inboud_security_groups

Add referencing existing security groups for inbound traffic

Add referencing existing security groups for inbound traffic

Add inboud security groups

Author: changhyuni

docs/guide/ingress/annotations.md

@@ -530,6 +530,24 @@ Access control for LoadBalancer can be controlled with following annotations:
         ```
         alb.ingress.kubernetes.io/inbound-cidrs: 10.0.0.0/24
         ```
+- <a name="inbound-security-groups">`alb.ingress.kubernetes.io/inbound-security-groups`</a> specifies the SecurtityGroups that are allowed to access LoadBalancer.
+
+    !!!note "Merge Behavior"
+        `inbound-security-groups` is merged across all Ingresses in IngressGroup, but is exclusive per listen-port.
+
+        - the `inbound-security-groups` will only impact the ports defined for that Ingress.
+        - if same listen-port is defined by multiple Ingress within IngressGroup, `inbound-security-groups` should only be defined on one of the Ingress.
+
+    !!!warning ""
+        this annotation will be ignored if `alb.ingress.kubernetes.io/security-groups` is specified.
+
+    !!!tip ""
+        Both name or ID of securityGroups are supported. Name matches a `Name` tag, not the `groupName` attribute.
+
+    !!!example
+        ```
+        alb.ingress.kubernetes.io/inbound-security-groups: sg-xxxx, nameOfSg1, nameOfSg2
+        ```
 
 - <a name="security-group-prefix-lists">`alb.ingress.kubernetes.io/security-group-prefix-lists`</a> specifies the managed prefix lists that are allowed to access LoadBalancer.
 

pkg/annotations/constants.go

@@ -6,48 +6,51 @@ const (
 
 	AnnotationPrefixIngress = "alb.ingress.kubernetes.io"
 	// Ingress annotation suffixes
-	IngressSuffixLoadBalancerName             = "load-balancer-name"
-	IngressSuffixGroupName                    = "group.name"
-	IngressSuffixGroupOrder                   = "group.order"
-	IngressSuffixTags                         = "tags"
-	IngressSuffixIPAddressType                = "ip-address-type"
-	IngressSuffixScheme                       = "scheme"
-	IngressSuffixSubnets                      = "subnets"
-	IngressSuffixCustomerOwnedIPv4Pool        = "customer-owned-ipv4-pool"
-	IngressSuffixLoadBalancerAttributes       = "load-balancer-attributes"
-	IngressSuffixWAFv2ACLARN                  = "wafv2-acl-arn"
-	IngressSuffixWAFACLID                     = "waf-acl-id"
-	IngressSuffixWebACLID                     = "web-acl-id" // deprecated, use "waf-acl-id" instead.
-	IngressSuffixShieldAdvancedProtection     = "shield-advanced-protection"
-	IngressSuffixSecurityGroups               = "security-groups"
-	IngressSuffixListenPorts                  = "listen-ports"
-	IngressSuffixSSLRedirect                  = "ssl-redirect"
-	IngressSuffixInboundCIDRs                 = "inbound-cidrs"
-	IngressSuffixCertificateARN               = "certificate-arn"
-	IngressSuffixSSLPolicy                    = "ssl-policy"
-	IngressSuffixTargetType                   = "target-type"
-	IngressSuffixBackendProtocol              = "backend-protocol"
-	IngressSuffixBackendProtocolVersion       = "backend-protocol-version"
-	IngressSuffixTargetGroupAttributes        = "target-group-attributes"
-	IngressSuffixHealthCheckPort              = "healthcheck-port"
-	IngressSuffixHealthCheckProtocol          = "healthcheck-protocol"
-	IngressSuffixHealthCheckPath              = "healthcheck-path"
-	IngressSuffixHealthCheckIntervalSeconds   = "healthcheck-interval-seconds"
-	IngressSuffixHealthCheckTimeoutSeconds    = "healthcheck-timeout-seconds"
-	IngressSuffixHealthyThresholdCount        = "healthy-threshold-count"
-	IngressSuffixUnhealthyThresholdCount      = "unhealthy-threshold-count"
-	IngressSuffixSuccessCodes                 = "success-codes"
-	IngressSuffixAuthType                     = "auth-type"
-	IngressSuffixAuthIDPCognito               = "auth-idp-cognito"
-	IngressSuffixAuthIDPOIDC                  = "auth-idp-oidc"
-	IngressSuffixAuthOnUnauthenticatedRequest = "auth-on-unauthenticated-request"
-	IngressSuffixAuthScope                    = "auth-scope"
-	IngressSuffixAuthSessionCookie            = "auth-session-cookie"
-	IngressSuffixAuthSessionTimeout           = "auth-session-timeout"
-	IngressSuffixTargetNodeLabels             = "target-node-labels"
-	IngressSuffixManageSecurityGroupRules     = "manage-backend-security-group-rules"
-	IngressSuffixMutualAuthentication         = "mutual-authentication"
-	IngressSuffixSecurityGroupPrefixLists     = "security-group-prefix-lists"
+	IngressSuffixLoadBalancerName                = "load-balancer-name"
+	IngressSuffixGroupName                       = "group.name"
+	IngressSuffixGroupOrder                      = "group.order"
+	IngressSuffixTags                            = "tags"
+	IngressSuffixIPAddressType                   = "ip-address-type"
+	IngressSuffixScheme                          = "scheme"
+	IngressSuffixSubnets                         = "subnets"
+	IngressSuffixCustomerOwnedIPv4Pool           = "customer-owned-ipv4-pool"
+	IngressSuffixLoadBalancerAttributes          = "load-balancer-attributes"
+	IngressSuffixWAFv2ACLARN                     = "wafv2-acl-arn"
+	IngressSuffixWAFACLID                        = "waf-acl-id"
+	IngressSuffixWebACLID                        = "web-acl-id" // deprecated, use "waf-acl-id" instead.
+	IngressSuffixShieldAdvancedProtection        = "shield-advanced-protection"
+	IngressSuffixSecurityGroups                  = "security-groups"
+	IngressSuffixListenPorts                     = "listen-ports"
+	IngressSuffixSSLRedirect                     = "ssl-redirect"
+	IngressSuffixInboundCIDRs                    = "inbound-cidrs"
+	IngressSuffixCertificateARN                  = "certificate-arn"
+	IngressSuffixSSLPolicy                       = "ssl-policy"
+	IngressSuffixTargetType                      = "target-type"
+	IngressSuffixBackendProtocol                 = "backend-protocol"
+	IngressSuffixBackendProtocolVersion          = "backend-protocol-version"
+	IngressSuffixTargetGroupAttributes           = "target-group-attributes"
+	IngressSuffixHealthCheckPort                 = "healthcheck-port"
+	IngressSuffixHealthCheckProtocol             = "healthcheck-protocol"
+	IngressSuffixHealthCheckPath                 = "healthcheck-path"
+	IngressSuffixHealthCheckIntervalSeconds      = "healthcheck-interval-seconds"
+	IngressSuffixHealthCheckTimeoutSeconds       = "healthcheck-timeout-seconds"
+	IngressSuffixHealthyThresholdCount           = "healthy-threshold-count"
+	IngressSuffixUnhealthyThresholdCount         = "unhealthy-threshold-count"
+	IngressSuffixSuccessCodes                    = "success-codes"
+	IngressSuffixAuthType                        = "auth-type"
+	IngressSuffixAuthIDPCognito                  = "auth-idp-cognito"
+	IngressSuffixAuthIDPOIDC                     = "auth-idp-oidc"
+	IngressSuffixAuthOnUnauthenticatedRequest    = "auth-on-unauthenticated-request"
+	IngressSuffixAuthScope                       = "auth-scope"
+	IngressSuffixAuthSessionCookie               = "auth-session-cookie"
+	IngressSuffixAuthSessionTimeout              = "auth-session-timeout"
+	IngressSuffixTargetNodeLabels                = "target-node-labels"
+	IngressSuffixManageSecurityGroupRules        = "manage-backend-security-group-rules"
+	IngressSuffixMutualAuthentication            = "mutual-authentication"
+	IngressSuffixSecurityGroupPrefixLists        = "security-group-prefix-lists"
+	IngressSuffixlsAttsAnnotationPrefix          = "listener-attributes"
+	IngressLBSuffixMultiClusterTargetGroup       = "multi-cluster-target-group"
+	IngressSuffixLoadBalancerCapacityReservation = "minimum-load-balancer-capacity"
 
 	// NLB annotation suffixes
 	// prefixes service.beta.kubernetes.io, service.kubernetes.io

pkg/ingress/model_build_listener.go

@@ -107,17 +107,25 @@ type listenPortConfig struct {
 	sslPolicy            *string
 	tlsCerts             []string
 	mutualAuthentication *elbv2model.MutualAuthenticationAttributes
+	securityGroupIDs     []string
 }
 
 func (t *defaultModelBuildTask) computeIngressListenPortConfigByPort(ctx context.Context, ing *ClassifiedIngress) (map[int64]listenPortConfig, error) {
 	explicitTLSCertARNs := t.computeIngressExplicitTLSCertARNs(ctx, ing)
 	explicitSSLPolicy := t.computeIngressExplicitSSLPolicy(ctx, ing)
 	var prefixListIDs []string
 	t.annotationParser.ParseStringSliceAnnotation(annotations.IngressSuffixSecurityGroupPrefixLists, &prefixListIDs, ing.Ing.Annotations)
+
+	securityGroupIDs, err := t.computeIngressExplicitSecurityGroupIDs(ctx, ing)
+	if err != nil {
+		return nil, err
+	}
+
 	inboundCIDRv4s, inboundCIDRV6s, err := t.computeIngressExplicitInboundCIDRs(ctx, ing)
 	if err != nil {
 		return nil, err
 	}
+
 	mutualAuthenticationAttributes, err := t.computeIngressMutualAuthentication(ctx, ing)
 	if err != nil {
 		return nil, err
@@ -146,10 +154,11 @@ func (t *defaultModelBuildTask) computeIngressListenPortConfigByPort(ctx context
 	listenPortConfigByPort := make(map[int64]listenPortConfig, len(listenPorts))
 	for port, protocol := range listenPorts {
 		cfg := listenPortConfig{
-			protocol:       protocol,
-			inboundCIDRv4s: inboundCIDRv4s,
-			inboundCIDRv6s: inboundCIDRV6s,
-			prefixLists:    prefixListIDs,
+			protocol:         protocol,
+			inboundCIDRv4s:   inboundCIDRv4s,
+			inboundCIDRv6s:   inboundCIDRV6s,
+			prefixLists:      prefixListIDs,
+			securityGroupIDs: securityGroupIDs,
 		}
 		if protocol == elbv2model.ProtocolHTTPS {
 			if len(explicitTLSCertARNs) == 0 {
@@ -225,6 +234,20 @@ func (t *defaultModelBuildTask) computeIngressListenPorts(_ context.Context, ing
 	return portAndProtocols, nil
 }
 
+func (t *defaultModelBuildTask) computeIngressExplicitSecurityGroupIDs(ctx context.Context, ing *ClassifiedIngress) ([]string, error) {
+	var rawSecurityGroups []string
+	if exists := t.annotationParser.ParseStringSliceAnnotation(annotations.IngressSuffixInboundSecurityGroups, &rawSecurityGroups, ing.Ing.Annotations); !exists {
+		return nil, nil
+	}
+
+	securityGroupIDs, err := t.sgResolver.ResolveViaNameOrID(ctx, rawSecurityGroups)
+	if err != nil {
+		return nil, fmt.Errorf("invalid %v settings on Ingress: %v: %w", annotations.IngressSuffixInboundSecurityGroups, k8s.NamespacedName(ing.Ing), err)
+	}
+
+	return securityGroupIDs, nil
+}
+
 func (t *defaultModelBuildTask) computeIngressExplicitInboundCIDRs(_ context.Context, ing *ClassifiedIngress) ([]string, []string, error) {
 	var rawInboundCIDRs []string
 	fromIngressClassParams := false

pkg/ingress/model_build_managed_sg.go

@@ -109,6 +109,18 @@ func (t *defaultModelBuildTask) buildManagedSecurityGroupIngressPermissions(_ co
 				},
 			})
 		}
+		for _, sgID := range cfg.securityGroupIDs {
+			permissions = append(permissions, ec2model.IPPermission{
+				IPProtocol: "tcp",
+				FromPort:   awssdk.Int64(port),
+				ToPort:     awssdk.Int64(port),
+				UserIDGroupPairs: []ec2model.UserIDGroupPair{
+					{
+						GroupID: sgID,
+					},
+				},
+			})
+		}
 	}
 	return permissions
 }

pkg/ingress/model_builder.go

@@ -310,6 +310,9 @@ func (t *defaultModelBuildTask) mergeListenPortConfigs(_ context.Context, listen
 	var mergedMtlsAttributesProvider *types.NamespacedName
 	var mergedMtlsAttributes *elbv2model.MutualAuthenticationAttributes
 
+	var mergedSecurityGroupProvider *types.NamespacedName
+	mergedSecurityGroups := sets.NewString()
+
 	for _, cfg := range listenPortConfigs {
 		if mergedProtocolProvider == nil {
 			mergedProtocolProvider = &cfg.ingKey
@@ -343,6 +346,17 @@ func (t *defaultModelBuildTask) mergeListenPortConfigs(_ context.Context, listen
 			}
 		}
 
+		if len(cfg.listenPortConfig.securityGroupIDs) != 0 {
+			cfgSecurityGroups := sets.NewString(cfg.listenPortConfig.securityGroupIDs...)
+			if mergedSecurityGroupProvider == nil {
+				mergedSecurityGroupProvider = &cfg.ingKey
+				mergedSecurityGroups = cfgSecurityGroups
+			} else if !mergedSecurityGroups.Equal(cfgSecurityGroups) {
+				return listenPortConfig{}, errors.Errorf("conflicting security groups, %v: %v | %v: %v",
+					*mergedSecurityGroupProvider, mergedSecurityGroups.List(), cfg.ingKey, cfgSecurityGroups.List())
+			}
+		}
+
 		if cfg.listenPortConfig.sslPolicy != nil {
 			if mergedSSLPolicyProvider == nil {
 				mergedSSLPolicyProvider = &cfg.ingKey
@@ -389,6 +403,7 @@ func (t *defaultModelBuildTask) mergeListenPortConfigs(_ context.Context, listen
 		sslPolicy:            mergedSSLPolicy,
 		tlsCerts:             mergedTLSCerts,
 		mutualAuthentication: mergedMtlsAttributes,
+		securityGroupIDs:     mergedSecurityGroups.List(),
 	}, nil
 }