for TCP listeners, `60` for HTTP listeners |
+| `oci-load-balancer-security-list-management-mode` | Specifies the security list mode ("All", "Frontend", "None") to configure how security lists are managed by the CCM                                                                                                                     | `"All"`            
 
 ## TLS-related
 

docs/tutorial-securitylist-manager-mode.md

@@ -0,0 +1,93 @@
+# Tutorial
+
+This example will show you how to use the CCM to create a service 
+as well as explicitly specifying a security list management mode to
+configure how security lists are managed by the CCM.
+
+The possible security list modes:
+"All" (default): Manage all required security list rules for load balancer services.
+"Frontend":      Manage only security list rules for ingress to the load balancer. 
+                 Requires that the user has setup a rule that allows inbound traffic 
+                 to the appropriate ports for kube proxy health port, node port ranges, 
+                 and health check port ranges.
+                 E.g. 10.82.0.0/16 30000-32000.
+"None":          Disables all security list management. Requires that the user has setup 
+                 a rule that allows inbound traffic to the
+                 appropriate ports for kube proxy health port, node port ranges, 
+                 and health check port ranges. 
+                 E.g. 10.82.0.0/16 30000-32000.
+                 Additionally, requires the user to mange rules to allow inbound traffic to load balancers.
+
+Note:
+- If an invalid mode is passed in the annotation, then the default ("All") mode is configured.
+- If an annotation is not specified, the mode specified in the cloud provider config file is configured.
+
+### Load balancer example
+
+When you create a service with `type: LoadBalancer` an OCI load balancer will
+be created.
+
+The example below will create an NGINX deployment, expose it via a load
+balancer and disables all security list management. 
+Note: 
+- The service **type** is set to **LoadBalancer**.
+- The annotation must follow the [following format][1] **oci-load-balancer-security-list-management-mode**, 
+and declared as `"All"`, `"Frontend"`, `"None"`.
+
+```yaml
+---
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+spec:
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx
+        ports:
+        - containerPort: 80
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: nginx-service
+  annotations:
+    oci-load-balancer-security-list-management-mode: "None"
+spec:
+  selector:
+    app: nginx
+  type: LoadBalancer
+  ports:
+  - name: http
+    port: 80
+    targetPort: 80
+```
+Create it
+
+```bash
+$ kubectl create -f examples/nginx-demo-seclist-disabled.yaml
+```
+
+Watch the service and await a public IP address. This will be the load balancer
+IP which you can use to connect to your service.
+
+```bash
+$ kubectl get svc --watch
+NAME            CLUSTER-IP     EXTERNAL-IP      PORT(S)        AGE
+nginx-service   10.96.97.137   129.213.12.174   80:30274/TCP   5m
+```
+
+You can now access your service via the provisioned load balancer
+
+```bash
+$ curl -i http://129.213.12.174
+```
+
+
+[1]: https://github.com/oracle/oci-cloud-controller-manager/blob/master/docs/load-balancer-annotations.md

examples/nginx-demo-svc-seclist-disabled.yaml

@@ -0,0 +1,31 @@
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+spec:
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx
+        ports:
+        - containerPort: 80
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: nginx-service
+  annotations:
+    oci-load-balancer-security-list-management-mode: "None"
+spec:
+  selector:
+    app: nginx
+  type: LoadBalancer
+  ports:
+  - name: http
+    port: 80
+    targetPort: 80

pkg/oci/load_balancer_security_lists.go

@@ -406,14 +406,14 @@ func getNodeIngressRules(rules []core.IngressSecurityRule, lbSubnets []*core.Sub
 	if desiredPorts.BackendPort != 0 { // Can happen when there are no backends.
 		for _, cidr := range desiredBackend.List() {
 			rule := makeIngressSecurityRule(cidr, desiredPorts.BackendPort)
-			glog.V(4).Infof("Addding node port ingress security rule %q %d-%d", *rule.Source, *rule.TcpOptions.DestinationPortRange.Min, *rule.TcpOptions.DestinationPortRange.Max)
+			glog.V(4).Infof("Adding node port ingress security rule %q %d-%d", *rule.Source, *rule.TcpOptions.DestinationPortRange.Min, *rule.TcpOptions.DestinationPortRange.Max)
 			ingressRules = append(ingressRules, rule)
 		}
 	}
 	if desiredPorts.HealthCheckerPort != 0 {
 		for _, cidr := range desiredHealthChecker.List() {
 			rule := makeIngressSecurityRule(cidr, desiredPorts.HealthCheckerPort)
-			glog.V(4).Infof("Addding health checker ingress security rule %q %d-%d", *rule.Source, *rule.TcpOptions.DestinationPortRange.Min, *rule.TcpOptions.DestinationPortRange.Max)
+			glog.V(4).Infof("Adding health checker ingress security rule %q %d-%d", *rule.Source, *rule.TcpOptions.DestinationPortRange.Min, *rule.TcpOptions.DestinationPortRange.Max)
 			ingressRules = append(ingressRules, rule)
 		}
 	}
@@ -471,7 +471,7 @@ func getLoadBalancerIngressRules(rules []core.IngressSecurityRule, sourceCIDRs [
 	// so we need to create one for each.
 	for _, cidr := range desired.List() {
 		rule := makeIngressSecurityRule(cidr, port)
-		glog.V(4).Infof("Addding load balancer ingress security rule %q %d-%d", *rule.Source, *rule.TcpOptions.DestinationPortRange.Min, *rule.TcpOptions.DestinationPortRange.Max)
+		glog.V(4).Infof("Adding load balancer ingress security rule %q %d-%d", *rule.Source, *rule.TcpOptions.DestinationPortRange.Min, *rule.TcpOptions.DestinationPortRange.Max)
 		ingressRules = append(ingressRules, rule)
 	}