Skip to content

Commit

Permalink
keep LB addons' settings unchanged unless explicitly specified (#3800)
Browse files Browse the repository at this point in the history
add UTs for related components
  • Loading branch information
M00nF1sh authored Aug 9, 2024
1 parent 2556198 commit 7cd06f1
Show file tree
Hide file tree
Showing 14 changed files with 1,934 additions and 112 deletions.
48 changes: 33 additions & 15 deletions docs/guide/ingress/annotations.md
Original file line number Diff line number Diff line change
Expand Up @@ -907,35 +907,53 @@ In addition, you can use annotations to specify additional tags

## Addons

!!!note
If waf-acl-arn is specified via the ingress annotations, the controller will make sure the waf-acl is associated to the provisioned ALB with the ingress.
If there is not such annotation, the controller will make sure no waf-acl is associated, so it may remove the existing waf-acl on the ALB provisioned.
If users do not want the controller to manage the waf-acl on the ALBs, they can disable the feature by setting controller command line flags `--enable-waf=false` or `--enable-wafv2=false`

- <a name="waf-acl-id">`alb.ingress.kubernetes.io/waf-acl-id`</a> specifies the identifier for the Amazon WAF web ACL.
- <a name="waf-acl-id">`alb.ingress.kubernetes.io/waf-acl-id`</a> specifies the identifier for the Amazon WAF Classic web ACL.

!!!warning ""
Only Regional WAF is supported.
Only Regional WAF Classic is supported.

!!!note ""
When this annotation is absent or empty, the controller will keep LoadBalancer WAF Classic settings unchanged.
To disable WAF Classic, explicitly set the annotation value to 'none'.

!!!example
```alb.ingress.kubernetes.io/waf-acl-id: 499e8b99-6671-4614-a86d-adb1810b7fbe
```
- enable WAF Classic
```alb.ingress.kubernetes.io/waf-acl-id: 499e8b99-6671-4614-a86d-adb1810b7fbe
```
- disable WAF Classic
```alb.ingress.kubernetes.io/waf-acl-id: none
```

- <a name="wafv2-acl-arn">`alb.ingress.kubernetes.io/wafv2-acl-arn`</a> specifies ARN for the Amazon WAFv2 web ACL.

!!!warning ""
Only Regional WAFv2 is supported.

!!!note ""
When this annotation is absent or empty, the controller will keep LoadBalancer WAFv2 settings unchanged.
To disable WAFv2, explicitly set the annotation value to 'none'.

!!!tip ""
To get the WAFv2 Web ACL ARN from the Console, click the gear icon in the upper right and enable the ARN column.

!!!example
```alb.ingress.kubernetes.io/wafv2-acl-arn: arn:aws:wafv2:us-west-2:xxxxx:regional/webacl/xxxxxxx/3ab78708-85b0-49d3-b4e1-7a9615a6613b
```

- enable WAFv2
```alb.ingress.kubernetes.io/wafv2-acl-arn: arn:aws:wafv2:us-west-2:xxxxx:regional/webacl/xxxxxxx/3ab78708-85b0-49d3-b4e1-7a9615a6613b
```
- disable WAFV2
```alb.ingress.kubernetes.io/wafv2-acl-arn: none
```

- <a name="shield-advanced-protection">`alb.ingress.kubernetes.io/shield-advanced-protection`</a> turns on / off the AWS Shield Advanced protection for the load balancer.

!!!example
```alb.ingress.kubernetes.io/shield-advanced-protection: 'true'
```
!!!note ""
When this annotation is absent, the controller will keep LoadBalancer shield protection settings unchanged.
To disable shield protection, explicitly set the annotation value to 'false'.

!!!example
- enable shield protection
```alb.ingress.kubernetes.io/shield-advanced-protection: 'true'
```
- disable shield protection
```alb.ingress.kubernetes.io/shield-advanced-protection: 'false'
```
94 changes: 94 additions & 0 deletions pkg/deploy/shield/protection_manager_mocks.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

38 changes: 13 additions & 25 deletions pkg/deploy/shield/protection_synthesizer.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,11 +2,11 @@ package shield

import (
"context"
"fmt"
"github.com/go-logr/logr"
"github.com/pkg/errors"
"k8s.io/apimachinery/pkg/util/sets"
"sigs.k8s.io/aws-load-balancer-controller/pkg/model/core"
elbv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
shieldmodel "sigs.k8s.io/aws-load-balancer-controller/pkg/model/shield"
)

Expand All @@ -32,25 +32,18 @@ type protectionSynthesizer struct {

func (s *protectionSynthesizer) Synthesize(ctx context.Context) error {
var resProtections []*shieldmodel.Protection
s.stack.ListResources(&resProtections)
if err := s.stack.ListResources(&resProtections); err != nil {
return fmt.Errorf("[should never happen] failed to list resources: %w", err)
}
if len(resProtections) == 0 {
return nil
}
resProtectionsByResARN, err := mapResProtectionByResourceARN(resProtections)
if err != nil {
return err
}

var resLBs []*elbv2model.LoadBalancer
s.stack.ListResources(&resLBs)
for _, resLB := range resLBs {
// shield protection can only be associated with ALB for now.
if resLB.Spec.Type != elbv2model.LoadBalancerTypeApplication {
continue
}
lbARN, err := resLB.LoadBalancerARN().Resolve(ctx)
if err != nil {
return err
}
resProtections := resProtectionsByResARN[lbARN]
if err := s.synthesizeProtectionsOnLB(ctx, lbARN, resProtections); err != nil {
for resARN, protections := range resProtectionsByResARN {
if err := s.synthesizeProtectionsOnLB(ctx, resARN, protections); err != nil {
return err
}
}
Expand All @@ -63,18 +56,13 @@ func (s *protectionSynthesizer) PostSynthesize(ctx context.Context) error {
}

func (s *protectionSynthesizer) synthesizeProtectionsOnLB(ctx context.Context, lbARN string, resProtections []*shieldmodel.Protection) error {
if len(resProtections) > 1 {
return errors.Errorf("[should never happen] multiple shield protection desired on LoadBalancer: %v", lbARN)
}

enableProtection := false
if len(resProtections) == 1 {
enableProtection = true
if len(resProtections) != 1 {
return errors.Errorf("[should never happen] should be exactly one shield protection desired on LoadBalancer: %v", lbARN)
}

enableProtection := resProtections[0].Spec.Enabled
protectionInfo, err := s.protectionManager.GetProtection(ctx, lbARN)
if err != nil {
return err
return errors.Wrap(err, "failed to get shield protection on LoadBalancer")
}
switch {
case !enableProtection && protectionInfo != nil:
Expand Down
Loading

0 comments on commit 7cd06f1

Please sign in to comment.