Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

✨ Implement allowAllInClusterTraffic flag #998

Merged
merged 2 commits into from
Sep 22, 2021
Merged

✨ Implement allowAllInClusterTraffic flag #998

merged 2 commits into from
Sep 22, 2021

Conversation

mkjpryor
Copy link
Contributor

What this PR does / why we need it:

This PR implements an additional flag that allows the creation of managed security groups that permit all in-cluster traffic. Note that all traffic from outside the cluster (except API server and NodePort services) is still blocked.

This makes it much easier to deploy a CNI other than Calico while still using managed security groups.

In the future, we could look at maintaining rules for multiple CNIs which can be selected from, or allowing users to specify custom rules for the managed security groups. However I think this represents a good catch-all.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #995

Special notes for your reviewer:

  1. Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.

TODOs:

  • squashed commits
  • if necessary:
    • includes documentation
    • adds unit tests

/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 15, 2021
@k8s-ci-robot
Copy link
Contributor

Hi @mkjpryor. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Sep 15, 2021
@netlify
Copy link

netlify bot commented Sep 15, 2021
edited
Loading

✔️ Deploy Preview for kubernetes-sigs-cluster-api-openstack ready!

🔨 Explore the source changes: 614ad18

🔍 Inspect the deploy log: https://app.netlify.com/sites/kubernetes-sigs-cluster-api-openstack/deploys/614a0922e4ebdc0007e9088c

😎 Browse the preview: https://deploy-preview-998--kubernetes-sigs-cluster-api-openstack.netlify.app

@tobiasgiese
Copy link
Member

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Sep 15, 2021
@jichenjc
Copy link
Contributor

/lgtm

thanks for the PR ~
I think it's a reasonable change, might need follow up on doc/template etc

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 16, 2021
@mkjpryor mkjpryor mentioned this pull request Sep 16, 2021
Closed
@hidekazuna
Copy link
Contributor

/approve

I want to hear other reviewer's opinion so hold for a while.

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 17, 2021
@tobiasgiese
Copy link
Member

tobiasgiese commented Sep 17, 2021
edited
Loading

I like this feature 👍🏻
And like @jichenjc already mentioned, a brief follow up in the docs would be helpful.

Further, you could maybe implement an e2e test to verify the connectivity.

/lgtm
/approve

@mkjpryor
Copy link
Contributor Author

mkjpryor commented Sep 17, 2021
edited
Loading

@tobiasgiese

Do you want the tests/docs for this PR? The docs should be super-quick. I actually think the current E2E tests would pass if we set this flag to true in the test manifests, because as far as I can see there is no test that checks specifically for Calico connectivity either (other than that the cluster can start). I suppose the test to add would be set the flag and use a different CNI.

@tobiasgiese
Copy link
Member

@tobiasgiese

Do you want the tests/docs for this PR? The docs should be super-quick. I actually think the current E2E tests would pass if we set this flag to true in the test manifests, because as far as I can see there is no test that checks specifically for Calico connectivity either (other than that the cluster can start). I suppose the test to add would be set the flag and use a different CNI.

You can add the docs to this PR, sure.
Regarding the e2e tests: I think it's enough to just enable AllowAllInClusterTraffic in one of the e2e templates to verify that the CNI is working. I thought about some connectivity tests, but I think that's not necessary (or a bit overengineered).

@seanschneeweiss
Copy link
Contributor

Great addition to make the use of CAPO and initial setup easier.

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hidekazuna, mkjpryor, seanschneeweiss, tobiasgiese

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 21, 2021
@mkjpryor
Copy link
Contributor Author

Added some docs and set the flag in one of the E2E test manifests which still pass.

Let me know ASAP if there is anything else this needs to be merged.

@jichenjc
Copy link
Contributor

/lgtm
/hold cancel

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. and removed do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Sep 21, 2021
@k8s-ci-robot k8s-ci-robot merged commit 7a9b9d1 into kubernetes-sigs:master Sep 22, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hidekazuna hidekazuna Awaiting requested review from hidekazuna

@jichenjc jichenjc Awaiting requested review from jichenjc

Assignees

@jichenjc jichenjc

@tobiasgiese tobiasgiese

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Ability to specify security group rules for CNIs other than Calico
6 participants
@mkjpryor @k8s-ci-robot @tobiasgiese @jichenjc @hidekazuna @seanschneeweiss