inboud_security_groups

changhyuni · changhyuni · commit 1e579600c229 · 2024-09-02T02:37:46.000+09:00
Add referencing existing security groups for inbound traffic

Add referencing existing security groups for inbound traffic
diff --git a/docs/guide/ingress/annotations.md b/docs/guide/ingress/annotations.md
@@ -530,6 +530,24 @@ Access control for LoadBalancer can be controlled with following annotations:
         ```
         alb.ingress.kubernetes.io/inbound-cidrs: 10.0.0.0/24
         ```
+- <a name="inbound-security-groups">`alb.ingress.kubernetes.io/inbound-security-groups`</a> specifies the SecurtityGroups that are allowed to access LoadBalancer.
+
+    !!!note "Merge Behavior"
+        `inbound-security-groups` is merged across all Ingresses in IngressGroup, but is exclusive per listen-port.
+
+        - the `inbound-security-groups` will only impact the ports defined for that Ingress.
+        - if same listen-port is defined by multiple Ingress within IngressGroup, `inbound-security-groups` should only be defined on one of the Ingress.
+
+    !!!warning ""
+        this annotation will be ignored if `alb.ingress.kubernetes.io/security-groups` is specified.
+
+    !!!tip ""
+        Both name or ID of securityGroups are supported. Name matches a `Name` tag, not the `groupName` attribute.
+
+    !!!example
+        ```
+        alb.ingress.kubernetes.io/inbound-security-groups: sg-xxxx, nameOfSg1, nameOfSg2
+        ```
 
 - <a name="security-group-prefix-lists">`alb.ingress.kubernetes.io/security-group-prefix-lists`</a> specifies the managed prefix lists that are allowed to access LoadBalancer.
 
diff --git a/pkg/annotations/constants.go b/pkg/annotations/constants.go
@@ -23,6 +23,7 @@ const (
 	IngressSuffixListenPorts                  = "listen-ports"
 	IngressSuffixSSLRedirect                  = "ssl-redirect"
 	IngressSuffixInboundCIDRs                 = "inbound-cidrs"
+	IngressSuffixInboundSecurityGroups        = "inbound-security-groups"
 	IngressSuffixCertificateARN               = "certificate-arn"
 	IngressSuffixSSLPolicy                    = "ssl-policy"
 	IngressSuffixTargetType                   = "target-type"
diff --git a/pkg/ingress/model_build_listener.go b/pkg/ingress/model_build_listener.go
@@ -107,17 +107,25 @@ type listenPortConfig struct {
 	sslPolicy            *string
 	tlsCerts             []string
 	mutualAuthentication *elbv2model.MutualAuthenticationAttributes
+	securityGroupIDs     []string
 }
 
 func (t *defaultModelBuildTask) computeIngressListenPortConfigByPort(ctx context.Context, ing *ClassifiedIngress) (map[int64]listenPortConfig, error) {
 	explicitTLSCertARNs := t.computeIngressExplicitTLSCertARNs(ctx, ing)
 	explicitSSLPolicy := t.computeIngressExplicitSSLPolicy(ctx, ing)
 	var prefixListIDs []string
 	t.annotationParser.ParseStringSliceAnnotation(annotations.IngressSuffixSecurityGroupPrefixLists, &prefixListIDs, ing.Ing.Annotations)
+
+	securityGroupIDs, err := t.computeIngressExplicitSecurityGroupIDs(ctx, ing)
+	if err != nil {
+		return nil, err
+	}
+
 	inboundCIDRv4s, inboundCIDRV6s, err := t.computeIngressExplicitInboundCIDRs(ctx, ing)
 	if err != nil {
 		return nil, err
 	}
+
 	mutualAuthenticationAttributes, err := t.computeIngressMutualAuthentication(ctx, ing)
 	if err != nil {
 		return nil, err
@@ -146,10 +154,11 @@ func (t *defaultModelBuildTask) computeIngressListenPortConfigByPort(ctx context
 	listenPortConfigByPort := make(map[int64]listenPortConfig, len(listenPorts))
 	for port, protocol := range listenPorts {
 		cfg := listenPortConfig{
-			protocol:       protocol,
-			inboundCIDRv4s: inboundCIDRv4s,
-			inboundCIDRv6s: inboundCIDRV6s,
-			prefixLists:    prefixListIDs,
+			protocol:         protocol,
+			inboundCIDRv4s:   inboundCIDRv4s,
+			inboundCIDRv6s:   inboundCIDRV6s,
+			prefixLists:      prefixListIDs,
+			securityGroupIDs: securityGroupIDs,
 		}
 		if protocol == elbv2model.ProtocolHTTPS {
 			if len(explicitTLSCertARNs) == 0 {
@@ -225,6 +234,20 @@ func (t *defaultModelBuildTask) computeIngressListenPorts(_ context.Context, ing
 	return portAndProtocols, nil
 }
 
+func (t *defaultModelBuildTask) computeIngressExplicitSecurityGroupIDs(ctx context.Context, ing *ClassifiedIngress) ([]string, error) {
+	var rawSecurityGroups []string
+	if exists := t.annotationParser.ParseStringSliceAnnotation(annotations.IngressSuffixInboundSecurityGroups, &rawSecurityGroups, ing.Ing.Annotations); !exists {
+		return nil, nil
+	}
+
+	securityGroupIDs, err := t.sgResolver.ResolveViaNameOrID(ctx, rawSecurityGroups)
+	if err != nil {
+		return nil, fmt.Errorf("invalid %v settings on Ingress: %v: %w", annotations.IngressSuffixInboundSecurityGroups, k8s.NamespacedName(ing.Ing), err)
+	}
+
+	return securityGroupIDs, nil
+}
+
 func (t *defaultModelBuildTask) computeIngressExplicitInboundCIDRs(_ context.Context, ing *ClassifiedIngress) ([]string, []string, error) {
 	var rawInboundCIDRs []string
 	fromIngressClassParams := false
diff --git a/pkg/ingress/model_build_managed_sg.go b/pkg/ingress/model_build_managed_sg.go
@@ -109,6 +109,18 @@ func (t *defaultModelBuildTask) buildManagedSecurityGroupIngressPermissions(_ co
 				},
 			})
 		}
+		for _, sgID := range cfg.securityGroupIDs {
+			permissions = append(permissions, ec2model.IPPermission{
+				IPProtocol: "tcp",
+				FromPort:   awssdk.Int64(port),
+				ToPort:     awssdk.Int64(port),
+				UserIDGroupPairs: []ec2model.UserIDGroupPair{
+					{
+						GroupID: sgID,
+					},
+				},
+			})
+		}
 	}
 	return permissions
 }
diff --git a/pkg/ingress/model_builder.go b/pkg/ingress/model_builder.go
@@ -310,6 +310,9 @@ func (t *defaultModelBuildTask) mergeListenPortConfigs(_ context.Context, listen
 	var mergedMtlsAttributesProvider *types.NamespacedName
 	var mergedMtlsAttributes *elbv2model.MutualAuthenticationAttributes
 
+	var mergedSecurityGroupProvider *types.NamespacedName
+	mergedSecurityGroups := sets.NewString()
+
 	for _, cfg := range listenPortConfigs {
 		if mergedProtocolProvider == nil {
 			mergedProtocolProvider = &cfg.ingKey
@@ -343,6 +346,17 @@ func (t *defaultModelBuildTask) mergeListenPortConfigs(_ context.Context, listen
 			}
 		}
 
+		if len(cfg.listenPortConfig.securityGroupIDs) != 0 {
+			cfgSecurityGroups := sets.NewString(cfg.listenPortConfig.securityGroupIDs...)
+			if mergedSecurityGroupProvider == nil {
+				mergedSecurityGroupProvider = &cfg.ingKey
+				mergedSecurityGroups = cfgSecurityGroups
+			} else if !mergedSecurityGroups.Equal(cfgSecurityGroups) {
+				return listenPortConfig{}, errors.Errorf("conflicting security groups, %v: %v | %v: %v",
+					*mergedSecurityGroupProvider, mergedSecurityGroups.List(), cfg.ingKey, cfgSecurityGroups.List())
+			}
+		}
+
 		if cfg.listenPortConfig.sslPolicy != nil {
 			if mergedSSLPolicyProvider == nil {
 				mergedSSLPolicyProvider = &cfg.ingKey
@@ -389,6 +403,7 @@ func (t *defaultModelBuildTask) mergeListenPortConfigs(_ context.Context, listen
 		sslPolicy:            mergedSSLPolicy,
 		tlsCerts:             mergedTLSCerts,
 		mutualAuthentication: mergedMtlsAttributes,
+		securityGroupIDs:     mergedSecurityGroups.List(),
 	}, nil
 }
 
diff --git a/pkg/ingress/model_builder_test.go b/pkg/ingress/model_builder_test.go
@@ -3628,6 +3628,146 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
 			}
 		}
 	}
+}`,
+		},
+		{
+			name: "Ingress - ingress mixed inbound ip address & security groups",
+			env: env{
+				svcs: []*corev1.Service{ns_1_svc_1, ns_1_svc_2, ns_1_svc_3},
+			},
+			fields: fields{
+				resolveViaDiscoveryCalls: []resolveViaDiscoveryCall{resolveViaDiscoveryCallForInternalLB},
+				listLoadBalancersCalls:   []listLoadBalancersCall{listLoadBalancerCallForEmptyLB},
+				describeSecurityGroupsResult: []describeSecurityGroupsResult{
+					{
+						securityGroups: []*ec2sdk.SecurityGroup{
+							{
+								GroupId: awssdk.String("sg-903004f8"),
+							},
+							{
+								GroupId: awssdk.String("sg-903004f1"),
+							},
+						},
+					},
+				},
+				enableBackendSG: true,
+			},
+			args: args{
+				ingGroup: Group{
+					ID: GroupID{Namespace: "ns-1", Name: "ing-1"},
+					Members: []ClassifiedIngress{
+						{
+							Ing: &networking.Ingress{
+								ObjectMeta: metav1.ObjectMeta{
+									Namespace: "ns-1",
+									Name:      "ing-1",
+									Annotations: map[string]string{
+										"alb.ingress.kubernetes.io/inbound-cidrs":           "20.45.16.0/26",
+										"alb.ingress.kubernetes.io/inbound-security-groups": "sg-903004f8, sg-903004f1",
+									},
+								},
+								Spec: networking.IngressSpec{
+									Rules: []networking.IngressRule{
+										{
+											Host: "app-1.example.com",
+											IngressRuleValue: networking.IngressRuleValue{
+												HTTP: &networking.HTTPIngressRuleValue{
+													Paths: []networking.HTTPIngressPath{
+														{
+															Path: "/svc-1",
+															Backend: networking.IngressBackend{
+																Service: &networking.IngressServiceBackend{
+																	Name: ns_1_svc_1.Name,
+																	Port: networking.ServiceBackendPort{
+																		Name: "http",
+																	},
+																},
+															},
+														},
+														{
+															Path: "/svc-2",
+															Backend: networking.IngressBackend{
+																Service: &networking.IngressServiceBackend{
+																	Name: ns_1_svc_2.Name,
+																	Port: networking.ServiceBackendPort{
+																		Name: "http",
+																	},
+																},
+															},
+														},
+													},
+												},
+											},
+										},
+										{
+											Host: "app-2.example.com",
+											IngressRuleValue: networking.IngressRuleValue{
+												HTTP: &networking.HTTPIngressRuleValue{
+													Paths: []networking.HTTPIngressPath{
+														{
+															Path: "/svc-3",
+															Backend: networking.IngressBackend{
+																Service: &networking.IngressServiceBackend{
+																	Name: ns_1_svc_3.Name,
+																	Port: networking.ServiceBackendPort{
+																		Name: "https",
+																	},
+																},
+															},
+														},
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			wantStackPatch: `
+{
+  "resources": {
+    "AWS::EC2::SecurityGroup": {
+      "ManagedLBSecurityGroup": {
+        "spec": {
+          "ingress": [
+            {
+              "fromPort": 80,
+              "ipProtocol": "tcp",
+              "ipRanges": [
+                {
+                  "cidrIP": "20.45.16.0/26"
+                }
+              ],
+              "toPort": 80
+            },
+            {
+              "fromPort": 80,
+              "ipProtocol": "tcp",
+              "toPort": 80,
+              "userIDGroupPairs": [
+                {
+                  "groupID": "sg-903004f1"
+                }
+              ]
+            },
+            {
+              "fromPort": 80,
+              "ipProtocol": "tcp",
+              "toPort": 80,
+              "userIDGroupPairs": [
+                {
+                  "groupID": "sg-903004f8"
+                }
+              ]
+            }
+          ]
+        }
+      }
+    }
+  }
 }`,
 		},
 	}

Original file line number	Diff line number	Diff line change
`@@ -109,6 +109,18 @@ func (t *defaultModelBuildTask) buildManagedSecurityGroupIngressPermissions(_ co`
`109`	`109`	`},`
`110`	`110`	`})`
`111`	`111`	`}`
	`112`	`+ for _, sgID := range cfg.securityGroupIDs {`
	`113`	`+ permissions = append(permissions, ec2model.IPPermission{`
	`114`	`+ IPProtocol: "tcp",`
	`115`	`+ FromPort: awssdk.Int64(port),`
	`116`	`+ ToPort: awssdk.Int64(port),`
	`117`	`+ UserIDGroupPairs: []ec2model.UserIDGroupPair{`
	`118`	`+ {`
	`119`	`+ GroupID: sgID,`
	`120`	`+ },`
	`121`	`+ },`
	`122`	`+ })`
	`123`	`+ }`
`112`	`124`	`}`
`113`	`125`	`return permissions`
`114`	`126`	`}`