Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for custom egress rules #1299

Merged
merged 2 commits into from
Apr 13, 2021
Merged

Add support for custom egress rules #1299

merged 2 commits into from
Apr 13, 2021

Conversation

CecileRobertMichon
Copy link
Contributor

@CecileRobertMichon CecileRobertMichon commented Apr 9, 2021
edited
Loading

What type of PR is this?

What this PR does / why we need it:

  • Renames ingressRule to securityRules (note there was a missing s in the field name which represented a list of ingress rules) to be more consistent with Azure naming, and to include rules in both directions
  • Adds a direction field to SecurityRule which can be either Inbound or Outbound. Defaults to Inbound to preserve existing behavior.

Feature request came out of this slack thread

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes partly #618

Special notes for your reviewer:

Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.

TODOs:

  • squashed commits
  • includes documentation
  • adds unit tests

Release note:

Rename ingressRule to securityRules
Add optional direction field to securityRules, defaults to "Inbound"

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Apr 9, 2021
@k8s-ci-robot k8s-ci-robot requested review from cpanato and devigned April 9, 2021 21:21
@k8s-ci-robot k8s-ci-robot added area/provider/azure Issues or PRs related to azure provider sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Apr 9, 2021
@CecileRobertMichon CecileRobertMichon force-pushed the egress-rules branch 3 times, most recently from eb98beb to 2a3e814 Compare April 9, 2021 23:47
cpanato
cpanato approved these changes Apr 10, 2021
View reviewed changes
Copy link
Member

@cpanato cpanato left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 10, 2021
whites11
whites11 approved these changes Apr 10, 2021
View reviewed changes
Copy link
Contributor

@whites11 whites11 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For what it's worth LGTM

shysank
shysank reviewed Apr 12, 2021
View reviewed changes
api/v1alpha3/azurecluster_conversion.go Show resolved Hide resolved
api/v1alpha3/azurecluster_conversion.go Outdated Show resolved Hide resolved
api/v1alpha4/azurecluster_validation.go Outdated Show resolved Hide resolved
api/v1alpha3/azurecluster_conversion.go Outdated Show resolved Hide resolved
api/v1alpha3/azurecluster_conversion.go Show resolved Hide resolved
docs/book/src/topics/custom-vnet.md Show resolved Hide resolved
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 12, 2021
@CecileRobertMichon
Copy link
Contributor Author

/hold for squash

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 12, 2021
shysank
shysank reviewed Apr 13, 2021
View reviewed changes
api/v1alpha3/azurecluster_conversion.go Outdated
Comment on lines 67 to 74
if restoredSecurityRule.Direction == infrav1alpha4.SecurityRuleDirectionInbound {
// For inbound rules, we add back the restored direction if the rule still exists.
for l, dstSecurityRule := range dstSubnet.SecurityGroup.SecurityRules {
if dstSecurityRule.Name == restoredSecurityRule.Name {
dst.Spec.NetworkSpec.Subnets[j].SecurityGroup.SecurityRules[l].Direction = restored.Spec.NetworkSpec.Subnets[i].SecurityGroup.SecurityRules[k].Direction
break
}
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't this logic redundant since inbound rules will get auto converted (now that you've set direction as well in line 263)? IIUC, I think we can simplify this to just handle outbound rules:

if restoredSecurityRule.Direction == infrav1alpha4.SecurityRuleDirectionOutbound {
  restoredOutboundRules = append(restoredOutboundRules, restoredSecurityRule)
}

wdyt?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are right! I had actually thought of that earlier and thought it would break the Fuzzy test because the directions set in the fuzzer are random strings. But, what I ended up doing is:

if restoredSecurityRule.Direction != infrav1alpha4.SecurityRuleDirectionInbound {
  restoredOutboundRules = append(restoredOutboundRules, restoredSecurityRule)
}

Which makes the Fuzzer happy, and, IMO, is more logically correct because the condition for "dropping" a rule in v1alpha4 --> v1alpha3 conversion is "if direction != Inbound" (we only include rules where direction == Ibound). So it makes sense to restore all rules that aren't inbound since they would all have been dropped theoretically speaking. And in the unlikely event that we need to add a new direction in v1alpha4 (for example, "both") we don't need to change the existing conversion.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 checking for != inbound instead of ==outbound, more future proof!

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Apr 13, 2021
edited
Loading

@CecileRobertMichon: The following test failed, say /retest to rerun all failed tests:

Test name Commit Details Rerun command
pull-cluster-api-provider-azure-apidiff 715d5fd link /test pull-cluster-api-provider-azure-apidiff

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@CecileRobertMichon
Copy link
Contributor Author

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 13, 2021
@shysank
Copy link
Contributor

shysank commented Apr 13, 2021

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 13, 2021
@CecileRobertMichon
Copy link
Contributor Author

/assign @devigned

devigned
devigned approved these changes Apr 13, 2021
View reviewed changes
Copy link
Contributor

@devigned devigned left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/appove

Looks great! Always love seeing docs updates with a PR 😎.

@CecileRobertMichon
Copy link
Contributor Author

/approve

:D

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: CecileRobertMichon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 13, 2021
@k8s-ci-robot k8s-ci-robot merged commit f8cbcda into kubernetes-sigs:master Apr 13, 2021
@k8s-ci-robot k8s-ci-robot added this to the v0.5.0 milestone Apr 13, 2021
@CecileRobertMichon CecileRobertMichon mentioned this pull request May 27, 2021
Closed
@CecileRobertMichon CecileRobertMichon deleted the egress-rules branch February 17, 2023 23:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@shysank shysank shysank left review comments

@cpanato cpanato cpanato approved these changes

@whites11 whites11 whites11 approved these changes

@devigned devigned devigned approved these changes

Assignees

@devigned devigned

@cpanato cpanato

@shysank shysank

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/provider/azure Issues or PRs related to azure provider cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
v0.5.0
Development

Successfully merging this pull request may close these issues.
6 participants
@CecileRobertMichon @k8s-ci-robot @shysank @devigned @whites11 @cpanato