inboud_security_groups

Add referencing existing security groups for inbound traffic

Add referencing existing security groups for inbound traffic

Add inboud security groups

Add inboud security group

Add annotation

Add annotations

Add annotationsss

Add annotationssss

Author: changhyuni

docs/guide/ingress/annotations.md

@@ -530,6 +530,24 @@ Access control for LoadBalancer can be controlled with following annotations:
         ```
         alb.ingress.kubernetes.io/inbound-cidrs: 10.0.0.0/24
         ```
+- <a name="inbound-security-groups">`alb.ingress.kubernetes.io/inbound-security-groups`</a> specifies the SecurtityGroups that are allowed to access LoadBalancer.
+
+    !!!note "Merge Behavior"
+        `inbound-security-groups` is merged across all Ingresses in IngressGroup, but is exclusive per listen-port.
+
+        - the `inbound-security-groups` will only impact the ports defined for that Ingress.
+        - if same listen-port is defined by multiple Ingress within IngressGroup, `inbound-security-groups` should only be defined on one of the Ingress.
+
+    !!!warning ""
+        this annotation will be ignored if `alb.ingress.kubernetes.io/security-groups` is specified.
+
+    !!!tip ""
+        Both name or ID of securityGroups are supported. Name matches a `Name` tag, not the `groupName` attribute.
+
+    !!!example
+        ```
+        alb.ingress.kubernetes.io/inbound-security-groups: sg-xxxx, nameOfSg1, nameOfSg2
+        ```
 
 - <a name="security-group-prefix-lists">`alb.ingress.kubernetes.io/security-group-prefix-lists`</a> specifies the managed prefix lists that are allowed to access LoadBalancer.
 

pkg/annotations/constants.go

@@ -1,53 +1,64 @@
 package annotations
 
 const (
+	// AnnotationCheckPoint is the annotation used to store a checkpoint for resources.
+	// It contains an opaque value that represents the last known reconciled state.
+	AnnotationCheckPoint = "elbv2.k8s.aws/checkpoint"
+
+	// AnnotationCheckPointTimestamp is the annotation used to store the last checkpointed time. The value is stored in seconds.
+	AnnotationCheckPointTimestamp = AnnotationCheckPoint + "-timestamp"
+
 	// IngressClass
 	IngressClass = "kubernetes.io/ingress.class"
 
 	AnnotationPrefixIngress = "alb.ingress.kubernetes.io"
 	// Ingress annotation suffixes
-	IngressSuffixLoadBalancerName             = "load-balancer-name"
-	IngressSuffixGroupName                    = "group.name"
-	IngressSuffixGroupOrder                   = "group.order"
-	IngressSuffixTags                         = "tags"
-	IngressSuffixIPAddressType                = "ip-address-type"
-	IngressSuffixScheme                       = "scheme"
-	IngressSuffixSubnets                      = "subnets"
-	IngressSuffixCustomerOwnedIPv4Pool        = "customer-owned-ipv4-pool"
-	IngressSuffixLoadBalancerAttributes       = "load-balancer-attributes"
-	IngressSuffixWAFv2ACLARN                  = "wafv2-acl-arn"
-	IngressSuffixWAFACLID                     = "waf-acl-id"
-	IngressSuffixWebACLID                     = "web-acl-id" // deprecated, use "waf-acl-id" instead.
-	IngressSuffixShieldAdvancedProtection     = "shield-advanced-protection"
-	IngressSuffixSecurityGroups               = "security-groups"
-	IngressSuffixListenPorts                  = "listen-ports"
-	IngressSuffixSSLRedirect                  = "ssl-redirect"
-	IngressSuffixInboundCIDRs                 = "inbound-cidrs"
-	IngressSuffixCertificateARN               = "certificate-arn"
-	IngressSuffixSSLPolicy                    = "ssl-policy"
-	IngressSuffixTargetType                   = "target-type"
-	IngressSuffixBackendProtocol              = "backend-protocol"
-	IngressSuffixBackendProtocolVersion       = "backend-protocol-version"
-	IngressSuffixTargetGroupAttributes        = "target-group-attributes"
-	IngressSuffixHealthCheckPort              = "healthcheck-port"
-	IngressSuffixHealthCheckProtocol          = "healthcheck-protocol"
-	IngressSuffixHealthCheckPath              = "healthcheck-path"
-	IngressSuffixHealthCheckIntervalSeconds   = "healthcheck-interval-seconds"
-	IngressSuffixHealthCheckTimeoutSeconds    = "healthcheck-timeout-seconds"
-	IngressSuffixHealthyThresholdCount        = "healthy-threshold-count"
-	IngressSuffixUnhealthyThresholdCount      = "unhealthy-threshold-count"
-	IngressSuffixSuccessCodes                 = "success-codes"
-	IngressSuffixAuthType                     = "auth-type"
-	IngressSuffixAuthIDPCognito               = "auth-idp-cognito"
-	IngressSuffixAuthIDPOIDC                  = "auth-idp-oidc"
-	IngressSuffixAuthOnUnauthenticatedRequest = "auth-on-unauthenticated-request"
-	IngressSuffixAuthScope                    = "auth-scope"
-	IngressSuffixAuthSessionCookie            = "auth-session-cookie"
-	IngressSuffixAuthSessionTimeout           = "auth-session-timeout"
-	IngressSuffixTargetNodeLabels             = "target-node-labels"
-	IngressSuffixManageSecurityGroupRules     = "manage-backend-security-group-rules"
-	IngressSuffixMutualAuthentication         = "mutual-authentication"
-	IngressSuffixSecurityGroupPrefixLists     = "security-group-prefix-lists"
+	IngressSuffixLoadBalancerName                = "load-balancer-name"
+	IngressSuffixGroupName                       = "group.name"
+	IngressSuffixGroupOrder                      = "group.order"
+	IngressSuffixTags                            = "tags"
+	IngressSuffixIPAddressType                   = "ip-address-type"
+	IngressSuffixScheme                          = "scheme"
+	IngressSuffixSubnets                         = "subnets"
+	IngressSuffixCustomerOwnedIPv4Pool           = "customer-owned-ipv4-pool"
+	IngressSuffixLoadBalancerAttributes          = "load-balancer-attributes"
+	IngressSuffixWAFv2ACLARN                     = "wafv2-acl-arn"
+	IngressSuffixWAFACLID                        = "waf-acl-id"
+	IngressSuffixWebACLID                        = "web-acl-id" // deprecated, use "waf-acl-id" instead.
+	IngressSuffixShieldAdvancedProtection        = "shield-advanced-protection"
+	IngressSuffixSecurityGroups                  = "security-groups"
+	IngressSuffixListenPorts                     = "listen-ports"
+	IngressSuffixSSLRedirect                     = "ssl-redirect"
+	IngressSuffixInboundCIDRs                    = "inbound-cidrs"
+	IngressSuffixCertificateARN                  = "certificate-arn"
+	IngressSuffixSSLPolicy                       = "ssl-policy"
+	IngressSuffixTargetType                      = "target-type"
+	IngressSuffixBackendProtocol                 = "backend-protocol"
+	IngressSuffixBackendProtocolVersion          = "backend-protocol-version"
+	IngressSuffixTargetGroupAttributes           = "target-group-attributes"
+	IngressSuffixHealthCheckPort                 = "healthcheck-port"
+	IngressSuffixHealthCheckProtocol             = "healthcheck-protocol"
+	IngressSuffixHealthCheckPath                 = "healthcheck-path"
+	IngressSuffixHealthCheckIntervalSeconds      = "healthcheck-interval-seconds"
+	IngressSuffixHealthCheckTimeoutSeconds       = "healthcheck-timeout-seconds"
+	IngressSuffixHealthyThresholdCount           = "healthy-threshold-count"
+	IngressSuffixUnhealthyThresholdCount         = "unhealthy-threshold-count"
+	IngressSuffixSuccessCodes                    = "success-codes"
+	IngressSuffixAuthType                        = "auth-type"
+	IngressSuffixAuthIDPCognito                  = "auth-idp-cognito"
+	IngressSuffixAuthIDPOIDC                     = "auth-idp-oidc"
+	IngressSuffixAuthOnUnauthenticatedRequest    = "auth-on-unauthenticated-request"
+	IngressSuffixAuthScope                       = "auth-scope"
+	IngressSuffixAuthSessionCookie               = "auth-session-cookie"
+	IngressSuffixAuthSessionTimeout              = "auth-session-timeout"
+	IngressSuffixTargetNodeLabels                = "target-node-labels"
+	IngressSuffixManageSecurityGroupRules        = "manage-backend-security-group-rules"
+	IngressSuffixMutualAuthentication            = "mutual-authentication"
+	IngressSuffixSecurityGroupPrefixLists        = "security-group-prefix-lists"
+	IngressSuffixlsAttsAnnotationPrefix          = "listener-attributes"
+	IngressLBSuffixMultiClusterTargetGroup       = "multi-cluster-target-group"
+	IngressSuffixLoadBalancerCapacityReservation = "minimum-load-balancer-capacity"
+	IngressSuffixInboundSecurityGroups           = "inbound-security-groups"
 
 	// NLB annotation suffixes
 	// prefixes service.beta.kubernetes.io, service.kubernetes.io
@@ -88,4 +99,9 @@ const (
 	SvcLBSuffixManageSGRules                             = "aws-load-balancer-manage-backend-security-group-rules"
 	SvcLBSuffixEnforceSGInboundRulesOnPrivateLinkTraffic = "aws-load-balancer-inbound-sg-rules-on-private-link-traffic"
 	SvcLBSuffixSecurityGroupPrefixLists                  = "aws-load-balancer-security-group-prefix-lists"
-)
+	SvcLBSuffixlsAttsAnnotationPrefix                    = "aws-load-balancer-listener-attributes"
+	SvcLBSuffixMultiClusterTargetGroup                   = "aws-load-balancer-multi-cluster-target-group"
+	ScvLBSuffixEnablePrefixForIpv6SourceNat              = "aws-load-balancer-enable-prefix-for-ipv6-source-nat"
+	ScvLBSuffixSourceNatIpv6Prefixes                     = "aws-load-balancer-source-nat-ipv6-prefixes"
+	SvcLBSuffixLoadBalancerCapacityReservation           = "aws-load-balancer-minimum-load-balancer-capacity"
+)

pkg/ingress/model_build_listener.go

@@ -107,17 +107,25 @@ type listenPortConfig struct {
 	sslPolicy            *string
 	tlsCerts             []string
 	mutualAuthentication *elbv2model.MutualAuthenticationAttributes
+	securityGroupIDs     []string
 }
 
 func (t *defaultModelBuildTask) computeIngressListenPortConfigByPort(ctx context.Context, ing *ClassifiedIngress) (map[int64]listenPortConfig, error) {
 	explicitTLSCertARNs := t.computeIngressExplicitTLSCertARNs(ctx, ing)
 	explicitSSLPolicy := t.computeIngressExplicitSSLPolicy(ctx, ing)
 	var prefixListIDs []string
 	t.annotationParser.ParseStringSliceAnnotation(annotations.IngressSuffixSecurityGroupPrefixLists, &prefixListIDs, ing.Ing.Annotations)
+
+	securityGroupIDs, err := t.computeIngressExplicitSecurityGroupIDs(ctx, ing)
+	if err != nil {
+		return nil, err
+	}
+
 	inboundCIDRv4s, inboundCIDRV6s, err := t.computeIngressExplicitInboundCIDRs(ctx, ing)
 	if err != nil {
 		return nil, err
 	}
+
 	mutualAuthenticationAttributes, err := t.computeIngressMutualAuthentication(ctx, ing)
 	if err != nil {
 		return nil, err
@@ -146,10 +154,11 @@ func (t *defaultModelBuildTask) computeIngressListenPortConfigByPort(ctx context
 	listenPortConfigByPort := make(map[int64]listenPortConfig, len(listenPorts))
 	for port, protocol := range listenPorts {
 		cfg := listenPortConfig{
-			protocol:       protocol,
-			inboundCIDRv4s: inboundCIDRv4s,
-			inboundCIDRv6s: inboundCIDRV6s,
-			prefixLists:    prefixListIDs,
+			protocol:         protocol,
+			inboundCIDRv4s:   inboundCIDRv4s,
+			inboundCIDRv6s:   inboundCIDRV6s,
+			prefixLists:      prefixListIDs,
+			securityGroupIDs: securityGroupIDs,
 		}
 		if protocol == elbv2model.ProtocolHTTPS {
 			if len(explicitTLSCertARNs) == 0 {
@@ -225,6 +234,20 @@ func (t *defaultModelBuildTask) computeIngressListenPorts(_ context.Context, ing
 	return portAndProtocols, nil
 }
 
+func (t *defaultModelBuildTask) computeIngressExplicitSecurityGroupIDs(ctx context.Context, ing *ClassifiedIngress) ([]string, error) {
+	var rawSecurityGroups []string
+	if exists := t.annotationParser.ParseStringSliceAnnotation(annotations.IngressSuffixInboundSecurityGroups, &rawSecurityGroups, ing.Ing.Annotations); !exists {
+		return nil, nil
+	}
+
+	securityGroupIDs, err := t.sgResolver.ResolveViaNameOrID(ctx, rawSecurityGroups)
+	if err != nil {
+		return nil, fmt.Errorf("invalid %v settings on Ingress: %v: %w", annotations.IngressSuffixInboundSecurityGroups, k8s.NamespacedName(ing.Ing), err)
+	}
+
+	return securityGroupIDs, nil
+}
+
 func (t *defaultModelBuildTask) computeIngressExplicitInboundCIDRs(_ context.Context, ing *ClassifiedIngress) ([]string, []string, error) {
 	var rawInboundCIDRs []string
 	fromIngressClassParams := false

pkg/ingress/model_build_managed_sg.go

@@ -109,6 +109,18 @@ func (t *defaultModelBuildTask) buildManagedSecurityGroupIngressPermissions(_ co
 				},
 			})
 		}
+		for _, sgID := range cfg.securityGroupIDs {
+			permissions = append(permissions, ec2model.IPPermission{
+				IPProtocol: "tcp",
+				FromPort:   awssdk.Int64(port),
+				ToPort:     awssdk.Int64(port),
+				UserIDGroupPairs: []ec2model.UserIDGroupPair{
+					{
+						GroupID: sgID,
+					},
+				},
+			})
+		}
 	}
 	return permissions
 }

pkg/ingress/model_builder.go

@@ -310,6 +310,9 @@ func (t *defaultModelBuildTask) mergeListenPortConfigs(_ context.Context, listen
 	var mergedMtlsAttributesProvider *types.NamespacedName
 	var mergedMtlsAttributes *elbv2model.MutualAuthenticationAttributes
 
+	var mergedSecurityGroupProvider *types.NamespacedName
+	mergedSecurityGroups := sets.NewString()
+
 	for _, cfg := range listenPortConfigs {
 		if mergedProtocolProvider == nil {
 			mergedProtocolProvider = &cfg.ingKey
@@ -343,6 +346,17 @@ func (t *defaultModelBuildTask) mergeListenPortConfigs(_ context.Context, listen
 			}
 		}
 
+		if len(cfg.listenPortConfig.securityGroupIDs) != 0 {
+			cfgSecurityGroups := sets.NewString(cfg.listenPortConfig.securityGroupIDs...)
+			if mergedSecurityGroupProvider == nil {
+				mergedSecurityGroupProvider = &cfg.ingKey
+				mergedSecurityGroups = cfgSecurityGroups
+			} else if !mergedSecurityGroups.Equal(cfgSecurityGroups) {
+				return listenPortConfig{}, errors.Errorf("conflicting security groups, %v: %v | %v: %v",
+					*mergedSecurityGroupProvider, mergedSecurityGroups.List(), cfg.ingKey, cfgSecurityGroups.List())
+			}
+		}
+
 		if cfg.listenPortConfig.sslPolicy != nil {
 			if mergedSSLPolicyProvider == nil {
 				mergedSSLPolicyProvider = &cfg.ingKey
@@ -389,6 +403,7 @@ func (t *defaultModelBuildTask) mergeListenPortConfigs(_ context.Context, listen
 		sslPolicy:            mergedSSLPolicy,
 		tlsCerts:             mergedTLSCerts,
 		mutualAuthentication: mergedMtlsAttributes,
+		securityGroupIDs:     mergedSecurityGroups.List(),
 	}, nil
 }