@AnishShah AnishShah commented Mar 4, 2021

Azure wants all IPConfigurations to have the same
ApplicationSecurityGroups. So if the primary IPConfiguration is already
assigned an ApplicationSecurityGroup, adding a new IPConfiguration
without any ApplicationSecurityGroup fails. So we should populate the
ApplicationSecurityGroups field with the same ASGs as the other
IPConfiguration.

Fix a bug that was causing Azure IPAM to not work when ApplicationSecurityGroups were attached to IPConfigurations of a NIC.

@AnishShah AnishShah requested a review from a team as a code owner March 4, 2021 03:44
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Mar 4, 2021
@AnishShah AnishShah requested a review from ti-mo March 4, 2021 03:44
@aanm aanm added the release-note/misc This PR makes changes that have no direct user impact. label Mar 4, 2021
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Mar 4, 2021

@ti-mo ti-mo left a comment

Thanks! Code looks good, small documentation nit. Could you also share how you found out about this or how we can repro?

Azure wants all IPConfigurations to have the same
ApplicationSecurityGroups. So if the primary IPConfiguration is already
assigned an ApplicationSecurityGroup, adding a new IPConfiguration
without any ApplicationSecurityGroup fails. So we should populate the
ApplicationSecurityGroups field with the same ASGs as the other
IPConfiguration.

Signed-off-by: Anish Shah <anishshah@google.com>
@AnishShah

> Could you also share how you found out about this or how we can repro?

Unfortunately, I couldn't find any Azure documentation on this. Also, AKS by default doesn't assign any ASG/NSG to the IPConfiguration/NIC on creation and so it would be hard to reproduce this in an AKS cluster.

We have a self-managed Kubernetes cluster on Azure where we assign an ASG to the primary IPConfiguration of the NIC during VMSS Nodepool creation. So when we deployed Cilium, we saw errors in the cilium-operator-azure logs:

unable to update virtualmachinescaleset: All IPConfigurations on a Network Interface should reference the same set of Application Security Groups. IPConfiguration Cilium-1 references ASG(s) , wheras IPConfiguration /subscriptions/$SUB_ID/resourceGroups/$RG_ID/providers/Microsoft.Compute/virtualMachineScaleSets/aks-ng3-34239724-vmss/updateGroups/894ddb7a-15af-4726-816d-cd5592ce3df4/networkInterfaceConfigurations/aks-ng3-34239724-vmss/ipConfigurations/default references ASG(s) /subscriptions/$SUB_ID/resourceGroups/$RG_ID/providers/Microsoft.Network/applicationSecurityGroups/nodepool.
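
The constraint in the error above and the approach the PR description outlines can be sketched as follows. This is an added example, not code from the Cilium repository or from this PR; the `IPConfig` type, the function names and the ASG ID are hypothetical stand-ins, and it assumes the new IPConfiguration inherits the ASGs of the primary one.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// IPConfig is a hypothetical, minimal stand-in for a NIC IPConfiguration.
type IPConfig struct {
	Name    string
	Primary bool
	ASGs    []string // IDs of attached ApplicationSecurityGroups
}

// asgKey returns an order-independent key for a set of ASG IDs.
func asgKey(ids []string) string {
	s := append([]string(nil), ids...)
	sort.Strings(s)
	return strings.Join(s, ",")
}

// CheckSameASGs enforces the rule from the error: one ASG set per NIC.
func CheckSameASGs(cfgs []IPConfig) error {
	for i := 1; i < len(cfgs); i++ {
		if asgKey(cfgs[i].ASGs) != asgKey(cfgs[0].ASGs) {
			return fmt.Errorf("%s references ASG(s) %v, %s references %v", cfgs[i].Name, cfgs[i].ASGs, cfgs[0].Name, cfgs[0].ASGs)
		}
	}
	return nil
}

// AddIPConfig appends a secondary config that copies the primary's ASGs.
func AddIPConfig(cfgs []IPConfig, name string) []IPConfig {
	added := IPConfig{Name: name}
	for _, c := range cfgs {
		if c.Primary {
			added.ASGs = append(added.ASGs, c.ASGs...)
		}
	}
	return append(cfgs, added)
}

func main() {
	// Constructed sample: a primary config with one ASG (placeholder ID).
	nic := []IPConfig{{Name: "default", Primary: true, ASGs: []string{"asg-id-nodepool"}}}
	naive := append(append([]IPConfig{}, nic...), IPConfig{Name: "Cilium-1"})
	fmt.Println("without ASGs:", CheckSameASGs(naive))
	fmt.Println("with inherited ASGs:", CheckSameASGs(AddIPConfig(nic, "Cilium-1")))
}
```

Running the same check before submitting an update surfaces the mismatch locally, and inheriting the ASGs keeps the added address covered by the rules already applied to the node's primary address.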

@AnishShah

Also, I feel this needs a backport to 1.9 (and 1.8 too maybe?) as this is a bug.


@ti-mo ti-mo left a comment

Thanks, looks good!

@ti-mo ti-mo requested review from a team and twpayne and removed request for a team March 8, 2021 10:51
@ti-mo

ti-mo commented Mar 8, 2021

Added @twpayne as a reviewer since this might be of interest on the IPAM side.

@aanm What do you think regarding backporting?

@aanm aanm added release-note/bug This PR fixes an issue in a previous release of Cilium. and removed release-note/misc This PR makes changes that have no direct user impact. labels Mar 8, 2021
@AnishShah

kind ping @twpayne


@twpayne twpayne left a comment

LGTM, thanks @AnishShah

@twpayne twpayne added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Mar 11, 2021
@aanm aanm added dont-merge/wait-until-release Freeze window for current release is blocking non-bugfix PRs and removed dont-merge/wait-until-release Freeze window for current release is blocking non-bugfix PRs labels Mar 11, 2021
@kkourt kkourt merged commit 272c1fe into cilium:master Mar 12, 2021