github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-05 10:19:50 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #45500 from nbutton23/nbutton-aws-elb-security-group

Browse Source 
Automatic merge from submit-queue (batch tested with PRs 36721, 46483, 45500, 46724, 46036)

AWS: Allow configuration of a single security group for ELBs

**What this PR does / why we need it**:
AWS has a hard limit on the number of Security Groups (500).  Right now every time an ELB is created Kubernetes is creating a new Security Group.  This allows for specifying a Security Group to use for all ELBS

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

**Special notes for your reviewer**:
For some reason the Diff tool makes this look like it was way more changes than it really was. 
**Release note**:

```release-note
```
This commit is contained in:
Kubernetes Submit Queue 2017-06-03 08:08:40 -07:00 committed by GitHub
commit 4220b7303e
1 changed files with 52 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
pkg/cloudprovider/providers/aws/aws.go
View File

@ -420,6 +420,11 @@ type CloudConfig struct {
//local VPC subnet (so load balancers can access it). E.g. 10.82.0.0/16 30000-32000. //local VPC subnet (so load balancers can access it). E.g. 10.82.0.0/16 30000-32000.
DisableSecurityGroupIngress bool DisableSecurityGroupIngress bool
//AWS has a hard limit of 500 security groups. For large clusters creating a security group for each ELB
//can cause the max number of security groups to be reached. If this is set instead of creating a new
//Security group for each ELB this security group will be used instead.
ElbSecurityGroup string
//During the instantiation of an new AWS cloud provider, the detected region //During the instantiation of an new AWS cloud provider, the detected region
//is validated against a known set of regions. //is validated against a known set of regions.
// //
@ -2764,6 +2769,11 @@ func (c *Cloud) EnsureLoadBalancer(clusterName string, apiService *v1.Service, n
// Create a security group for the load balancer // Create a security group for the load balancer
var securityGroupID string var securityGroupID string
{ {
if c.cfg.Global.ElbSecurityGroup != "" {
securityGroupID = c.cfg.Global.ElbSecurityGroup
} else {
sgName := "k8s-elb-" + loadBalancerName sgName := "k8s-elb-" + loadBalancerName
sgDescription := fmt.Sprintf("Security group for Kubernetes ELB %s (%v)", loadBalancerName, serviceName) sgDescription := fmt.Sprintf("Security group for Kubernetes ELB %s (%v)", loadBalancerName, serviceName)
securityGroupID, err = c.ensureSecurityGroup(sgName, sgDescription) securityGroupID, err = c.ensureSecurityGroup(sgName, sgDescription)
@ -2808,6 +2818,7 @@ func (c *Cloud) EnsureLoadBalancer(clusterName string, apiService *v1.Service, n
return nil, err return nil, err
} }
} }
}
securityGroupIDs := []string{securityGroupID} securityGroupIDs := []string{securityGroupID}
// Build the load balancer itself // Build the load balancer itself
@ -3143,6 +3154,10 @@ func (c *Cloud) EnsureLoadBalancerDeleted(clusterName string, service *v1.Servic
// Collect the security groups to delete // Collect the security groups to delete
securityGroupIDs := map[string]struct{}{} securityGroupIDs := map[string]struct{}{}
for _, securityGroupID := range lb.SecurityGroups { for _, securityGroupID := range lb.SecurityGroups {
if *securityGroupID == c.cfg.Global.ElbSecurityGroup {
//We don't want to delete a security group that was defined in the Cloud Configurationn.
continue
}
if isNilOrEmpty(securityGroupID) { if isNilOrEmpty(securityGroupID) {
glog.Warning("Ignoring empty security group in ", service.Name) glog.Warning("Ignoring empty security group in ", service.Name)
continue continue