Fix leak managed/owned security group on Service update with BYO SG #1209
base: master
This issue is currently awaiting triage. If cloud-provider-aws contributors determine this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Hi @mtulio. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here.
03f9775 to 83c92f2
/ok-to-test
83c92f2 to 23ba0b3
/test all
23ba0b3 to 0fec46d
Fixing doc strings and failed unit tests from previous unexpected behavior: /test all
Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.
0fec46d to 1907542
/test pull-cloud-provider-aws-e2e-kubetest2
/test all
I can't find connection between failures in pull-cloud-provider-aws-e2e-kubetest2 and existing changes. I am going to convert to regular PR to ask for reviewers while we observe if this isn't a CI flake. PTAL?
/test pull-cloud-provider-aws-e2e
Introduce unit tests for functions added to validate Service update to BYO Security Group annotations from a managed SG state.
1adf385 to 6af2646
/test pull-cloud-provider-aws-e2e
unrelated failure in the lb-internal tests which expects to fail (hairpinning). Checking if it was flake: /test pull-cloud-provider-aws-e2e
Review comments addressed, new e2e added and e2e passing on CI. This PR is ready for review. PTAL? Thanks
e2e test Investigating if the failure converting to draft while increasing debug on internal test of CLB, looks like it's failing to retrieve pod information, checking if this is related to the service account. Once I get more information and isolate the issue I will return to ready.
6af2646 to edd4a11
/test pull-cloud-provider-aws-e2e
Checking if I need to enhance the controller update the sg: /test pull-cloud-provider-aws-e2e
Introduce BYO Security Group(SG) update scenario to Service CLB to validate SG leak when user has created a Service CLB with default SG and eventually updated to a user-provided. kubernetes#1208
edd4a11 to f0b38b6
increase verbosity /test pull-cloud-provider-aws-e2e
e2e job green. I am also leaving the e2e more verbose in case of test network failures, helping devs troubleshooting easier CI logs of internal connectivity / internal LB. LMK if that makes sense. Converting to regular PR. PTAL? Thanks
@mtulio: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.
PR needs rebase.
Converting to draft while I return on it to rebase and run deepen investigation on e2e failures.
FWIW interim update, this PR is still alive and need to be fixed, and proposal could be used in the logic of BYOSG in NLBs. I am planning to return on it next week to rebase and ask for final review with recent updates in the Service NLB and e2e.
What type of PR is this?
/kind bug
What this PR does / why we need it:
This PR fixes a leaked security group (SG) when a Service type-loadBalancer (CLB) is updated adding the BYO SG annotation (service.beta.kubernetes.io/aws-load-balancer-security-groups), which replaces all SG added to the Load Balancer without removing rules and deleting it when created by controller.
Which issue(s) this PR fixes:
Fixes #1208
Special notes for your reviewer:
The approach of creating isolated function was used specially to:
The unit tests and documentation(function) comments have been assisted by Cursor AI(model claude-4-sonet): AIA HAb SeCeNc Hin R v1.0
Does this PR introduce a user-facing change?:
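
The cleanup decision behind the leak described in this PR, as an added example that is not the PR's or the project's code: when the BYO SG annotation replaces the groups on a load balancer, only groups the controller itself created should be revoked and deleted. The `SecurityGroup` type and `LeakCandidates` helper are hypothetical, and the example assumes controller ownership is marked by the tag `kubernetes.io/cluster/<name>=owned`, which the page does not state.

```go
package main

import (
	"fmt"
	"sort"
)

// SecurityGroup is a hypothetical, trimmed view of an EC2 security group.
type SecurityGroup struct {
	ID   string
	Tags map[string]string
}

// ownedBy reports whether the controller created the group for this cluster.
// Assumption: ownership is the tag kubernetes.io/cluster/<name>=owned.
func ownedBy(sg SecurityGroup, cluster string) bool {
	return sg.Tags["kubernetes.io/cluster/"+cluster] == "owned"
}

// LeakCandidates (hypothetical helper) returns the IDs of groups that are
// attached now, are absent from the BYO list, and are controller-owned.
// These need their rules revoked and the group deleted after the swap;
// user-provided or shared groups are only detached, never deleted.
func LeakCandidates(attached []SecurityGroup, byo []string, cluster string) []string {
	keep := make(map[string]bool, len(byo))
	for _, id := range byo {
		keep[id] = true
	}
	out := []string{}
	for _, sg := range attached {
		if keep[sg.ID] || !ownedBy(sg, cluster) {
			continue
		}
		out = append(out, sg.ID)
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample state, not taken from the PR.
	attached := []SecurityGroup{
		{ID: "sg-managed", Tags: map[string]string{"kubernetes.io/cluster/demo": "owned"}},
		{ID: "sg-user-old", Tags: map[string]string{"team": "payments"}},
	}
	fmt.Println(LeakCandidates(attached, []string{"sg-user-new"}, "demo"))
}
```

A managed group that the user lists again in the annotation stays attached, so it is excluded from the result rather than deleted.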