inboud_security_groups

Add referencing existing security groups for inbound traffic Add referencing existing security groups for inbound traffic Add inboud security groups Add inboud security group Add annotation Add annotations Add annotationsss
kubernetes-sigs · Jan 9, 2025 · 4803ea9 · 4803ea9
1 parent 9e2cbe7
commit 4803ea9
Show file tree

Hide file tree

Showing 7 changed files with 301 additions and 84 deletions.
diff --git a/docs/guide/ingress/annotations.md b/docs/guide/ingress/annotations.md
@@ -530,6 +530,24 @@ Access control for LoadBalancer can be controlled with following annotations:
         ```
         alb.ingress.kubernetes.io/inbound-cidrs: 10.0.0.0/24
         ```
+- <a name="inbound-security-groups">`alb.ingress.kubernetes.io/inbound-security-groups`</a> specifies the SecurtityGroups that are allowed to access LoadBalancer.
+
+    !!!note "Merge Behavior"
+        `inbound-security-groups` is merged across all Ingresses in IngressGroup, but is exclusive per listen-port.
+
+        - the `inbound-security-groups` will only impact the ports defined for that Ingress.
+        - if same listen-port is defined by multiple Ingress within IngressGroup, `inbound-security-groups` should only be defined on one of the Ingress.
+
+    !!!warning ""
+        this annotation will be ignored if `alb.ingress.kubernetes.io/security-groups` is specified.
+
+    !!!tip ""
+        Both name or ID of securityGroups are supported. Name matches a `Name` tag, not the `groupName` attribute.
+
+    !!!example
+        ```
+        alb.ingress.kubernetes.io/inbound-security-groups: sg-xxxx, nameOfSg1, nameOfSg2
+        ```
 
 - <a name="security-group-prefix-lists">`alb.ingress.kubernetes.io/security-group-prefix-lists`</a> specifies the managed prefix lists that are allowed to access LoadBalancer.
 

diff --git a/june.py b/june.py
@@ -0,0 +1,25 @@
+import boto3
+
+class S3Manager:
+    def __init__(self, region_name='ap-northeast-2'):
+        self.session = boto3.Session(region_name=region_name)
+        self.s3 = self.session.resource('s3')
+
+    def upload_to_s3(self, bucket_name, file_path, s3_key):
+        try:
+            self.s3.Bucket(bucket_name).upload_file(file_path, s3_key)
+            print(f"파일 업로드 완료: {file_path} -> s3://{bucket_name}/{s3_key}")
+        except Exception as e:
+            print(f"파일 업로드 실패: {str(e)}")
+
+def main():
+    s3_manager = S3Manager()
+
+    bucket_name = 'robin'
+    file_path = '/path/to/file.txt'  
+    s3_key = 'uploaded-file.txt' 
+
+    s3_manager.upload_to_s3(bucket_name, file_path, s3_key)
+
+if __name__ == "__main__":
+    main()
diff --git a/pkg/annotations/constants.go b/pkg/annotations/constants.go
@@ -1,53 +1,64 @@
 package annotations
 
 const (
+	// AnnotationCheckPoint is the annotation used to store a checkpoint for resources.
+	// It contains an opaque value that represents the last known reconciled state.
+	AnnotationCheckPoint = "elbv2.k8s.aws/checkpoint"
+
+	// AnnotationCheckPointTimestamp is the annotation used to store the last checkpointed time. The value is stored in seconds.
+	AnnotationCheckPointTimestamp = AnnotationCheckPoint + "-timestamp"
+
 	// IngressClass
 	IngressClass = "kubernetes.io/ingress.class"
 
 	AnnotationPrefixIngress = "alb.ingress.kubernetes.io"
 	// Ingress annotation suffixes
-	IngressSuffixLoadBalancerName             = "load-balancer-name"
-	IngressSuffixGroupName                    = "group.name"
-	IngressSuffixGroupOrder                   = "group.order"
-	IngressSuffixTags                         = "tags"
-	IngressSuffixIPAddressType                = "ip-address-type"
-	IngressSuffixScheme                       = "scheme"
-	IngressSuffixSubnets                      = "subnets"
-	IngressSuffixCustomerOwnedIPv4Pool        = "customer-owned-ipv4-pool"
-	IngressSuffixLoadBalancerAttributes       = "load-balancer-attributes"
-	IngressSuffixWAFv2ACLARN                  = "wafv2-acl-arn"
-	IngressSuffixWAFACLID                     = "waf-acl-id"
-	IngressSuffixWebACLID                     = "web-acl-id" // deprecated, use "waf-acl-id" instead.
-	IngressSuffixShieldAdvancedProtection     = "shield-advanced-protection"
-	IngressSuffixSecurityGroups               = "security-groups"
-	IngressSuffixListenPorts                  = "listen-ports"
-	IngressSuffixSSLRedirect                  = "ssl-redirect"
-	IngressSuffixInboundCIDRs                 = "inbound-cidrs"
-	IngressSuffixCertificateARN               = "certificate-arn"
-	IngressSuffixSSLPolicy                    = "ssl-policy"
-	IngressSuffixTargetType                   = "target-type"
-	IngressSuffixBackendProtocol              = "backend-protocol"
-	IngressSuffixBackendProtocolVersion       = "backend-protocol-version"
-	IngressSuffixTargetGroupAttributes        = "target-group-attributes"
-	IngressSuffixHealthCheckPort              = "healthcheck-port"
-	IngressSuffixHealthCheckProtocol          = "healthcheck-protocol"
-	IngressSuffixHealthCheckPath              = "healthcheck-path"
-	IngressSuffixHealthCheckIntervalSeconds   = "healthcheck-interval-seconds"
-	IngressSuffixHealthCheckTimeoutSeconds    = "healthcheck-timeout-seconds"
-	IngressSuffixHealthyThresholdCount        = "healthy-threshold-count"
-	IngressSuffixUnhealthyThresholdCount      = "unhealthy-threshold-count"
-	IngressSuffixSuccessCodes                 = "success-codes"
-	IngressSuffixAuthType                     = "auth-type"
-	IngressSuffixAuthIDPCognito               = "auth-idp-cognito"
-	IngressSuffixAuthIDPOIDC                  = "auth-idp-oidc"
-	IngressSuffixAuthOnUnauthenticatedRequest = "auth-on-unauthenticated-request"
-	IngressSuffixAuthScope                    = "auth-scope"
-	IngressSuffixAuthSessionCookie            = "auth-session-cookie"
-	IngressSuffixAuthSessionTimeout           = "auth-session-timeout"
-	IngressSuffixTargetNodeLabels             = "target-node-labels"
-	IngressSuffixManageSecurityGroupRules     = "manage-backend-security-group-rules"
-	IngressSuffixMutualAuthentication         = "mutual-authentication"
-	IngressSuffixSecurityGroupPrefixLists     = "security-group-prefix-lists"
+	IngressSuffixLoadBalancerName                = "load-balancer-name"
+	IngressSuffixGroupName                       = "group.name"
+	IngressSuffixGroupOrder                      = "group.order"
+	IngressSuffixTags                            = "tags"
+	IngressSuffixIPAddressType                   = "ip-address-type"
+	IngressSuffixScheme                          = "scheme"
+	IngressSuffixSubnets                         = "subnets"
+	IngressSuffixCustomerOwnedIPv4Pool           = "customer-owned-ipv4-pool"
+	IngressSuffixLoadBalancerAttributes          = "load-balancer-attributes"
+	IngressSuffixWAFv2ACLARN                     = "wafv2-acl-arn"
+	IngressSuffixWAFACLID                        = "waf-acl-id"
+	IngressSuffixWebACLID                        = "web-acl-id" // deprecated, use "waf-acl-id" instead.
+	IngressSuffixShieldAdvancedProtection        = "shield-advanced-protection"
+	IngressSuffixSecurityGroups                  = "security-groups"
+	IngressSuffixListenPorts                     = "listen-ports"
+	IngressSuffixSSLRedirect                     = "ssl-redirect"
+	IngressSuffixInboundCIDRs                    = "inbound-cidrs"
+	IngressSuffixCertificateARN                  = "certificate-arn"
+	IngressSuffixSSLPolicy                       = "ssl-policy"
+	IngressSuffixTargetType                      = "target-type"
+	IngressSuffixBackendProtocol                 = "backend-protocol"
+	IngressSuffixBackendProtocolVersion          = "backend-protocol-version"
+	IngressSuffixTargetGroupAttributes           = "target-group-attributes"
+	IngressSuffixHealthCheckPort                 = "healthcheck-port"
+	IngressSuffixHealthCheckProtocol             = "healthcheck-protocol"
+	IngressSuffixHealthCheckPath                 = "healthcheck-path"
+	IngressSuffixHealthCheckIntervalSeconds      = "healthcheck-interval-seconds"
+	IngressSuffixHealthCheckTimeoutSeconds       = "healthcheck-timeout-seconds"
+	IngressSuffixHealthyThresholdCount           = "healthy-threshold-count"
+	IngressSuffixUnhealthyThresholdCount         = "unhealthy-threshold-count"
+	IngressSuffixSuccessCodes                    = "success-codes"
+	IngressSuffixAuthType                        = "auth-type"
+	IngressSuffixAuthIDPCognito                  = "auth-idp-cognito"
+	IngressSuffixAuthIDPOIDC                     = "auth-idp-oidc"
+	IngressSuffixAuthOnUnauthenticatedRequest    = "auth-on-unauthenticated-request"
+	IngressSuffixAuthScope                       = "auth-scope"
+	IngressSuffixAuthSessionCookie               = "auth-session-cookie"
+	IngressSuffixAuthSessionTimeout              = "auth-session-timeout"
+	IngressSuffixTargetNodeLabels                = "target-node-labels"
+	IngressSuffixManageSecurityGroupRules        = "manage-backend-security-group-rules"
+	IngressSuffixMutualAuthentication            = "mutual-authentication"
+	IngressSuffixSecurityGroupPrefixLists        = "security-group-prefix-lists"
+	IngressSuffixlsAttsAnnotationPrefix          = "listener-attributes"
+	IngressLBSuffixMultiClusterTargetGroup       = "multi-cluster-target-group"
+	IngressSuffixLoadBalancerCapacityReservation = "minimum-load-balancer-capacity"
+	IngressSuffixInboundSecurityGroups           = "inbound-security-groups"
 
 	// NLB annotation suffixes
 	// prefixes service.beta.kubernetes.io, service.kubernetes.io
@@ -88,4 +99,9 @@ const (
 	SvcLBSuffixManageSGRules                             = "aws-load-balancer-manage-backend-security-group-rules"
 	SvcLBSuffixEnforceSGInboundRulesOnPrivateLinkTraffic = "aws-load-balancer-inbound-sg-rules-on-private-link-traffic"
 	SvcLBSuffixSecurityGroupPrefixLists                  = "aws-load-balancer-security-group-prefix-lists"
-)
+	SvcLBSuffixlsAttsAnnotationPrefix                    = "aws-load-balancer-listener-attributes"
+	SvcLBSuffixMultiClusterTargetGroup                   = "aws-load-balancer-multi-cluster-target-group"
+	ScvLBSuffixEnablePrefixForIpv6SourceNat              = "aws-load-balancer-enable-prefix-for-ipv6-source-nat"
+	ScvLBSuffixSourceNatIpv6Prefixes                     = "aws-load-balancer-source-nat-ipv6-prefixes"
+	SvcLBSuffixLoadBalancerCapacityReservation           = "aws-load-balancer-minimum-load-balancer-capacity"
+)
diff --git a/pkg/ingress/model_build_listener.go b/pkg/ingress/model_build_listener.go
@@ -107,17 +107,25 @@ type listenPortConfig struct {
 	sslPolicy            *string
 	tlsCerts             []string
 	mutualAuthentication *elbv2model.MutualAuthenticationAttributes
+	securityGroupIDs     []string
 }
 
 func (t *defaultModelBuildTask) computeIngressListenPortConfigByPort(ctx context.Context, ing *ClassifiedIngress) (map[int64]listenPortConfig, error) {
 	explicitTLSCertARNs := t.computeIngressExplicitTLSCertARNs(ctx, ing)
 	explicitSSLPolicy := t.computeIngressExplicitSSLPolicy(ctx, ing)
 	var prefixListIDs []string
 	t.annotationParser.ParseStringSliceAnnotation(annotations.IngressSuffixSecurityGroupPrefixLists, &prefixListIDs, ing.Ing.Annotations)
+
+	securityGroupIDs, err := t.computeIngressExplicitSecurityGroupIDs(ctx, ing)
+	if err != nil {
+		return nil, err
+	}
+
 	inboundCIDRv4s, inboundCIDRV6s, err := t.computeIngressExplicitInboundCIDRs(ctx, ing)
 	if err != nil {
 		return nil, err
 	}
+
 	mutualAuthenticationAttributes, err := t.computeIngressMutualAuthentication(ctx, ing)
 	if err != nil {
 		return nil, err
@@ -146,10 +154,11 @@ func (t *defaultModelBuildTask) computeIngressListenPortConfigByPort(ctx context
 	listenPortConfigByPort := make(map[int64]listenPortConfig, len(listenPorts))
 	for port, protocol := range listenPorts {
 		cfg := listenPortConfig{
-			protocol:       protocol,
-			inboundCIDRv4s: inboundCIDRv4s,
-			inboundCIDRv6s: inboundCIDRV6s,
-			prefixLists:    prefixListIDs,
+			protocol:         protocol,
+			inboundCIDRv4s:   inboundCIDRv4s,
+			inboundCIDRv6s:   inboundCIDRV6s,
+			prefixLists:      prefixListIDs,
+			securityGroupIDs: securityGroupIDs,
 		}
 		if protocol == elbv2model.ProtocolHTTPS {
 			if len(explicitTLSCertARNs) == 0 {
@@ -225,6 +234,20 @@ func (t *defaultModelBuildTask) computeIngressListenPorts(_ context.Context, ing
 	return portAndProtocols, nil
 }
 
+func (t *defaultModelBuildTask) computeIngressExplicitSecurityGroupIDs(ctx context.Context, ing *ClassifiedIngress) ([]string, error) {
+	var rawSecurityGroups []string
+	if exists := t.annotationParser.ParseStringSliceAnnotation(annotations.IngressSuffixInboundSecurityGroups, &rawSecurityGroups, ing.Ing.Annotations); !exists {
+		return nil, nil
+	}
+
+	securityGroupIDs, err := t.sgResolver.ResolveViaNameOrID(ctx, rawSecurityGroups)
+	if err != nil {
+		return nil, fmt.Errorf("invalid %v settings on Ingress: %v: %w", annotations.IngressSuffixInboundSecurityGroups, k8s.NamespacedName(ing.Ing), err)
+	}
+
+	return securityGroupIDs, nil
+}
+
 func (t *defaultModelBuildTask) computeIngressExplicitInboundCIDRs(_ context.Context, ing *ClassifiedIngress) ([]string, []string, error) {
 	var rawInboundCIDRs []string
 	fromIngressClassParams := false

diff --git a/pkg/ingress/model_build_managed_sg.go b/pkg/ingress/model_build_managed_sg.go
@@ -109,6 +109,18 @@ func (t *defaultModelBuildTask) buildManagedSecurityGroupIngressPermissions(_ co
 				},
 			})
 		}
+		for _, sgID := range cfg.securityGroupIDs {
+			permissions = append(permissions, ec2model.IPPermission{
+				IPProtocol: "tcp",
+				FromPort:   awssdk.Int64(port),
+				ToPort:     awssdk.Int64(port),
+				UserIDGroupPairs: []ec2model.UserIDGroupPair{
+					{
+						GroupID: sgID,
+					},
+				},
+			})
+		}
 	}
 	return permissions
 }
diff --git a/pkg/ingress/model_builder.go b/pkg/ingress/model_builder.go
@@ -310,6 +310,9 @@ func (t *defaultModelBuildTask) mergeListenPortConfigs(_ context.Context, listen
 	var mergedMtlsAttributesProvider *types.NamespacedName
 	var mergedMtlsAttributes *elbv2model.MutualAuthenticationAttributes
 
+	var mergedSecurityGroupProvider *types.NamespacedName
+	mergedSecurityGroups := sets.NewString()
+
 	for _, cfg := range listenPortConfigs {
 		if mergedProtocolProvider == nil {
 			mergedProtocolProvider = &cfg.ingKey
@@ -343,6 +346,17 @@ func (t *defaultModelBuildTask) mergeListenPortConfigs(_ context.Context, listen
 			}
 		}
 
+		if len(cfg.listenPortConfig.securityGroupIDs) != 0 {
+			cfgSecurityGroups := sets.NewString(cfg.listenPortConfig.securityGroupIDs...)
+			if mergedSecurityGroupProvider == nil {
+				mergedSecurityGroupProvider = &cfg.ingKey
+				mergedSecurityGroups = cfgSecurityGroups
+			} else if !mergedSecurityGroups.Equal(cfgSecurityGroups) {
+				return listenPortConfig{}, errors.Errorf("conflicting security groups, %v: %v | %v: %v",
+					*mergedSecurityGroupProvider, mergedSecurityGroups.List(), cfg.ingKey, cfgSecurityGroups.List())
+			}
+		}
+
 		if cfg.listenPortConfig.sslPolicy != nil {
 			if mergedSSLPolicyProvider == nil {
 				mergedSSLPolicyProvider = &cfg.ingKey
@@ -389,6 +403,7 @@ func (t *defaultModelBuildTask) mergeListenPortConfigs(_ context.Context, listen
 		sslPolicy:            mergedSSLPolicy,
 		tlsCerts:             mergedTLSCerts,
 		mutualAuthentication: mergedMtlsAttributes,
+		securityGroupIDs:     mergedSecurityGroups.List(),
 	}, nil
 }