Add securityGroups field to IngressClassParam

kubernetes-sigs · Jul 8, 2024 · 7ab27cc · 7ab27cc
1 parent e5d625f
commit 7ab27cc
Show file tree

Hide file tree

Showing 7 changed files with 188 additions and 4 deletions.
diff --git a/apis/elbv2/v1beta1/ingressclassparams_types.go b/apis/elbv2/v1beta1/ingressclassparams_types.go
@@ -126,6 +126,10 @@ type IngressClassParamsSpec struct {
 	// LoadBalancerAttributes define the custom attributes to LoadBalancers for all Ingress that that belong to IngressClass with this IngressClassParams.
 	// +optional
 	LoadBalancerAttributes []Attribute `json:"loadBalancerAttributes,omitempty"`
+
+	// SecurityGroups defines the security groups for all Ingresses that belong to IngressClass with this IngressClassParams.
+	// +optional
+	SecurityGroups []string `json:"securityGroups,omitempty"`
 }
 
 // +kubebuilder:object:root=true

diff --git a/apis/elbv2/v1beta1/zz_generated.deepcopy.go b/apis/elbv2/v1beta1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/elbv2.k8s.aws_ingressclassparams.yaml b/config/crd/bases/elbv2.k8s.aws_ingressclassparams.yaml
@@ -158,6 +158,12 @@ spec:
                 - internal
                 - internet-facing
                 type: string
+              securityGroups:
+                description: SecurityGroups defines the security groups for all Ingresses
+                  that belong to IngressClass with this IngressClassParams.
+                items:
+                  type: string
+                type: array
               sslPolicy:
                 description: SSLPolicy specifies the SSL Policy for all Ingresses
                   that belong to IngressClass with this IngressClassParams.

diff --git a/docs/guide/ingress/ingress_class.md b/docs/guide/ingress/ingress_class.md
@@ -140,6 +140,15 @@ You can use IngressClassParams to enforce settings for a set of Ingresses.
     spec:
       certificateArn: ['arn:aws:acm:us-east-1:123456789:certificate/test-arn-1','arn:aws:acm:us-east-1:123456789:certificate/test-arn-2']
     ```
+    - with securityGroups
+    ```
+    apiVersion: elbv2.k8s.aws/v1beta1
+    kind: IngressClassParams
+    metadata:
+    name: class2048-config
+    spec:
+      securityGroups: ['sg-123','sg-456']
+    ```
 
 ### IngressClassParams specification
 
@@ -213,6 +222,11 @@ Cluster administrators can use `ipAddressType` field to restrict the ipAddressTy
 1. If `ipAddressType` specified, all Ingresses with this IngressClass will have the specified ipAddressType.
 2. If `ipAddressType` un-specified, Ingresses with this IngressClass can continue to use `alb.ingress.kubernetes.io/ip-address-type` annotation to specify ipAddressType.
 
+#### spec.securityGroups
+
+Cluster administrators can use the optional `securityGroups` field to specify the security group to attach to the load balancers that belong to this IngressClass.
+If the field is specified, LBC will ignore the `alb.ingress.kubernetes.io/security-groups` annotation.
+
 #### spec.tags
 
 `tags` is an optional setting.

diff --git a/helm/aws-load-balancer-controller/crds/crds.yaml b/helm/aws-load-balancer-controller/crds/crds.yaml
@@ -157,6 +157,12 @@ spec:
                 - internal
                 - internet-facing
                 type: string
+              securityGroups:
+                description: SecurityGroups defines the security groups for all Ingresses
+                  that belong to IngressClass with this IngressClassParams.
+                items:
+                  type: string
+                type: array
               sslPolicy:
                 description: SSLPolicy specifies the SSL Policy for all Ingresses
                   that belong to IngressClass with this IngressClassParams.

diff --git a/pkg/ingress/model_build_load_balancer.go b/pkg/ingress/model_build_load_balancer.go
@@ -273,12 +273,12 @@ func (t *defaultModelBuildTask) buildLoadBalancerSubnetMappings(ctx context.Cont
 }
 
 func (t *defaultModelBuildTask) buildLoadBalancerSecurityGroups(ctx context.Context, listenPortConfigByPort map[int64]listenPortConfig, ipAddressType elbv2model.IPAddressType) ([]core.StringToken, error) {
-	sgNameOrIDsViaAnnotation, err := t.buildFrontendSGNameOrIDsFromAnnotation(ctx)
+	explicitSGNameOrIDs, err := t.buildFrontendSGNameOrIDs(ctx)
 	if err != nil {
 		return nil, err
 	}
 	var lbSGTokens []core.StringToken
-	if len(sgNameOrIDsViaAnnotation) == 0 {
+	if len(explicitSGNameOrIDs) == 0 {
 		managedSG, err := t.buildManagedSecurityGroup(ctx, listenPortConfigByPort, ipAddressType)
 		if err != nil {
 			return nil, err
@@ -301,7 +301,7 @@ func (t *defaultModelBuildTask) buildLoadBalancerSecurityGroups(ctx context.Cont
 		if err != nil {
 			return nil, err
 		}
-		frontendSGIDs, err := t.sgResolver.ResolveViaNameOrID(ctx, sgNameOrIDsViaAnnotation)
+		frontendSGIDs, err := t.sgResolver.ResolveViaNameOrID(ctx, explicitSGNameOrIDs)
 		if err != nil {
 			return nil, err
 		}
@@ -326,9 +326,13 @@ func (t *defaultModelBuildTask) buildLoadBalancerSecurityGroups(ctx context.Cont
 	return lbSGTokens, nil
 }
 
-func (t *defaultModelBuildTask) buildFrontendSGNameOrIDsFromAnnotation(ctx context.Context) ([]string, error) {
+func (t *defaultModelBuildTask) buildFrontendSGNameOrIDs(ctx context.Context) ([]string, error) {
 	var explicitSGNameOrIDsList [][]string
 	for _, member := range t.ingGroup.Members {
+		if member.IngClassConfig.IngClassParams != nil && member.IngClassConfig.IngClassParams.Spec.SecurityGroups != nil {
+			explicitSGNameOrIDsList = append(explicitSGNameOrIDsList, member.IngClassConfig.IngClassParams.Spec.SecurityGroups)
+			continue
+		}
 		var rawSGNameOrIDs []string
 		if exists := t.annotationParser.ParseStringSliceAnnotation(annotations.IngressSuffixSecurityGroups, &rawSGNameOrIDs, member.Ing.Annotations); !exists {
 			continue

diff --git a/pkg/ingress/model_builder_test.go b/pkg/ingress/model_builder_test.go
@@ -2466,6 +2466,151 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
 			}
 		}
 	}
+}`,
+		},
+		{
+			name: "Ingress - with SG in IngressClassParams",
+			env: env{
+				svcs: []*corev1.Service{ns_1_svc_1, ns_1_svc_2, ns_1_svc_3},
+			},
+			fields: fields{
+				resolveViaDiscoveryCalls: []resolveViaDiscoveryCall{resolveViaDiscoveryCallForInternalLB},
+				listLoadBalancersCalls:   []listLoadBalancersCall{listLoadBalancerCallForEmptyLB},
+				describeSecurityGroupsResult: []describeSecurityGroupsResult{
+					{
+						securityGroups: []*ec2sdk.SecurityGroup{
+							{
+								GroupId: awssdk.String("sg-manual"),
+							},
+						},
+					},
+				},
+				backendSecurityGroup: "sg-backend",
+				enableBackendSG:      true,
+			},
+			args: args{
+				ingGroup: Group{
+					ID: GroupID{Namespace: "ns-1", Name: "ing-1"},
+					Members: []ClassifiedIngress{
+						{
+							IngClassConfig: ClassConfiguration{
+								IngClassParams: &v1beta1.IngressClassParams{
+									Spec: v1beta1.IngressClassParamsSpec{
+										SecurityGroups: []string{"sg-manual"},
+									},
+								},
+							},
+							Ing: &networking.Ingress{
+								ObjectMeta: metav1.ObjectMeta{
+									Namespace: "ns-1",
+									Name:      "ing-1",
+									Annotations: map[string]string{
+										"alb.ingress.kubernetes.io/scheme":      "internet-facing",
+										"alb.ingress.kubernetes.io/target-type": "instance",
+									},
+								},
+								Spec: networking.IngressSpec{
+									Rules: []networking.IngressRule{
+										{
+											Host: "app-2.example.com",
+											IngressRuleValue: networking.IngressRuleValue{
+												HTTP: &networking.HTTPIngressRuleValue{
+													Paths: []networking.HTTPIngressPath{
+														{
+															Path: "/svc-3",
+															Backend: networking.IngressBackend{
+																Service: &networking.IngressServiceBackend{
+																	Name: ns_1_svc_3.Name,
+																	Port: networking.ServiceBackendPort{
+																		Name: "https",
+																	},
+																},
+															},
+														},
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			wantStackPatch: `
+{
+	"resources": {
+		"AWS::EC2::SecurityGroup": null,
+		"AWS::ElasticLoadBalancingV2::ListenerRule": {
+			"80:1": {
+				"spec": {
+					"actions": [
+						{
+							"forwardConfig": {
+								"targetGroups": [
+									{
+										"targetGroupARN": {
+											"$ref": "#/resources/AWS::ElasticLoadBalancingV2::TargetGroup/ns-1/ing-1-svc-3:https/status/targetGroupARN"
+										}
+									}
+								]
+							},
+							"type": "forward"
+						}
+					],
+					"conditions": [
+						{
+							"field": "host-header",
+							"hostHeaderConfig": {
+								"values": [
+									"app-2.example.com"
+								]
+							}
+						},
+						{
+							"field": "path-pattern",
+							"pathPatternConfig": {
+								"values": [
+									"/svc-3"
+								]
+							}
+						}
+					]
+				}
+			},
+			"80:2": null,
+			"80:3": null
+		},
+		"AWS::ElasticLoadBalancingV2::LoadBalancer": {
+			"LoadBalancer": {
+				"spec": {
+					"name": "k8s-ns1-ing1-159dd7a143",
+					"scheme": "internet-facing",
+					"securityGroups": [
+						"sg-manual"
+					]
+				}
+			}
+		},
+		"AWS::ElasticLoadBalancingV2::TargetGroup": {
+			"ns-1/ing-1-svc-1:http": null,
+			"ns-1/ing-1-svc-2:http": null
+		},
+		"K8S::ElasticLoadBalancingV2::TargetGroupBinding": {
+			"ns-1/ing-1-svc-1:http": null,
+			"ns-1/ing-1-svc-2:http": null,
+			"ns-1/ing-1-svc-3:https": {
+				"spec": {
+					"template": {
+						"spec": {
+							"networking": null
+						}
+					}
+				}
+			}
+		}
+	}
 }`,
 		},
 		{