Add port range restriction

[oliviassss]

Issue

#1993

Description

Dynamically adjust the port range based on the minimum and maximum values for target and health check ports seen by the controller. This will make the feature work without getting input from the end user. And this PR is based on the previous PR #2205.

TGB model changes

The target group model builder generates networking rules with specific ports instead of the current nil ports. If the health check ports are different from traffic ports, additional rules get added to the TGB spec. For IP targets, the targetPort is used, for instance targets, nodeport gets used. For example, if there are two TGBs targetting node ports 31223 and 32331, backend SG sg-backend the consolidated networking rules are as follows

from sg-backend, TCP, port 31223
from sg-backend, TCP, port 32331

Networking manager

Networking manager will take the consolidated rules as input and calculate the optimized list of rules using the port ranges. The rules are grouped by the protocol and the source. Then for each matching source and protocol, calculate the min and max ports and use a port range based rule. In the above example, the optimized rule is as follows

from sg-backend, TCP, port range 31223 - 32331

In case a TGB rule doesn’t have the port specified, use 0 as the min and 65535 as the max for the affected (source, protocol).

Command line flags

Provide a command line flag --disable-restricted-sg-rules if set to true, revert to the existing behavior of using unrestricted SG rules. The default value for this flag is false.

Checklist

• Added tests that cover your change (if possible)
• Added/modified documentation as required (such as the README.md, or the docs directory)
• Manually tested
• Made sure the title of the PR is a good description that can go into the release notes

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

• Backfilled missing tests for code in same general area 🎉
• Refactored something and made the world a better place 🌟

[k8s-ci-robot]

Hi @oliviassss. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: oliviassss
To complete the pull request process, please assign kishorj after the PR has been reviewed.
You can assign the PR to them by writing /assign @kishorj in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[kishorj]

/ok-to-test

[k8s-ci-robot]

@oliviassss: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Rerun command
pull-aws-load-balancer-controller-e2e-test	767d4c3	link	/test pull-aws-load-balancer-controller-e2e-test

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[k8s-ci-robot]

@oliviassss: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.