From e4a014198b895cd022b5adb7cae2946e4a2d3158 Mon Sep 17 00:00:00 2001
From: Marco Braga
Date: Mon, 2 Jun 2025 16:57:39 -0300
Subject: [PATCH 1/3] tmp/DNM: validating NLB+SG config

Bumping cloud-provider-aws are crashing, focusing in the change for now to be able to validate with cluster-bot.
---
 .../cloud-provider-aws/pkg/providers/v1/config/config.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/vendor/k8s.io/cloud-provider-aws/pkg/providers/v1/config/config.go b/vendor/k8s.io/cloud-provider-aws/pkg/providers/v1/config/config.go
index efae450ed..98ee44c0b 100644
--- a/vendor/k8s.io/cloud-provider-aws/pkg/providers/v1/config/config.go
+++ b/vendor/k8s.io/cloud-provider-aws/pkg/providers/v1/config/config.go
@@ -19,6 +19,9 @@ const (
 ClusterServiceLoadBalancerHealthProbeModeServiceNodePort = "ServiceNodePort"
 )
 
+// NLBSecurityGroupEnabled indicates whether the service loadbalancer type NLB is created with a Security Group.
+type NLBSecurityGroupEnabled bool
+
 // CloudConfig wraps the settings for the AWS cloud provider.
 // NOTE: Cloud config files should follow the same Kubernetes deprecation policy as
 // flags or CLIs. Config fields should not change behavior in incompatible ways and
@@ -83,6 +86,10 @@ type CloudConfig struct {
 
 // ClusterServiceSharedLoadBalancerHealthProbePath defines the target path of the shared health probe. Default to `/healthz`.
 ClusterServiceSharedLoadBalancerHealthProbePath string `json:"clusterServiceSharedLoadBalancerHealthProbePath,omitempty" yaml:"clusterServiceSharedLoadBalancerHealthProbePath,omitempty"`
+
+ // NLBSecurityGroupEnabled determines if the service type loadbalancer NLB creates and manages
+ // the resource with a security group (default behavior Classic Load Balancer).
+ NLBSecurityGroupEnabled NLBSecurityGroupEnabled `json:"nlbSecurityGroupEnabled,omitempty" yaml:"nlbSecurityGroupEnabled,omitempty"`
 }
 // [ServiceOverride "1"]
 // Service = s3
From b57eff83c96b9d9391f9dd1900cf8f99fb73a2d1 Mon Sep 17 00:00:00 2001
From: Marco Braga
Date: Tue, 3 Jun 2025 14:21:23 -0300
Subject: [PATCH 2/3] removing custom type

---
 .../cloud-provider-aws/pkg/providers/v1/config/config.go | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/vendor/k8s.io/cloud-provider-aws/pkg/providers/v1/config/config.go b/vendor/k8s.io/cloud-provider-aws/pkg/providers/v1/config/config.go
index 98ee44c0b..706fb5a31 100644
--- a/vendor/k8s.io/cloud-provider-aws/pkg/providers/v1/config/config.go
+++ b/vendor/k8s.io/cloud-provider-aws/pkg/providers/v1/config/config.go
@@ -19,9 +19,6 @@ const (
 ClusterServiceLoadBalancerHealthProbeModeServiceNodePort = "ServiceNodePort"
 )
 
-// NLBSecurityGroupEnabled indicates whether the service loadbalancer type NLB is created with a Security Group.
-type NLBSecurityGroupEnabled bool
-
 // CloudConfig wraps the settings for the AWS cloud provider.
 // NOTE: Cloud config files should follow the same Kubernetes deprecation policy as
 // flags or CLIs. Config fields should not change behavior in incompatible ways and
@@ -88,8 +85,8 @@ type CloudConfig struct {
 ClusterServiceSharedLoadBalancerHealthProbePath string `json:"clusterServiceSharedLoadBalancerHealthProbePath,omitempty" yaml:"clusterServiceSharedLoadBalancerHealthProbePath,omitempty"`
 
 // NLBSecurityGroupEnabled determines if the service type loadbalancer NLB creates and manages
- // the resource with a security group (default behavior Classic Load Balancer).
- NLBSecurityGroupEnabled NLBSecurityGroupEnabled `json:"nlbSecurityGroupEnabled,omitempty" yaml:"nlbSecurityGroupEnabled,omitempty"`
+ // the resource with a security group (similar default behavior Classic Load Balancer).
+ NLBSecurityGroupEnabled bool `json:"nlbSecurityGroupEnabled,omitempty" yaml:"nlbSecurityGroupEnabled,omitempty"`
 }
 // [ServiceOverride "1"]
 // Service = s3
From c288fe6f6fed898930df58e01aa2e4ae03edb8fa Mon Sep 17 00:00:00 2001
From: Marco Braga
Date: Tue, 3 Jun 2025 15:41:08 -0300
Subject: [PATCH 3/3] enforcing config type to managed

---
 pkg/cloud/aws/aws_config_transformer.go | 5 +++++
 .../pkg/providers/v1/config/config.go | 12 +++++++++---
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/pkg/cloud/aws/aws_config_transformer.go b/pkg/cloud/aws/aws_config_transformer.go
index 2caf36ff9..953229a01 100644
--- a/pkg/cloud/aws/aws_config_transformer.go
+++ b/pkg/cloud/aws/aws_config_transformer.go
@@ -83,4 +83,9 @@ func setOpenShiftDefaults(cfg *awsconfig.CloudConfig) {
 // health check endpoint served by OVN.
 cfg.Global.ClusterServiceLoadBalancerHealthProbeMode = "Shared"
 }
+ if cfg.Global.NLBSecurityGroupMode != awsconfig.NLBSecurityGroupModeManaged {
+ // OpenShift enforces security group by default when deploying
+ // service type loadbalancer NLB.
+ cfg.Global.NLBSecurityGroupMode = awsconfig.NLBSecurityGroupModeManaged
+ }
 }
diff --git a/vendor/k8s.io/cloud-provider-aws/pkg/providers/v1/config/config.go b/vendor/k8s.io/cloud-provider-aws/pkg/providers/v1/config/config.go
index 706fb5a31..5873c62da 100644
--- a/vendor/k8s.io/cloud-provider-aws/pkg/providers/v1/config/config.go
+++ b/vendor/k8s.io/cloud-provider-aws/pkg/providers/v1/config/config.go
@@ -17,6 +17,12 @@ const (
 
 // ClusterServiceLoadBalancerHealthProbeModeServiceNodePort is the service node port health probe mode for cluster service load balancer.
 ClusterServiceLoadBalancerHealthProbeModeServiceNodePort = "ServiceNodePort"
+
+ // NLBSecurityGroupModeManaged indicates the controller is managing security groups on service type loadbalancer NLB.
+ NLBSecurityGroupModeManaged = "Managed"
+
+ // NLBSecurityGroupModeUnmanaged indicates the controller is not managing security groups on service type loadbalancer NLB.
+ NLBSecurityGroupModeUnmanaged = "Unmanaged"
 )
 
 // CloudConfig wraps the settings for the AWS cloud provider.
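Review bot: The guard on the first added line of the aws_config_transformer.go hunk rewrites every value other than Managed, including an explicitly configured `NLBSecurityGroupModeUnmanaged`, so the added comment's "by default" does not describe what the code does. If a default is intended, the condition should be `if cfg.Global.NLBSecurityGroupMode == "" {`; if the override is deliberate, as the commit title "enforcing" suggests, the comment should say that a configured `Unmanaged` is not honored and the discarded value should be logged, so an operator auditing the cluster can see that their setting was replaced rather than assume it applied. An unconditional override is a reasonable hardening default only when it is documented as one, since it leaves no supported way to opt out from cloud config. setOpenShiftDefaults begins outside the hunk, and the `if` that sets "Shared" closes on the hunk's third line.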
@@ -84,9 +90,9 @@ type CloudConfig struct {
 // ClusterServiceSharedLoadBalancerHealthProbePath defines the target path of the shared health probe. Default to `/healthz`.
 ClusterServiceSharedLoadBalancerHealthProbePath string `json:"clusterServiceSharedLoadBalancerHealthProbePath,omitempty" yaml:"clusterServiceSharedLoadBalancerHealthProbePath,omitempty"`
 
- // NLBSecurityGroupEnabled determines if the service type loadbalancer NLB creates and manages
- // the resource with a security group (similar default behavior Classic Load Balancer).
- NLBSecurityGroupEnabled bool `json:"nlbSecurityGroupEnabled,omitempty" yaml:"nlbSecurityGroupEnabled,omitempty"`
+ // NLBSecurityGroupMode determines if the controller manage, creates and attaches, the security group when the service type
+ // loadbalancer NLB is created.
+ NLBSecurityGroupMode string `json:"nlbSecurityGroupMode,omitempty" yaml:"nlbSecurityGroupMode,omitempty"`
 }
 // [ServiceOverride "1"]
 // Service = s3
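Review bot: `NLBSecurityGroupMode` is a free-form string and nothing in this series validates it against the two constants added in the config.go const hunk, so a misspelling or a lowercase `managed` is neither rejected nor reported at this layer, and whether the consumer rejects unknown values is not visible in the diff. The field's doc comment should at least name the accepted values and state what an empty value maps to, and a validation step when the config is loaded would be preferable. The comment also has a grammar slip ("the controller manage, creates and attaches"); suggested wording: `// NLBSecurityGroupMode determines whether the controller manages (creates and attaches) the security group` / `// of a service type LoadBalancer NLB. Accepted values are NLBSecurityGroupModeManaged and NLBSecurityGroupModeUnmanaged.`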