Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Additional subnet configuration options for AWS ELB #97431

Merged
merged 1 commit into from
Feb 10, 2021
Merged

Additional subnet configuration options for AWS ELB #97431

merged 1 commit into from
Feb 10, 2021

Conversation

kishorj
Copy link
Contributor

@kishorj kishorj commented Dec 21, 2020
edited
Loading

What type of PR is this?

/kind bug

What this PR does / why we need it:
This fix fulfills the security requirements of choosing specific set of subnets per load balancer on the same cluster.

We need this PR to support the following use-cases-

  • Ability to choose different or specific set of subnets per LB to fulfil security requirements. This will be supported via annotation.
  • Simplify VPC setup requirements since cluster name is no longer required on the tag key for subnet resources. This also helps easily provision k8s on an existing VPC setup.

Prior to this change, the AWS cloudprovider would auto discover subnets only with the cluster tags when provisioning NLB/CLB for service resources. We want to modify this behavior to include the subnets without any cluster tags, in addition to the ones previously matched by auto-discovery. After the changes, the auto-discovery will consider all subnets except the ones tagged explicitly for other cluster. If there are multiple subnets per AZ, the ties are broken in the following order

  • prefer the subnet with the correct role tag. kubernetes.io/role/elb for public and kubernetes.io/role/internal-elb for private access
  • prefer the subnet with the cluster tag kubernetes.io/cluster/<Cluster Name>
  • prefer the subnet that is first in lexicographic order

This PR also introduces an additional annotation to manually configure the subnets.

service.beta.kubernetes.io/aws-load-balancer-subnets: <CSV List of subnet IDs or names>

The default behavior is to auto-discover the subnets. The annotation is a comma separated list of subnet IDs or the Name tag of the subnets. The subnets specified on this annotation must exist on the same VPC and must be from different AZs.

For NLB, due to current limitations, subnet configuration is applied during load balancer creation only.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:
Verified the following on a kops cluster -

  • subnets with the appropriate cluster tag continue to get auto-discovered
  • subnets without any cluster tag also gets auto-discovered
  • subnets with cluster tag not matching the current cluster is not used
  • in case there are multiple subnets on an AZ, role tag takes precedence over cluster tag, cluster tag over lexicographic order of subnets
  • subnets annotation support both subnet IDs and names
  • subnets annotation override auto-discovery. For NLB, the specified subnets are used during LB creation
  • for CLB, subnets annotation can be edited and the changes get reflected on the load balancer during the next reconcile
  • when nonexistent subnets were specified in the annotation, service-controller threw an error. Once the annotation got edited, lb got reconciled successfully
  • when multiple subnets from the same AZ were specified in the annotation, got InvalidConfigurationRequest from ELB api

Does this PR introduce a user-facing change?:

AWS cloudprovider supports auto-discovering subnets without any kubernetes.io/cluster/<clusterName> tags. It also supports additional service annotation service.beta.kubernetes.io/aws-load-balancer-subnets to manually configure the subnets.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-kind Indicates a PR lacks a `kind/foo` label and requires one. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Dec 21, 2020
@k8s-ci-robot
Copy link
Contributor

@kishorj: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot
Copy link
Contributor

Hi @kishorj. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Dec 21, 2020
@k8s-ci-robot k8s-ci-robot added area/cloudprovider sig/cloud-provider Categorizes an issue or PR as relevant to SIG Cloud Provider. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Dec 21, 2020
@M00nF1sh
Copy link
Contributor

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Dec 21, 2020
@kishorj
Copy link
Contributor Author

kishorj commented Dec 22, 2020

/label tide/merge-method-squash

@k8s-ci-robot k8s-ci-robot added tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Dec 22, 2020
@kishorj kishorj changed the title Support subnets without cluster tag for auto-discovery Additional subnet configuration for AWS ELB Dec 22, 2020
@kishorj kishorj changed the title Additional subnet configuration for AWS ELB Additional subnet configuration options for AWS ELB Dec 22, 2020
M00nF1sh
M00nF1sh reviewed Dec 22, 2020
View reviewed changes
Copy link
Contributor

@M00nF1sh M00nF1sh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we want to support this for ELB as well?
have we tested the annotation works with kops cluster?

M00nF1sh
M00nF1sh reviewed Dec 22, 2020
View reviewed changes
Copy link
Contributor

@M00nF1sh M00nF1sh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/ok-to-test
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 22, 2020
@andrewsykim
Copy link
Member

The default behavior can lead to insecure configurations since when there are multiple subnets tagged within a AZ, it chose one based on lexical order of subnetID and there is no way to override it.

I'm fine with this PR, given it improves security and avoids insecure configurations. Left a few comments.

@kishorj
additional subnet configuration for AWS ELB
778e97d 
* support subnets without cluster tag for auto-discovery
* add support for manual subnet configuration via service annotation
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 22, 2021
andrewsykim
andrewsykim reviewed Feb 8, 2021
View reviewed changes
Copy link
Member

@andrewsykim andrewsykim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor question, lgtm otherwise

staging/src/k8s.io/legacy-cloud-providers/aws/tags.go Show resolved Hide resolved
@andrewsykim
Copy link
Member

/approve

Will leave lgtm for @nckturner or @M00nF1sh

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andrewsykim, kishorj, M00nF1sh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 9, 2021
@M00nF1sh
Copy link
Contributor

M00nF1sh commented Feb 9, 2021

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 9, 2021
@kishorj
Copy link
Contributor Author

kishorj commented Feb 9, 2021

/retest

1 similar comment
@kishorj
Copy link
Contributor Author

kishorj commented Feb 10, 2021

/retest

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

3 similar comments
@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@k8s-ci-robot k8s-ci-robot merged commit f48972e into kubernetes:master Feb 10, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.21 milestone Feb 10, 2021
@kishorj kishorj mentioned this pull request Feb 22, 2021
Closed
This was referenced Mar 19, 2021
Merged
Merged
@kishorj kishorj deleted the aws-subnet-tagging-update branch March 19, 2021 22:40
k8s-ci-robot added a commit that referenced this pull request Apr 8, 2021
@k8s-ci-robot
Merge pull request #100416 from kishorj/automated-cherry-pick-of-#974…
6b1f5f1 
…31-upstream-release-1.19

Automated cherry pick of #97431: additional subnet configuration for AWS ELB
k8s-ci-robot added a commit that referenced this pull request Apr 8, 2021
@k8s-ci-robot
Merge pull request #100414 from kishorj/automated-cherry-pick-of-#974…
2ac4f20 
…31-upstream-release-1.20

Automated cherry pick of #97431: additional subnet configuration for AWS ELB
rjosephwright added a commit to cloudboss/keights that referenced this pull request Apr 10, 2021
@rjosephwright
Update README and example variables regarding subnet tags
187d535 
In Kubernetes v1.21, tagging subnets is not required to create load
balancers. Keights will still support tagging them. See
kubernetes/kubernetes#97431.
rjosephwright added a commit to cloudboss/keights that referenced this pull request Apr 11, 2021
@rjosephwright
Update README and example variables regarding subnet tags
6f223e2 
In Kubernetes v1.21, tagging subnets is not required to create load
balancers. Keights will still support tagging them. See
kubernetes/kubernetes#97431.
This was referenced May 1, 2021
Closed
Merged
@Miciah
Copy link
Contributor

Miciah commented Dec 21, 2021

subnets without any cluster tag also gets auto-discovered

This is a breaking change for users who do have untagged subnets, don't want the cloud provider to use those untagged subnets, and upgrade to a version of Kubernetes with this change. Should this be behind a feature gate?

@gcs278 gcs278 mentioned this pull request Oct 24, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@M00nF1sh M00nF1sh M00nF1sh left review comments

@andrewsykim andrewsykim andrewsykim left review comments

@chrislovecnm chrislovecnm Awaiting requested review from chrislovecnm

@jsafrane jsafrane Awaiting requested review from jsafrane

Assignees

@cheftako cheftako

@andrewsykim andrewsykim

@M00nF1sh M00nF1sh

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/cloudprovider cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/cloud-provider Categorizes an issue or PR as relevant to SIG Cloud Provider. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges.
Projects
None yet
Milestone
v1.21
Development

Successfully merging this pull request may close these issues.
7 participants
@kishorj @k8s-ci-robot @M00nF1sh @andrewsykim @fejta-bot @Miciah @cheftako