[feat: gw api] Security Group discovery and management

apis/gateway/v1beta1/loadbalancerconfig_types.go

@@ -44,8 +44,8 @@ type ListenerAttribute struct {
 	Value string `json:"value"`
 }
 
-// Tag defines a AWS Tag on resources.
-type LoadBalancerTag struct {
+// AWSTag defines a AWS Tag on resources.
+type AWSTag struct {
 	// The key of the tag.
 	Key string `json:"key"`
 
@@ -183,10 +183,16 @@ type LoadBalancerConfigurationSpec struct {
 	// +optional
 	EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic *string `json:"enforceSecurityGroupInboundRulesOnPrivateLinkTraffic,omitempty"`
 
-	// customerOwnedIpv4Pool is the ID of the customer-owned address for Application Load Balancers on Outposts pool.
+	// customerOwnedIpv4Pool [Application LoadBalancer]
+	// is the ID of the customer-owned address for Application Load Balancers on Outposts pool.
 	// +optional
 	CustomerOwnedIpv4Pool *string `json:"customerOwnedIpv4Pool,omitempty"`
 
+	// IPv4IPAMPoolId [Application LoadBalancer]
+	// defines the IPAM pool ID used for IPv4 Addresses on the ALB.
+	// +optional
+	IPv4IPAMPoolId *string `json:"ipv4IPAMPoolId,omitempty"`
+
 	// loadBalancerSubnets is an optional list of subnet configurations to be used in the LB
 	// This value takes precedence over loadBalancerSubnetsSelector if both are selected.
 	// +optional
@@ -224,7 +230,19 @@ type LoadBalancerConfigurationSpec struct {
 
 	// Tags defines list of Tags on LB.
 	// +optional
-	Tags []LoadBalancerTag `json:"tags,omitempty"`
+	Tags []AWSTag `json:"tags,omitempty"`
+
+	// EnableICMP [Network LoadBalancer]
+	// enables the creation of security group rules to the managed security group
+	// to allow explicit ICMP traffic for Path MTU discovery for IPv4 and dual-stack VPCs
+	// +optional
+	EnableICMP bool `json:"enableICMP,omitempty"`
+
+	// ManageBackendSecurityGroupRules [Application / Network LoadBalancer]
+	// specifies whether you want the controller to configure security group rules on Node/Pod for traffic access
+	// when you specify securityGroups
+	// +optional
+	ManageBackendSecurityGroupRules bool `json:"manageBackendSecurityGroupRules,omitempty"`
 }
 
 // TODO -- these can be used to set what generation the gateway is currently on to track progress on reconcile.

config/crd/gateway/gateway-crds.yaml

@@ -45,9 +45,16 @@ spec:
               LoadBalancerConfiguration
             properties:
               customerOwnedIpv4Pool:
-                description: customerOwnedIpv4Pool is the ID of the customer-owned
-                  address for Application Load Balancers on Outposts pool.
+                description: |-
+                  customerOwnedIpv4Pool [Application LoadBalancer]
+                  is the ID of the customer-owned address for Application Load Balancers on Outposts pool.
                 type: string
+              enableICMP:
+                description: |-
+                  EnableICMP [Network LoadBalancer]
+                  enables the creation of security group rules to the managed security group
+                  to allow explicit ICMP traffic for Path MTU discovery for IPv4 and dual-stack VPCs
+                type: boolean
               enforceSecurityGroupInboundRulesOnPrivateLinkTraffic:
                 description: enforceSecurityGroupInboundRulesOnPrivateLinkTraffic
                   Indicates whether to evaluate inbound security group rules for traffic
@@ -61,6 +68,11 @@ spec:
                 - dualstack
                 - dualstack-without-public-ipv4
                 type: string
+              ipv4IPAMPoolId:
+                description: |-
+                  IPv4IPAMPoolId [Application LoadBalancer]
+                  defines the IPAM pool ID used for IPv4 Addresses on the ALB.
+                type: string
               listenerConfigurations:
                 description: listenerConfigurations is an optional list of configurations
                   for each listener on LB
@@ -212,6 +224,12 @@ spec:
                   tag specified in the map key contains one of the values in the corresponding
                   value list.
                 type: object
+              manageBackendSecurityGroupRules:
+                description: |-
+                  ManageBackendSecurityGroupRules [Application / Network LoadBalancer]
+                  specifies whether you want the controller to configure security group rules on Node/Pod for traffic access
+                  when you specify securityGroups
+                type: boolean
               scheme:
                 description: scheme defines the type of LB to provision. If unspecified,
                   it will be automatically inferred.
@@ -240,7 +258,7 @@ spec:
               tags:
                 description: Tags defines list of Tags on LB.
                 items:
-                  description: Tag defines a AWS Tag on resources.
+                  description: AWSTag defines a AWS Tag on resources.
                   properties:
                     key:
                       description: The key of the tag.

config/crd/gateway/gateway.k8s.aws_loadbalancerconfigurations.yaml

@@ -46,9 +46,16 @@ spec:
               LoadBalancerConfiguration
             properties:
               customerOwnedIpv4Pool:
-                description: customerOwnedIpv4Pool is the ID of the customer-owned
-                  address for Application Load Balancers on Outposts pool.
+                description: |-
+                  customerOwnedIpv4Pool [Application LoadBalancer]
+                  is the ID of the customer-owned address for Application Load Balancers on Outposts pool.
                 type: string
+              enableICMP:
+                description: |-
+                  EnableICMP [Network LoadBalancer]
+                  enables the creation of security group rules to the managed security group
+                  to allow explicit ICMP traffic for Path MTU discovery for IPv4 and dual-stack VPCs
+                type: boolean
               enforceSecurityGroupInboundRulesOnPrivateLinkTraffic:
                 description: enforceSecurityGroupInboundRulesOnPrivateLinkTraffic
                   Indicates whether to evaluate inbound security group rules for traffic
@@ -62,6 +69,11 @@ spec:
                 - dualstack
                 - dualstack-without-public-ipv4
                 type: string
+              ipv4IPAMPoolId:
+                description: |-
+                  IPv4IPAMPoolId [Application LoadBalancer]
+                  defines the IPAM pool ID used for IPv4 Addresses on the ALB.
+                type: string
               listenerConfigurations:
                 description: listenerConfigurations is an optional list of configurations
                   for each listener on LB
@@ -213,6 +225,12 @@ spec:
                   tag specified in the map key contains one of the values in the corresponding
                   value list.
                 type: object
+              manageBackendSecurityGroupRules:
+                description: |-
+                  ManageBackendSecurityGroupRules [Application / Network LoadBalancer]
+                  specifies whether you want the controller to configure security group rules on Node/Pod for traffic access
+                  when you specify securityGroups
+                type: boolean
               scheme:
                 description: scheme defines the type of LB to provision. If unspecified,
                   it will be automatically inferred.
@@ -241,7 +259,7 @@ spec:
               tags:
                 description: Tags defines list of Tags on LB.
                 items:
-                  description: Tag defines a AWS Tag on resources.
+                  description: AWSTag defines a AWS Tag on resources.
                   properties:
                     key:
                       description: The key of the tag.

controllers/gateway/gateway_controller.go

@@ -26,6 +26,7 @@ import (
 	elbv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/networking"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/runtime"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/shared_constants"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
@@ -46,19 +47,19 @@ var _ Reconciler = &gatewayReconciler{}
 
 // NewNLBGatewayReconciler constructs a gateway reconciler to handle specifically for NLB gateways
 func NewNLBGatewayReconciler(routeLoader routeutils.Loader, cloud services.Cloud, k8sClient client.Client, eventRecorder record.EventRecorder, controllerConfig config.ControllerConfig, finalizerManager k8s.FinalizerManager, networkingSGReconciler networking.SecurityGroupReconciler, networkingSGManager networking.SecurityGroupManager, elbv2TaggingManager elbv2deploy.TaggingManager, subnetResolver networking.SubnetsResolver, vpcInfoProvider networking.VPCInfoProvider, backendSGProvider networking.BackendSGProvider, sgResolver networking.SecurityGroupResolver, logger logr.Logger, metricsCollector lbcmetrics.MetricCollector, reconcileCounters *metricsutil.ReconcileCounters) Reconciler {
-	return newGatewayReconciler(constants.NLBGatewayController, elbv2model.LoadBalancerTypeNetwork, controllerConfig.NLBGatewayMaxConcurrentReconciles, constants.NLBGatewayTagPrefix, constants.NLBGatewayFinalizer, routeLoader, routeutils.L4RouteFilter, cloud, k8sClient, eventRecorder, controllerConfig, finalizerManager, networkingSGReconciler, networkingSGManager, elbv2TaggingManager, subnetResolver, vpcInfoProvider, backendSGProvider, sgResolver, logger, metricsCollector, reconcileCounters.IncrementNLBGateway)
+	return newGatewayReconciler(constants.NLBGatewayController, elbv2model.LoadBalancerTypeNetwork, controllerConfig.NLBGatewayMaxConcurrentReconciles, constants.NLBGatewayTagPrefix, shared_constants.NLBGatewayFinalizer, routeLoader, routeutils.L4RouteFilter, cloud, k8sClient, eventRecorder, controllerConfig, finalizerManager, networkingSGReconciler, networkingSGManager, elbv2TaggingManager, subnetResolver, vpcInfoProvider, backendSGProvider, sgResolver, logger, metricsCollector, reconcileCounters.IncrementNLBGateway)
 }
 
 // NewALBGatewayReconciler constructs a gateway reconciler to handle specifically for ALB gateways
 func NewALBGatewayReconciler(routeLoader routeutils.Loader, cloud services.Cloud, k8sClient client.Client, eventRecorder record.EventRecorder, controllerConfig config.ControllerConfig, finalizerManager k8s.FinalizerManager, networkingSGReconciler networking.SecurityGroupReconciler, networkingSGManager networking.SecurityGroupManager, elbv2TaggingManager elbv2deploy.TaggingManager, subnetResolver networking.SubnetsResolver, vpcInfoProvider networking.VPCInfoProvider, backendSGProvider networking.BackendSGProvider, sgResolver networking.SecurityGroupResolver, logger logr.Logger, metricsCollector lbcmetrics.MetricCollector, reconcileCounters *metricsutil.ReconcileCounters) Reconciler {
-	return newGatewayReconciler(constants.ALBGatewayController, elbv2model.LoadBalancerTypeApplication, controllerConfig.ALBGatewayMaxConcurrentReconciles, constants.ALBGatewayTagPrefix, constants.ALBGatewayFinalizer, routeLoader, routeutils.L7RouteFilter, cloud, k8sClient, eventRecorder, controllerConfig, finalizerManager, networkingSGReconciler, networkingSGManager, elbv2TaggingManager, subnetResolver, vpcInfoProvider, backendSGProvider, sgResolver, logger, metricsCollector, reconcileCounters.IncrementALBGateway)
+	return newGatewayReconciler(constants.ALBGatewayController, elbv2model.LoadBalancerTypeApplication, controllerConfig.ALBGatewayMaxConcurrentReconciles, constants.ALBGatewayTagPrefix, shared_constants.ALBGatewayFinalizer, routeLoader, routeutils.L7RouteFilter, cloud, k8sClient, eventRecorder, controllerConfig, finalizerManager, networkingSGReconciler, networkingSGManager, elbv2TaggingManager, subnetResolver, vpcInfoProvider, backendSGProvider, sgResolver, logger, metricsCollector, reconcileCounters.IncrementALBGateway)
 }
 
 // newGatewayReconciler constructs a reconciler that responds to gateway object changes
 func newGatewayReconciler(controllerName string, lbType elbv2model.LoadBalancerType, maxConcurrentReconciles int, gatewayTagPrefix string, finalizer string, routeLoader routeutils.Loader, routeFilter routeutils.LoadRouteFilter, cloud services.Cloud, k8sClient client.Client, eventRecorder record.EventRecorder, controllerConfig config.ControllerConfig, finalizerManager k8s.FinalizerManager, networkingSGReconciler networking.SecurityGroupReconciler, networkingSGManager networking.SecurityGroupManager, elbv2TaggingManager elbv2deploy.TaggingManager, subnetResolver networking.SubnetsResolver, vpcInfoProvider networking.VPCInfoProvider, backendSGProvider networking.BackendSGProvider, sgResolver networking.SecurityGroupResolver, logger logr.Logger, metricsCollector lbcmetrics.MetricCollector, reconcileTracker func(namespaceName types.NamespacedName)) Reconciler {
 
 	trackingProvider := tracking.NewDefaultProvider(gatewayTagPrefix, controllerConfig.ClusterName)
-	modelBuilder := gatewaymodel.NewModelBuilder(subnetResolver, vpcInfoProvider, cloud.VpcID(), lbType, trackingProvider, elbv2TaggingManager, cloud.EC2(), controllerConfig.FeatureGates, controllerConfig.ClusterName, controllerConfig.DefaultTags, sets.New(controllerConfig.ExternalManagedTags...), controllerConfig.DefaultSSLPolicy, controllerConfig.DefaultTargetType, controllerConfig.DefaultLoadBalancerScheme, backendSGProvider, sgResolver, controllerConfig.EnableBackendSecurityGroup, controllerConfig.DisableRestrictedSGRules, logger)
+	modelBuilder := gatewaymodel.NewModelBuilder(subnetResolver, vpcInfoProvider, cloud.VpcID(), lbType, trackingProvider, elbv2TaggingManager, controllerConfig, cloud.EC2(), controllerConfig.FeatureGates, controllerConfig.ClusterName, controllerConfig.DefaultTags, sets.New(controllerConfig.ExternalManagedTags...), controllerConfig.DefaultSSLPolicy, controllerConfig.DefaultTargetType, controllerConfig.DefaultLoadBalancerScheme, backendSGProvider, sgResolver, controllerConfig.EnableBackendSecurityGroup, controllerConfig.DisableRestrictedSGRules, logger)
 
 	stackMarshaller := deploy.NewDefaultStackMarshaller()
 	stackDeployer := deploy.NewDefaultStackDeployer(cloud, k8sClient, networkingSGManager, networkingSGReconciler, elbv2TaggingManager, controllerConfig, gatewayTagPrefix, logger, metricsCollector, controllerName)

controllers/service/service_controller.go

@@ -3,6 +3,7 @@ package service
 import (
 	"context"
 	"fmt"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/shared_constants"
 
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
@@ -33,7 +34,6 @@ import (
 )
 
 const (
-	serviceFinalizer        = "service.k8s.aws/resources"
 	serviceTagPrefix        = "service.k8s.aws"
 	serviceAnnotationPrefix = "service.beta.kubernetes.io"
 	controllerName          = "service"
@@ -47,7 +47,7 @@ func NewServiceReconciler(cloud services.Cloud, k8sClient client.Client, eventRe
 
 	annotationParser := annotations.NewSuffixAnnotationParser(serviceAnnotationPrefix)
 	trackingProvider := tracking.NewDefaultProvider(serviceTagPrefix, controllerConfig.ClusterName)
-	serviceUtils := service.NewServiceUtils(annotationParser, serviceFinalizer, controllerConfig.ServiceConfig.LoadBalancerClass, controllerConfig.FeatureGates)
+	serviceUtils := service.NewServiceUtils(annotationParser, shared_constants.ServiceFinalizer, controllerConfig.ServiceConfig.LoadBalancerClass, controllerConfig.FeatureGates)
 	modelBuilder := service.NewDefaultModelBuilder(annotationParser, subnetsResolver, vpcInfoProvider, cloud.VpcID(), trackingProvider,
 		elbv2TaggingManager, cloud.EC2(), controllerConfig.FeatureGates, controllerConfig.ClusterName, controllerConfig.DefaultTags, controllerConfig.ExternalManagedTags,
 		controllerConfig.DefaultSSLPolicy, controllerConfig.DefaultTargetType, controllerConfig.DefaultLoadBalancerScheme, controllerConfig.FeatureGates.Enabled(config.EnableIPTargetType), serviceUtils,
@@ -170,7 +170,7 @@ func (r *serviceReconciler) reconcileLoadBalancerResources(ctx context.Context,
 
 	var err error
 	addFinalizersFn := func() {
-		err = r.finalizerManager.AddFinalizers(ctx, svc, serviceFinalizer)
+		err = r.finalizerManager.AddFinalizers(ctx, svc, shared_constants.ServiceFinalizer)
 	}
 	r.metricsCollector.ObserveControllerReconcileLatency(controllerName, "add_finalizers", addFinalizersFn)
 	if err != nil {
@@ -214,7 +214,7 @@ func (r *serviceReconciler) reconcileLoadBalancerResources(ctx context.Context,
 }
 
 func (r *serviceReconciler) cleanupLoadBalancerResources(ctx context.Context, svc *corev1.Service, stack core.Stack) error {
-	if k8s.HasFinalizer(svc, serviceFinalizer) {
+	if k8s.HasFinalizer(svc, shared_constants.ServiceFinalizer) {
 		err := r.deployModel(ctx, svc, stack)
 		if err != nil {
 			return err
@@ -226,7 +226,7 @@ func (r *serviceReconciler) cleanupLoadBalancerResources(ctx context.Context, sv
 			r.eventRecorder.Event(svc, corev1.EventTypeWarning, k8s.ServiceEventReasonFailedCleanupStatus, fmt.Sprintf("Failed update status due to %v", err))
 			return err
 		}
-		if err := r.finalizerManager.RemoveFinalizers(ctx, svc, serviceFinalizer); err != nil {
+		if err := r.finalizerManager.RemoveFinalizers(ctx, svc, shared_constants.ServiceFinalizer); err != nil {
 			r.eventRecorder.Event(svc, corev1.EventTypeWarning, k8s.ServiceEventReasonFailedRemoveFinalizer, fmt.Sprintf("Failed remove finalizer due to %v", err))
 			return err
 		}