
[SecurityGroup] Resource never resolves when all ingress and egress rules use groupRef

Open jantzenallphin opened this issue 1 year ago • 0 comments

Describe the bug
We are creating/grouping multiple SecurityGroup ACK objects into a single Helm chart. Among these are two SecurityGroups that contain rules that reference each other via userIDGroupPairs using the groupRef field. The problem we are facing is that a SecurityGroup that references another SecurityGroup in both its egressRules and ingressRules will not successfully sync, and no error message is produced. The ack-ec2-controller logs only show that it recognizes the resource is out of sync and attempts to update it over and over again.

This is what the status shows. The references have resolved successfully; however, the resource sync status remains False forever, with no indication as to why it is stuck.

status:
  conditions:
  - lastTransitionTime: "2024-10-15T15:17:00Z"
    status: "True"
    type: ACK.ReferencesResolved
  - lastTransitionTime: "2024-10-15T15:17:06Z"
    reason: ""
    status: "False"
    type: ACK.ResourceSynced

I can see the SecurityGroup is created in the AWS console, but the ingress and egress rule sets are empty. If I change just the egressRules to use groupID to reference the same SecurityGroup by ID, it will resolve.

Steps to reproduce
Create a SecurityGroup like this one:

apiVersion: ec2.services.k8s.aws/v1alpha1
kind: SecurityGroup
metadata:
  name: jallphin02-sbx-va6-k8s-control-plane
  namespace: sbx-clusters
spec:
  description: k8s-control-plane security group rules for jallphin02-sbx-va6
  # Every egress rule points at the peer SecurityGroup by its Kubernetes
  # object name (groupRef) rather than by its AWS ID (groupID).
  egressRules:
  - fromPort: 1025
    ipProtocol: tcp
    toPort: 65535
    userIDGroupPairs:
    - description: Allow traffic from control plane to workers
      groupRef:
        from:
          name: jallphin02-sbx-va6-k8s-all
      userID: <extracted>
  - fromPort: 443
    ipProtocol: tcp
    toPort: 443
    userIDGroupPairs:
    - description: Allow HTTPS traffic from control plane to workers
      groupRef:
        from:
          name: jallphin02-sbx-va6-k8s-all
      userID: <extracted>
  # The ingress rule uses groupRef to the same peer group; with groupRef on
  # both sides the resource never reaches ACK.ResourceSynced=True.
  ingressRules:
  - fromPort: 443
    ipProtocol: tcp
    toPort: 443
    userIDGroupPairs:
    - description: Allow HTTPS access to control tier from workers
      groupRef:
        from:
          name: jallphin02-sbx-va6-k8s-all
      userID: <extracted>
  name: jallphin02-sbx-va6-k8s-control-plane
  vpcID: <extracted>

Expected outcome
The SecurityGroup should sync to AWS as expected.

Environment

  • Kubernetes version: 1.29
  • Using EKS (yes/no), if so version? 1.29
  • AWS service targeted (S3, RDS, etc.): SecurityGroups

jantzenallphin, Oct 15 '24 20:10
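The following is an added example, not code from the issue, the reporter, or the ACK project. It checks a SecurityGroup object for the pattern described in the report (ACK.ReferencesResolved is True while ACK.ResourceSynced stays False), compares the number of rules in the spec against what EC2 actually holds for the group, and applies the reporter's workaround by rewriting only the egressRules from groupRef to groupID. The Kubernetes object shape follows the manifest and status above; the EC2 side assumes the describe-security-groups response shape (IpPermissions and IpPermissionsEgress). All sample data, including the sg- IDs and the name-to-ID map, is constructed for the example; the userID values, which the report redacts, are left out.

```python
"""Added example: detect the stuck ACK SecurityGroup pattern from the report
and apply the reporter's egress-only groupID workaround. Sample data below is
constructed; the sg- IDs are placeholders, not real groups."""
import copy
import json

REFS_RESOLVED = "ACK.ReferencesResolved"
SYNCED = "ACK.ResourceSynced"

# Constructed: the SecurityGroup from the report, as `kubectl get -o json`
# would show it, with the status the reporter pasted (timestamps dropped).
K8S_SG = {
    "apiVersion": "ec2.services.k8s.aws/v1alpha1",
    "kind": "SecurityGroup",
    "metadata": {"name": "jallphin02-sbx-va6-k8s-control-plane",
                 "namespace": "sbx-clusters"},
    "spec": {
        "name": "jallphin02-sbx-va6-k8s-control-plane",
        "egressRules": [
            {"fromPort": 1025, "toPort": 65535, "ipProtocol": "tcp",
             "userIDGroupPairs": [
                 {"groupRef": {"from": {"name": "jallphin02-sbx-va6-k8s-all"}}}]},
            {"fromPort": 443, "toPort": 443, "ipProtocol": "tcp",
             "userIDGroupPairs": [
                 {"groupRef": {"from": {"name": "jallphin02-sbx-va6-k8s-all"}}}]},
        ],
        "ingressRules": [
            {"fromPort": 443, "toPort": 443, "ipProtocol": "tcp",
             "userIDGroupPairs": [
                 {"groupRef": {"from": {"name": "jallphin02-sbx-va6-k8s-all"}}}]},
        ],
    },
    "status": {"conditions": [
        {"type": REFS_RESOLVED, "status": "True"},
        {"type": SYNCED, "status": "False", "reason": ""},
    ]},
}

# Constructed: describe-security-groups output for the same group, created
# in AWS but with empty rule sets, as the report describes.
AWS_SG = {"GroupId": "sg-0123456789abcdef0",
          "GroupName": "jallphin02-sbx-va6-k8s-control-plane",
          "IpPermissions": [], "IpPermissionsEgress": []}


def condition(obj, ctype):
    """Return the status string of the named ACK condition, or None."""
    for c in obj.get("status", {}).get("conditions", []):
        if c.get("type") == ctype:
            return c.get("status")
    return None


def is_stuck(obj):
    """References resolved, but the resource never reports synced."""
    return (condition(obj, REFS_RESOLVED) == "True"
            and condition(obj, SYNCED) == "False")


def rule_gap(obj, aws_sg):
    """Rule counts as (declared in spec, present in EC2) per direction."""
    spec = obj["spec"]
    return {
        "ingress": (len(spec.get("ingressRules", [])),
                    len(aws_sg.get("IpPermissions", []))),
        "egress": (len(spec.get("egressRules", [])),
                   len(aws_sg.get("IpPermissionsEgress", []))),
    }


def uses_group_ref(rules):
    """True if any userIDGroupPairs entry in these rules still uses groupRef."""
    return any("groupRef" in p for r in rules
               for p in r.get("userIDGroupPairs", []))


def rewrite_egress_refs(obj, name_to_id):
    """Reporter's workaround: keep groupRef on ingress, use groupID on egress.

    name_to_id maps the peer SecurityGroup's Kubernetes name to its AWS
    group ID; an unknown name raises KeyError rather than emitting a bad rule.
    """
    out = copy.deepcopy(obj)  # never mutate the object we were handed
    for rule in out["spec"].get("egressRules", []):
        for pair in rule.get("userIDGroupPairs", []):
            ref = pair.pop("groupRef", None)
            if ref is not None:
                pair["groupID"] = name_to_id[ref["from"]["name"]]
    return out


if __name__ == "__main__":
    print("stuck:", is_stuck(K8S_SG), rule_gap(K8S_SG, AWS_SG))
    fixed = rewrite_egress_refs(
        K8S_SG, {"jallphin02-sbx-va6-k8s-all": "sg-0fedcba9876543210"})
    print(json.dumps(fixed["spec"]["egressRules"], indent=2))
```

In practice the K8S_SG and AWS_SG inputs would come from `kubectl get securitygroups.ec2.services.k8s.aws -n <ns> <name> -o json` and `aws ec2 describe-security-groups --group-ids <id>`; the rewrite deliberately touches egress only, mirroring what the reporter found sufficient, so the ingress side keeps the cross-reference and the two-way dependency between the charts' objects is preserved.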