[SecurityGroups] Cannot create security group when referencing itself inside a security group rule #2061
Comments
@adriananeci ReferenceResolver expects the referenced resource to be fully synced before being able to use its values, this creates a sort of circular dependency. There are two options here:
@adriananeci v1.2.9 will include a fix. Instead of using a self reference, you can just leave the field empty, the controller will automatically infer the GroupID/VPCID from the SecurityGroup specification.
Closes aws-controllers-k8s/community#2068, aws-controllers-k8s/community#2061, and aws-controllers-k8s/community#2058

The EC2 API for setting ingress/egress rules has many special restrictions, making its behavior hard to predict. For example, `GroupName` should only be used with default VPCs. When using non-default VPCs users should use `GroupID` instead.

To address this problem, we are introducing a defaulting mechanism to help the controller infer and use the correct `GroupID` when a user doesn't provide one.

You might wonder why all the trouble, and why not just use ACK resource references? Well.. this is necessary because ACK resource references cannot do self references, making fully declarative egress/ingress rule definition impossible in some cases.

Changes:
- Mark `UserIDGroupPairs.GroupName` as non-required (at the CRD level)
- Default `UserIDGroupPairs.GroupID` to the parent security group ID
- Default `UserIDGroupPairs.VPCID` to the VPC of the parent security group
- Add more e2e tests for `UserIDGroupPairs`

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
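The defaulting described in the commit message above, sketched as an added Go example (not the controller's own code). The struct types, `defaultGroupPairs` and the sample IDs are hypothetical; only the field names `GroupID`, `GroupName` and `VPCID` come from the page, and limiting the default to pairs that name no group is an assumption of this sketch.

```go
package main

import "fmt"

// Simplified, hypothetical stand-ins for the CRD types. Only the field names
// GroupID, GroupName and VPCID are taken from the commit message.
type UserIDGroupPair struct{ GroupID, GroupName, VPCID *string }
type IPPermission struct{ UserIDGroupPairs []*UserIDGroupPair }
type SecurityGroup struct {
	ID, VPCID                 string // ID stays empty until the group exists in EC2
	IngressRules, EgressRules []*IPPermission
}

func empty(s *string) bool { return s == nil || *s == "" }

// defaultGroupPairs points every pair that names no group at the parent
// security group and its VPC, and returns how many pairs it changed.
// Pairs with an explicit GroupID or GroupName are left untouched, so a
// reference to another group is never rewritten into a self reference.
func defaultGroupPairs(sg *SecurityGroup) (int, error) {
	if sg.ID == "" { // rules can only be defaulted once the group has an ID
		return 0, fmt.Errorf("parent security group has no ID yet")
	}
	changed := 0
	for _, rules := range [][]*IPPermission{sg.IngressRules, sg.EgressRules} {
		for _, rule := range rules {
			for _, p := range rule.UserIDGroupPairs {
				if p == nil || !empty(p.GroupID) || !empty(p.GroupName) {
					continue
				}
				id, vpc := sg.ID, sg.VPCID // copies, so pairs do not alias the parent
				p.GroupID = &id
				if empty(p.VPCID) {
					p.VPCID = &vpc
				}
				changed++
			}
		}
	}
	return changed, nil
}

func main() {
	other := "sg-0other000000000000" // constructed sample IDs throughout
	sg := &SecurityGroup{ID: "sg-0self0000000000000", VPCID: "vpc-0example000000000",
		EgressRules: []*IPPermission{{UserIDGroupPairs: []*UserIDGroupPair{{}, {GroupID: &other}}}}}
	n, err := defaultGroupPairs(sg)
	fmt.Println(n, err, *sg.EgressRules[0].UserIDGroupPairs[0].GroupID)
}
```

Running the defaulting only after the group has an ID is what lets a rule point back at its own group, which a reference that waits for a fully synced target cannot do.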
/reopen
@adriananeci: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@a-hilaly The problem still persists. I've tried omitting or leaving empty different fields from inside the
the object status is getting into
Do you have a working security group example spec that is referencing itself? Maybe I'm missing something. I've been running the tests using ec2-controller
I've looked into this in the last week and found the below to be a working example.
@adriananeci I believe the issue was the After applying above manifest, I've checked the created securitygroup in the console does indeed show reference to itself in these egress rules. /close
@jantzenallphin: You can't close an active issue/PR unless you authored it or you are a collaborator. In response to this:
Thank you folks!
@a-hilaly: Closing this issue. In response to this:
…s-controllers-k8s#194)
Describe the bug
Security group creation is failing when referencing itself inside a security group rule
Steps to reproduce
Try to create a security group referencing itself inside a rule using something like
Expected outcome
Security group should be able to reference itself
Environment