Container Load Balancer - Network Security Group (NSG)

[georgeedward2000]

What type of PR is this?

/kind feature

What this PR does / why we need it:

For a container load balancer (CLB) with floating IP disabled, the Network Security Group (NSG) must allow traffic to dynamic pod IPs. To manage this:

• Allow Rule for Pod Subnet: Configure the NSG to allow traffic from the entire pod subnet of the managed cluster, accommodating dynamic pod IPs.
• Backend Pool Configuration: Ensure the NSG rules permit traffic to the pod IPs in the backend pool.
  This setup ensures secure and efficient communication with the pod backend pool.
• Unit Tests

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Added the ability to set the type of backend pool to PodIP. 
This action allows the Load balancer attached to the service to route traffic directly to the containers, 
instead of routing to AKS nodes and then AKS node routing it to the PODs hosting the service.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

[linux-foundation-easycla]

• ❌ - login: @georgeedward2000 / name: George Edward Nechitoaia . The commit (2ff6f2d, 66de73a, 329464c, 182d11d, 3f0f834, 9e334c0, 8e0ad77, 056ae46, 873212a, f841903, 90d3039, 9141356) is not authorized under a signed CLA. Please click here to be authorized. For further assistance with EasyCLA, please submit a support request ticket.

[k8s-ci-robot]

Welcome @georgeedward2000!

It looks like this is your first PR to kubernetes-sigs/cloud-provider-azure 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/cloud-provider-azure has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @georgeedward2000. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[kartickmsft]

For POD IP based backendpool, we are not populating the POD IPs in the NSG. Rather, the POD subnet. So, we could skip GetBackendPrivateIPs for POD IP based Backend pool.

[georgeedward2000]

This is part of the initial flow - node ip based backendpool

It is part of the block that is on the else branch of :
if az.IsLBBackendPoolTypePodIP() {
} else {
// HERE
}

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: georgeedward2000, kartickmsft
Once this PR has been reviewed and has the lgtm label, please assign nilo19 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[david-kow]

Can podcidrs change during cluster operations (eg. adding new node pool)? If yes, then do we need to handle this differently to account for potential new cidrs?

[georgeedward2000]

From what I understand, the pod subnet (hence the cidr) is set during cluster's deployment and cannot be updated during its lifetime. Please confirm @kartickmsft

[david-kow]

I think that can happen when completely new node pool is added: https://learn.microsoft.com/en-us/azure/aks/create-node-pools#add-a-node-pool-with-a-unique-subnet

[kartickmsft]

POD subnet can be newly configured for a new nodepool for Azure CNI Dynamic IP allocation and Enhanced subnet option (https://learn.microsoft.com/en-us/azure/aks/configure-azure-cni-dynamic-ip-allocation#adding-node-pool).
So, yeah, we need to handle it differently. As per my understanding, cloud-provider doesn't get any notification about nodepool addition/deletion. If this understanding is correct, maybe reading PODCIDRs each time maybe the only option.

[feiskyer]

yes, it may change. We'd need to figure out a way to get notified on such changes

[feiskyer]

If this understanding is correct, maybe reading PODCIDRs each time maybe the only option.

This may be not enough as there may be down times when new IPs are picked while they are blocked by NSG.

[david-kow]

Can you add some details about the change in the PR description?

[georgeedward2000]

updated the PR description

[feiskyer]

@georgeedward2000 Thanks for the contribution. Could you sign CLA?

[feiskyer]

And could you use the template (the template would show when you open the PR) and fill the template contents (including release notes information together with what this PR does)?

/kind feature

[feiskyer]

As discussed, there is a security limitation of current design, please also add it as comments and TODOs.

[feiskyer]

Generally, this would block the security boundary of the Kubernetes cluster. The cluster identity should not have the permission to manage itself.

[feiskyer]

let's use new cloud config options and ask the provisioning service (e.g. AKS or capz) to setup the CIDRs on changing.

[feiskyer]

As commented, let's remove this option and ask provisioning service to set the PodCIDRs

[feiskyer]

For extensibility, let's use LIST here?

[feiskyer]

Could you also add a message to say all Pod CIDR would be opened to internet by default?

and add a TODO comment to improve the security later?

[feiskyer]

Let's also bake some tests.

/ok-to-test

[k8s-ci-robot]

Adding label do-not-merge/contains-merge-commits because PR contains merge commits, which are not allowed in this repository.
Use git rebase to reapply your commits on top of the target branch. Detailed instructions for doing so can be found here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[nilo19]

/label tide/merge-method-squash