Merge pull request #5030 from r4f4/fix-5029
🐛: elbv2: skip adding security groups to NLB in secret regions
k8s-ci-robot authored Sep 5, 2024
2 parents abe918c + dc6ee06 commit 2cbd9ad
Showing 1 changed file with 13 additions and 1 deletion.
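--- a/pkg/cloud/services/elb/loadbalancer.go
+++ b/pkg/cloud/services/elb/loadbalancer.go
@@ -64,6 +64,9 @@ const apiServerTargetGroupPrefix = "apiserver-target-"
 // listeners.
 const additionalTargetGroupPrefix = "additional-listener-"
 
+// cantAttachSGToNLBRegions is a set of regions that do not support Security Groups in NLBs.
+var cantAttachSGToNLBRegions = sets.New("us-iso-east-1", "us-iso-west-1", "us-isob-east-1")
+
 // ReconcileLoadbalancers reconciles the load balancers for the given cluster.
 func (s *Service) ReconcileLoadbalancers() error {
 s.scope.Debug("Reconciling load balancers")
@@ -395,6 +398,11 @@ func (s *Service) createLB(spec *infrav1.LoadBalancer, lbSpec *infrav1.AWSLoadBa
 input.IpAddressType = aws.String("dualstack")
 }
 
+// TODO: remove when security groups on NLBs is supported in all regions.
+if cantAttachSGToNLBRegions.Has(s.scope.Region()) {
+input.SecurityGroups = nil
+}
+
 // Allocate custom addresses (Elastic IP) to internet-facing Load Balancers, when defined.
 // Custom, or BYO, Public IPv4 Pool need to be created prior install, and the Pool ID must be
 // set in the VpcSpec.ElasticIPPool.PublicIPv4Pool to allow Elastic IP be consumed from
@@ -1788,7 +1796,11 @@ func shouldReconcileSGs(scope scope.ELBScope, lb *infrav1.LoadBalancer, specSGs
 // Once created without a security group, the NLB can never have any added.
 // (https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-security-groups.html)
 if lb.LoadBalancerType == infrav1.LoadBalancerTypeNLB && len(lb.SecurityGroupIDs) == 0 {
-scope.Info("Pre-existing NLB %s without security groups, cannot reconcile security groups.", lb.Name)
+if cantAttachSGToNLBRegions.Has(scope.Region()) {
+scope.Info("Region doesn't support NLB security groups, cannot reconcile security groups.", "region", scope.Region(), "elb-name", lb.Name)
+} else {
+scope.Info("Pre-existing NLB without security groups, cannot reconcile security groups.", "elb-name", lb.Name)
+}
 return false
 }
 if !sets.NewString(lb.SecurityGroupIDs...).Equal(sets.NewString(specSGs...)) {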
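Review bot: The new guard in createLB clears input.SecurityGroups for every load balancer created in a listed region, while the restriction the comment describes (and the matching check in shouldReconcileSGs in the third hunk) is specific to NLBs; if createLB is also reached for ALBs, which the surrounding `input.IpAddressType` handling suggests but the hunk does not show, an ALB in those regions would lose its security groups too. Gate the reset on the type as well, mirroring the later check: `if spec.LoadBalancerType == infrav1.LoadBalancerTypeNLB && cantAttachSGToNLBRegions.Has(s.scope.Region()) {`. Because any security groups the user configured are silently discarded here, a log line such as `s.scope.Info("Region doesn't support NLB security groups, creating load balancer without them", "region", s.scope.Region())` would make the resulting unrestricted NLB visible to operators rather than surfacing only later in shouldReconcileSGs. createLB's body starts and ends outside the hunk.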
