Provide more customization options for the service mutator webhook (#3653)

* Provide more customization options for the service mutator webhook

* undo unintended change

* undo version changes

* use MWH boolean switch, rename MWH config map

* typo

* update readme
diversario authored Apr 23, 2024
1 parent 102b616 commit 807d1a2
Showing 4 changed files with 57 additions and 6 deletions.
7 changes: 5 additions & 2 deletions helm/aws-load-balancer-controller/README.md
@@ -22,7 +22,7 @@ AWS Load Balancer controller manages the following AWS resources
As a security best practice, we recommend isolating the controller deployment pods to specific node groups which run critical components. The helm chart provides parameters ```nodeSelector```, ```tolerations``` and ```affinity``` to configure node isolation. For more information, please refer to the guidance [here](https://aws.github.io/aws-eks-best-practices/security/docs/multitenancy/#isolating-tenant-workloads-to-specific-nodes).

## Prerequisites
- Supported Kubernetes Versions
- Supported Kubernetes Versions
- Chart version v1.5.0+ requires Kubernetes 1.22+
- Chart version v1.4.0+ requires Kubernetes 1.19+
- Chart version v1.2.0 - v1.3.3 supports Kubernetes 1.16-1.21
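Review bot: the paired removed/added `Supported Kubernetes Versions` bullet under `## Prerequisites` is a whitespace-only change unrelated to the webhook options; the commit message already records an "undo unintended change" step, so this line should be reverted as well to keep the README diff limited to the new parameters.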
@@ -266,7 +266,10 @@ The default values set by the application itself can be confirmed [here](https:/
| `clusterSecretsPermissions.allowAllSecrets` | If `true`, controller has access to all secrets in the cluster. | `false` |
| `controllerConfig.featureGates` | set of `key: value` pairs that describe AWS load balance controller features | `{}` |
| `ingressClassConfig.default` | If `true`, the ingressclass will be the default class of the cluster. | `false` |
| `enableServiceMutatorWebhook` | If `false`, disable the Service Mutator webhook which makes all new services of type LoadBalancer reconciled by the lb controller | `true` |
| `enableServiceMutatorWebhook` | If `false`, disable the Service Mutator webhook which makes all new services of type LoadBalancer reconciled by the lb controller | `true` |
| `serviceMutatorWebhookConfig.failurePolicy` | Failure policy for the Service Mutator webhook | `Fail` |
| `serviceMutatorWebhookConfig.objectSelector` | Object selector(s) to limit which objects will be mutated by the Service Mutator webhook | `[]` |
| `serviceMutatorWebhookConfig.operations` | List of operations that will trigger the the Service Mutator webhook | `[ CREATE ]` |
| `autoscaling` | If `autoscaling.enabled=true`, enable the HPA on the controller mainly to survive load induced failure by the calls to the `aws-load-balancer-webhook-service`. Please keep in mind that the controller pods have `priorityClassName: system-cluster-critical`, enabling HPA may lead to the eviction of other low-priority pods in the node | `false` |
| `serviceTargetENISGTags` | set of `key=value` pairs of AWS tags in addition to cluster name for finding the target ENI security group to which to add inbound rules from NLBs | None |
| `loadBalancerClass` | Sets the AWS load balancer type to be used when the Kubernetes service requests an external load balancer | `service.k8s.aws/nlb` |
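Review bot: the `serviceMutatorWebhookConfig.operations` row has a doubled word ("trigger the the Service Mutator webhook"), and the `serviceMutatorWebhookConfig.objectSelector` default is documented as `[]` while values.yaml defines it as a map with `matchExpressions` and `matchLabels` keys; document the map form (or `{}`) so users do not supply a list the template cannot index. The `failurePolicy` row should also name the accepted values (`Fail`, `Ignore`) and the trade-off: with `Ignore`, a Service of type LoadBalancer admitted while the webhook is unavailable is not mutated, so it will not carry this controller's default class and may be picked up by a different provisioner than operators expect. The paired `enableServiceMutatorWebhook` rows look like another whitespace-only change that can be dropped.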
12 changes: 10 additions & 2 deletions helm/aws-load-balancer-controller/templates/webhook.yaml
@@ -65,7 +65,7 @@ webhooks:
name: {{ template "aws-load-balancer-controller.webhookService" . }}
namespace: {{ $.Release.Namespace }}
path: /mutate-v1-service
failurePolicy: Fail
failurePolicy: {{ .Values.serviceMutatorWebhookConfig.failurePolicy }}
name: mservice.elbv2.k8s.aws
admissionReviewVersions:
- v1beta1
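Review bot: `failurePolicy: {{ .Values.serviceMutatorWebhookConfig.failurePolicy }}` is rendered without validation, so a typo such as `fail` only surfaces as an API server rejection at install time; wrapping the value in `required` or checking it against `Fail`/`Ignore` in the template gives a clearer error. Since this field decides whether Services are admitted unmutated when the webhook endpoint is down, the values.yaml comment should state plainly that `Ignore` trades availability for losing the default-class mutation.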
@@ -75,13 +75,21 @@ webhooks:
operator: NotIn
values:
- {{ include "aws-load-balancer-controller.name" . }}
{{- if .Values.serviceMutatorWebhookConfig.objectSelector.matchExpressions }}
{{- toYaml .Values.serviceMutatorWebhookConfig.objectSelector.matchExpressions | nindent 4 }}
{{- end }}

{{- if .Values.serviceMutatorWebhookConfig.objectSelector.matchLabels }}
matchLabels:
{{- toYaml .Values.serviceMutatorWebhookConfig.objectSelector.matchLabels | nindent 6 }}
{{- end }}
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
{{- toYaml .Values.serviceMutatorWebhookConfig.operations | nindent 4 }}
resources:
- services
sideEffects: None
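Review bot: `{{- toYaml .Values.serviceMutatorWebhookConfig.operations | nindent 4 }}` renders an empty `operations:` when a user sets the list to `[]`, and the API server rejects a webhook rule with no operations; guard it with `required` or `default (list "CREATE")`. The user-supplied `matchExpressions` are appended after the built-in `NotIn` expression that excludes the controller's own service, which preserves that self-exclusion, but the `nindent 4` for list items and `nindent 6` for `matchLabels` values must line up with the existing `objectSelector` indentation, so a `helm template` render with both fields populated belongs in the chart's test values. The stray blank line between the `{{- end }}` and the following `{{- if }}` can also go.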
22 changes: 22 additions & 0 deletions helm/aws-load-balancer-controller/test.yaml
@@ -330,3 +330,25 @@ clusterSecretsPermissions:
# ingressClassConfig contains configurations specific to the ingress class
ingressClassConfig:
default: false

# enableServiceMutatorWebhook allows you enable the webhook which makes this controller the default for all new services of type LoadBalancer
# should deprecate this in favor of serviceMutatorWebhook.enabled
enableServiceMutatorWebhook: true

# serviceMutatorWebhook contains configurations specific to the service mutator webhook
serviceMutatorWebhookConfig:
# whether or not to fail the service creation if the webhook fails
failurePolicy: Fail
# limit webhook to only mutate services matching the objectSelector
objectSelector:
matchExpressions: []
# - key: <key>
# operator: <operator>
# values:
# - <value>
matchLabels: {}
# key: value
# which operations trigger the webhook
operations:
- CREATE
# - UPDATE
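Review bot: the comment `# should deprecate this in favor of serviceMutatorWebhook.enabled` refers to a key this change does not add (the new block is `serviceMutatorWebhookConfig` and has no `enabled` field), and `# serviceMutatorWebhook contains configurations specific to the service mutator webhook` likewise names the wrong key; either add that key or reword both comments to `serviceMutatorWebhookConfig`. Since test.yaml mirrors values.yaml, populating `matchLabels` and `matchExpressions` here with sample values would actually exercise the new templating paths in webhook.yaml instead of leaving them untested.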
22 changes: 20 additions & 2 deletions helm/aws-load-balancer-controller/values.yaml
@@ -209,7 +209,7 @@ webhookTLS:
cert:
key:

# array of namespace selectors for the webhook
# array of namespace selectors for the pod mutator webhook
webhookNamespaceSelectors:
# - key: elbv2.k8s.aws/pod-readiness-gate-inject
# operator: In
@@ -350,7 +350,7 @@ controllerConfig:
# NLBHealthCheckAdvancedConfig: true
# ALBSingleSubnet: false

certDiscovery:
certDiscovery:
allowedCertificateAuthorityARNs: "" # empty means all CAs are in scope

# objectSelector for webhook
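Review bot: the paired `certDiscovery:` lines are a whitespace-only change unrelated to this feature; revert it, as with the README prerequisites hunk, so the diff stays focused on the new webhook options.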
@@ -389,6 +389,24 @@ ingressClassConfig:
# enableServiceMutatorWebhook allows you enable the webhook which makes this controller the default for all new services of type LoadBalancer
enableServiceMutatorWebhook: true

# serviceMutatorWebhook contains configurations specific to the service mutator webhook
serviceMutatorWebhookConfig:
# whether or not to fail the service creation if the webhook fails
failurePolicy: Fail
# limit webhook to only mutate services matching the objectSelector
objectSelector:
matchExpressions: []
# - key: <key>
# operator: <operator>
# values:
# - <value>
matchLabels: {}
# key: value
# which operations trigger the webhook
operations:
- CREATE
# - UPDATE

# serviceTargetENISGTags specifies AWS tags, in addition to the cluster tags, for finding the target ENI SG to which to add inbound rules from NLBs.
serviceTargetENISGTags:
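Review bot: `# serviceMutatorWebhook contains configurations specific to the service mutator webhook` names the key as `serviceMutatorWebhook` while the key below it is `serviceMutatorWebhookConfig`. The `failurePolicy` comment should list the accepted values (`Fail`, `Ignore`) and say that `Ignore` lets Services through unmutated when the webhook is unavailable, and the `operations` comment should note that uncommenting `UPDATE` makes the webhook run on every Service update rather than only on creation, so the mutation must be safe to apply repeatedly.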
