github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-04 01:40:07 +00:00
Code Issues Projects Releases Wiki Activity

AWS: Fix problems with >2 security groups

Browse Source 
The previous logic was incorrect; if we saw two untagged security groups
before seeing the first tagged security, we would incorrectly return an
error.

Fix #23339
This commit is contained in:
Justin Santa Barbara 2016-03-22 13:00:14 -04:00
parent d124deeb2f
commit 59013f5507
1 changed files with 24 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
pkg/cloudprovider/providers/aws/aws.go
View File

@ -2286,37 +2286,42 @@ func toStatus(lb *elb.LoadBalancerDescription) *api.LoadBalancerStatus {
// Otherwise we will return an error. // Otherwise we will return an error.
func findSecurityGroupForInstance(instance *ec2.Instance, taggedSecurityGroups map[string]*ec2.SecurityGroup) (*ec2.GroupIdentifier, error) { func findSecurityGroupForInstance(instance *ec2.Instance, taggedSecurityGroups map[string]*ec2.SecurityGroup) (*ec2.GroupIdentifier, error) {
instanceID := aws.StringValue(instance.InstanceId) instanceID := aws.StringValue(instance.InstanceId)
var best *ec2.GroupIdentifier
var tagged []*ec2.GroupIdentifier
var untagged []*ec2.GroupIdentifier
for _, group := range instance.SecurityGroups { for _, group := range instance.SecurityGroups {
groupID := aws.StringValue(group.GroupId) groupID := aws.StringValue(group.GroupId)
if groupID == "" { if groupID == "" {
glog.Warningf("Ignoring security group without id for instance %q: %v", instanceID, group) glog.Warningf("Ignoring security group without id for instance %q: %v", instanceID, group)
continue continue
} }
if best == nil { _, isTagged := taggedSecurityGroups[groupID]
best = group if isTagged {
continue tagged = append(tagged, group)
} else {
untagged = append(untagged, group)
}
} }
_, bestIsTagged := taggedSecurityGroups[*best.GroupId] if len(tagged) > 0 {
_, groupIsTagged := taggedSecurityGroups[groupID]
if bestIsTagged && !groupIsTagged {
// best is still best
} else if groupIsTagged && !bestIsTagged {
best = group
} else {
// We create instances with one SG // We create instances with one SG
// If users create multiple SGs, they must tag one of them as being k8s owned // If users create multiple SGs, they must tag one of them as being k8s owned
return nil, fmt.Errorf("Multiple security groups found for instance (%s); ensure the k8s security group is tagged", instanceID) if len(tagged) != 1 {
return nil, fmt.Errorf("Multiple tagged security groups found for instance %s; ensure only the k8s security group is tagged", instanceID)
} }
return tagged[0], nil
}
if len(untagged) > 0 {
// For back-compat, we will allow a single untagged SG
if len(untagged) != 1 {
return nil, fmt.Errorf("Multiple untagged security groups found for instance %s; ensure the k8s security group is tagged", instanceID)
}
return untagged[0], nil
} }
if best == nil {
glog.Warningf("No security group found for instance %q", instanceID) glog.Warningf("No security group found for instance %q", instanceID)
} return nil, nil
return best, nil
} }
// Return all the security groups that are tagged as being part of our cluster // Return all the security groups that are tagged as being part of our cluster