SecurityGroup groupName setting from UserIdGroupPair spec not working as expected #2058
Closes aws-controllers-k8s/community#2068, aws-controllers-k8s/community#2061, and aws-controllers-k8s/community#2058

The EC2 API for setting ingress/egress rules has many special restrictions, making its behavior hard to predict. For example, `GroupName` should only be used with default VPCs. When using non-default VPCs, users should use `GroupID` instead.

To address this problem, we are introducing a defaulting mechanism to help the controller infer and use the correct `GroupID` when a user doesn't provide one.

You might wonder why all the trouble, and why not just use ACK resource references? Well.. this is necessary because ACK resource references cannot do self references, making fully declarative egress/ingress rule definition impossible in some cases.

Changes:
- Mark `UserIDGroupPairs.GroupName` as non-required (at the CRD level)
- Default `UserIDGroupPairs.GroupID` to the parent security group ID
- Default `UserIDGroupPairs.VPCID` to the VPC of the parent security group
- Add more e2e tests for `UserIDGroupPairs`

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
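The defaulting rules listed in the change description above, sketched as an added example (not the controller's own code). The types and `DefaultPairs` are hypothetical stand-ins, and leaving `GroupID` unset on a pair that sets `GroupName` is an assumption of this sketch.

```go
package main

import "fmt"

// Hypothetical stand-ins for the controller's types; only the field names
// GroupID, GroupName and VPCID come from the change description.
type UserIDGroupPair struct {
	GroupID, GroupName, VPCID *string
}

// SecurityGroup is the parent group whose rules carry the pairs.
type SecurityGroup struct {
	ID, VPCID string            // known only after EC2 has created the group
	Pairs     []UserIDGroupPair // pairs from all ingress/egress rules
}

// DefaultPairs returns a copy of sg.Pairs with empty GroupID and VPCID
// filled from the parent group. Assumption of this sketch: a pair that
// names a group via GroupName does not receive the parent's ID, so a rule
// meant for a peer group never silently becomes a self-reference.
func DefaultPairs(sg SecurityGroup) ([]UserIDGroupPair, error) {
	if sg.ID == "" || sg.VPCID == "" {
		return nil, fmt.Errorf("parent security group has no ID or VPC yet")
	}
	out := make([]UserIDGroupPair, len(sg.Pairs))
	for i, p := range sg.Pairs { // p is a copy; sg.Pairs is not modified
		if isEmpty(p.GroupID) && isEmpty(p.GroupName) {
			id := sg.ID
			p.GroupID = &id
		}
		if isEmpty(p.VPCID) {
			vpc := sg.VPCID
			p.VPCID = &vpc
		}
		out[i] = p
	}
	return out, nil
}

func isEmpty(s *string) bool { return s == nil || *s == "" }

func main() {
	name := "peer-sg" // constructed sample values, not real resource IDs
	sg := SecurityGroup{ID: "sg-0000example", VPCID: "vpc-0000example",
		Pairs: []UserIDGroupPair{{}, {GroupName: &name}}}
	pairs, err := DefaultPairs(sg)
	if err != nil {
		panic(err)
	}
	fmt.Println(*pairs[0].GroupID, *pairs[0].VPCID, pairs[1].GroupID == nil)
}
```

Running the defaulting before the parent group has an ID returns an error, which is the point at which a self-reference cannot yet be resolved.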
Should be fixed in https://github.com/aws-controllers-k8s/ec2-controller/releases/tag/v1.2.9
@a-hilaly: Closing this issue. In response to this:
Describe the bug

We are creating/grouping multiple SecurityGroups ACK objects into a single helm chart, along with other ACK objects (VPC, Subnets, etc). Some of these SGs need to be referenced in other SGs that are part of the same chart. Based on https://aws-controllers-k8s.github.io/community/reference/ec2/v1alpha1/securitygroup/ there are a few options via `userIDGroupPairs` when a SG needs to be referenced in another SG: `groupID` or `groupName`. Given the SG ID is not known beforehand, the only option left in this case is `groupName`. During our testing we found out that this option doesn't work as expected and we started getting errors like:

or

Steps to reproduce

Create a security group object like:

Check the status of the newly created object:

Expected outcome

Security group should be created without issues.

If VPC ID is not specified inside the `userIDGroupPairs`, use the one referenced via the `vpcRef` setting.

Other options might include adding support for `securitygroupref` or vpcRef settings inside the `userIDGroupPairs`.

Environment