
feat(NLB): Introduce Service annotation to allow ICMP for Path MTU Discovery #3939

Open
wants to merge 1 commit into base: main
Conversation

@chriswachira chriswachira commented Nov 12, 2024

Issue

#3897

Description

It might be necessary for some environments to allow Path MTU discovery for negotiation of MTU between two hosts. If a receiving host has a smaller MTU than the sending host, the receiving host sends an ICMP message to instruct the sending host to split the payload into multiple smaller packets and retransmit them:

  • Destination Unreachable: Fragmentation Needed and Don't Fragment was Set (Type 3, Code 4) for IPv4 networks.
  • ICMPv6 Packet Too Big (PTB) (Type 2) for IPv6 networks.

This work introduces a Service annotation (below) that, when configured, automatically adds a security group rule to the managed security group, depending on the IP address type.

service.beta.kubernetes.io/aws-load-balancer-enable-icmp-for-path-mtu-discovery: "on"

 

For IPv4 VPCs, an explicit rule is added to the managed security group to allow ICMPv4 Type 3 Code 4.


For dual stack VPCs, an explicit rule is added to the managed security group to allow both ICMPv4 Type 3 Code 4 and ICMPv6 Type 2 Code 0.


If the service.beta.kubernetes.io/load-balancer-source-ranges annotation is also present, it will also create an explicit rule for each source range.


Checklist

  • Added tests that cover your change (if possible)
  • Added/modified documentation as required (such as the README.md, or the docs directory)
  • Manually tested
  • Made sure the title of the PR is a good description that can go into the release notes

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

  • Backfilled missing tests for code in same general area 🎉
  • Refactored something and made the world a better place 🌟

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Nov 12, 2024
@k8s-ci-robot

Hi @chriswachira. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: chriswachira
Once this PR has been reviewed and has the lgtm label, please assign oliviassss for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Nov 12, 2024
@chriswachira chriswachira force-pushed the introduce-annotation-to-enable-icmp-rule-for-path-mtu-discovery branch from 47d0bc4 to 45aa281 Compare November 12, 2024 07:59

    !!!example
    ```
    service.beta.kubernetes.io/aws-load-balancer-enable-icmp-for-path-mtu-discovery: on
Contributor


The sample is incorrect; we need to surround the boolean value with quotes:

        service.beta.kubernetes.io/aws-load-balancer-enable-icmp-for-path-mtu-discovery: "on"

otherwise we get this error:

    error: unable to decode "/Users/nixozach/echoserver/svc.yaml": json: cannot unmarshal bool into Go struct field ObjectMeta.metadata.annotations of type string

Contributor Author


I've made this fix, kindly test.

@@ -84,6 +97,18 @@ func (t *defaultModelBuildTask) buildManagedSecurityGroupIngressPermissions(ctx
},
},
})
if icmpForPathMtuConfigured {
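Review bot: the guard `if icmpForPathMtuConfigured {` that opens this hunk reads as a check that the annotation is present rather than a check of its value, which is consistent with the report in this thread that setting the annotation to "off" leaves the rules in place; parse the annotation value and add the ICMP permissions only when it is exactly "on", so that any other value produces no desired rule and the reconciler removes the existing one.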
Contributor


Seems that once the rules are added, they can't be removed using:

    service.beta.kubernetes.io/aws-load-balancer-enable-icmp-for-path-mtu-discovery: "off"

Contributor Author


I've added a check to make sure it only adds the security group rules if the annotation value is "on", kindly test.

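As an added example (not the controller's own code), the rule derivation the PR description lays out and the "on"-only gate discussed just above, written in Go with a simplified `IPPermission` type standing in for the controller's model types; splitting the source ranges by address family and treating any value other than "on" as disabled are this example's assumptions.

```go
package main

import "strings"

// Annotation keys from the PR. IPPermission is a simplified stand-in for the
// controller's own types (an assumption of this added example); as in EC2,
// FromPort carries the ICMP type and ToPort the ICMP code.
const (
	annICMPForPMTUD = "service.beta.kubernetes.io/aws-load-balancer-enable-icmp-for-path-mtu-discovery"
	annSourceRanges = "service.beta.kubernetes.io/load-balancer-source-ranges"
)

type IPPermission struct {
	Protocol         string // "icmp" (IPv4) or "icmpv6"
	FromPort, ToPort int    // ICMP type, ICMP code
	CIDR             string // source range the rule is scoped to
}

// icmpPMTUDPermissions computes the ingress rules the annotation asks for.
// Only the exact value "on" enables them; "off" or any other value yields
// none, so a reconcile that diffs desired against actual rules drops old ones.
func icmpPMTUDPermissions(ann map[string]string, dualStack bool) []IPPermission {
	if strings.TrimSpace(ann[annICMPForPMTUD]) != "on" {
		return nil
	}
	v4, v6 := []string{"0.0.0.0/0"}, []string{"::/0"}
	if raw := strings.TrimSpace(ann[annSourceRanges]); raw != "" {
		v4, v6 = nil, nil // assumption: ranges are split by address family
		for _, r := range strings.Split(raw, ",") {
			switch r = strings.TrimSpace(r); {
			case r == "": // skip empty entries such as a trailing comma
			case strings.Contains(r, ":"):
				v6 = append(v6, r)
			default:
				v4 = append(v4, r)
			}
		}
	}
	var perms []IPPermission
	for _, c := range v4 { // Destination Unreachable, Fragmentation Needed
		perms = append(perms, IPPermission{"icmp", 3, 4, c})
	}
	if dualStack {
		for _, c := range v6 { // ICMPv6 Packet Too Big
			perms = append(perms, IPPermission{"icmpv6", 2, 0, c})
		}
	}
	return perms
}
```

With no source-ranges annotation the rules are open to 0.0.0.0/0 and ::/0, matching the screenshots described in the PR; with it, each listed CIDR gets its own rule.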
@chriswachira chriswachira force-pushed the introduce-annotation-to-enable-icmp-rule-for-path-mtu-discovery branch from 45aa281 to 6ed4baf Compare November 18, 2024 20:44
@chriswachira chriswachira force-pushed the introduce-annotation-to-enable-icmp-rule-for-path-mtu-discovery branch from 6ed4baf to 0ccf48d Compare November 21, 2024 07:08