Pull request kubernetes-sigs#7: IENGOC-39: Remediate http/2 vulnerability

Merge in DEL/aws-load-balancer-controller-fork from IENGOC-39 to main

* commit '3e26f86e82a5d419a7f8adfc5c95dd45984be6f4':
  IENGOC-39: Remediate more bd vulnerabilities
  IENGOC-39: Remediate bd vulnerabilities
  cut v2.6.2 release (kubernetes-sigs#3453)
  update ci e2e script for cert IDs (kubernetes-sigs#3392)
  fix test failure
  doc updates (kubernetes-sigs#3426)
  Change of text "your-cluster-name" (kubernetes-sigs#3152)
  slice init style suggestion
  whitespace
  group errors, emit one event per reconcile, requeue on failure
  don't block TGB reconciliation loop on failed SG ingress reconciliation
  fix: remove service from function args
  feat: resolve health check port name for NLB
  Expose ingress configuration options for missing backends (kubernetes-sigs#3342)
  Stricter dependency/security review
  remove unnecessary patch requests (kubernetes-sigs#3380)
  increase timeout to 2h in ci scripts
  wait for the TG to be healthy before cleanup any resource
Dennis Rausch committed Nov 15, 2023
2 parents 4699ac4 + 3e26f86 commit a622844
Showing 32 changed files with 477 additions and 264 deletions.
26 changes: 26 additions & 0 deletions .github/workflows/deps.yml
@@ -0,0 +1,26 @@
name: "Dependency Review"
on: [push, pull_request, workflow_dispatch]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: "Checkout Repository"
uses: actions/checkout@v4
with:
show-progress: false
- name: "Dependency Review"
uses: actions/dependency-review-action@v3
govulncheck:
runs-on: ubuntu-latest
steps:
- name: "Checkout Repository"
uses: actions/checkout@v4
with:
show-progress: false
- id: govulncheck
uses: golang/govulncheck-action@v1
with:
go-version-input: 1.21.3
go-version-file: go.mod
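Review bot: `actions/dependency-review-action` in the `dependency-review` job only runs on `pull_request` events unless `base-ref`/`head-ref` are supplied, so with `on: [push, pull_request, workflow_dispatch]` the push and manual runs of that job will fail; either gate the job with `if: github.event_name == 'pull_request'` or set the refs explicitly. In the `govulncheck` job, `go-version-input: 1.21.3` and `go-version-file: go.mod` are both set; the explicit input takes precedence in setup-go and duplicates the version already pinned as `BUILD_IMAGE` in the Makefile, so drop the input and let go.mod drive it. Since the point of this workflow is supply-chain hygiene, the three actions are better pinned to full commit SHAs than to the moving `@v4`/`@v3`/`@v1` tags.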
3 changes: 2 additions & 1 deletion .ko.yaml
@@ -1,4 +1,4 @@
defaultBaseImage: repocache.nonprod.ppops.net/docker-ecr-public-remote/eks-distro-build-tooling/eks-distro-minimal-base-nonroot:2023-06-06-1686078098.2
defaultBaseImage: repocache.nonprod.ppops.net/docker-ecr-public-remote/eks-distro-build-tooling/eks-distro-minimal-base-nonroot:2023-09-06-1694026927.2
builds:
- env:
- CGO_ENABLED=0
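Review bot: `defaultBaseImage` moves to a newer date-stamped tag but is still not pinned by digest; ko accepts `image@sha256:...` references, so pinning the digest of the 2023-09-06 tag makes the rebuild reproducible and stops the repocache.nonprod.ppops.net mirror from silently serving a different layer set under the same tag. The identical tag is set as `BASE_IMAGE` in the Makefile against public.ecr.aws, so the two must be bumped together; a single source for that value would avoid drift.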
Expand All @@ -11,3 +11,4 @@ builds:
- -X sigs.k8s.io/aws-load-balancer-controller/pkg/version.GitVersion={{.Env.GIT_VERSION}}
- -X sigs.k8s.io/aws-load-balancer-controller/pkg/version.GitCommit={{.Env.GIT_COMMIT}}
- -X sigs.k8s.io/aws-load-balancer-controller/pkg/version.BuildDate={{.Env.BUILD_DATE}}

6 changes: 3 additions & 3 deletions Makefile
Expand Up @@ -2,13 +2,13 @@
MAKEFILE_PATH = $(dir $(realpath -s $(firstword $(MAKEFILE_LIST))))

# Image URL to use all building/pushing image targets
VERSION ?= v2.6.0
VERSION ?= v2.6.2
DOCKER_REPO ?= repocache.nonprod.ppops.net/temp-docker-local
IMG ?= ${DOCKER_REPO}/aws-load-balancer-controller:${VERSION}
# Image URL to use for builder stage in Docker build
BUILD_IMAGE ?= public.ecr.aws/docker/library/golang:1.20.5
BUILD_IMAGE ?= public.ecr.aws/docker/library/golang:1.21.3
# Image URL to use for base layer in Docker build
BASE_IMAGE ?= public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-nonroot:2023-06-06-1686078098.2
BASE_IMAGE ?= public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-nonroot:2023-09-06-1694026927.2
IMG_PLATFORM ?= linux/amd64,linux/arm64
# ECR doesn't appear to support SPDX SBOM
IMG_SBOM ?= none
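Review bot: the `BUILD_IMAGE` bump to golang:1.21.3 is the part of this commit that addresses the HTTP/2 issue named in the title (that Go patch release carries the net/http HTTP/2 fix), but a toolchain bump alone does not update `golang.org/x/net/http2` if the controller pulls it in as a module; confirm that go.mod/go.sum elsewhere in this PR bump that module too. The same `1.21.3` string is hard-coded in `.github/workflows/deps.yml`, so two places now need editing on the next toolchain bump. `BASE_IMAGE` has the same digest-pinning gap as `.ko.yaml`.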
2 changes: 1 addition & 1 deletion config/controller/kustomization.yaml
Expand Up @@ -9,4 +9,4 @@ kind: Kustomization
images:
- name: controller
newName: public.ecr.aws/eks/aws-load-balancer-controller
newTag: v2.6.0
newTag: v2.6.2
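Review bot: `newTag: v2.6.2` updates the tag only; kustomize `images` entries also accept a `digest:` field, which would make the deployed controller immutable at the exact build that was tested. Minor, but consistent with the digest-pinning point on the base images in this PR.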
2 changes: 1 addition & 1 deletion controllers/ingress/group_controller.go
Expand Up @@ -51,7 +51,7 @@ func NewGroupReconciler(cloud aws.Cloud, k8sClient client.Client, eventRecorder

annotationParser := annotations.NewSuffixAnnotationParser(annotations.AnnotationPrefixIngress)
authConfigBuilder := ingress.NewDefaultAuthConfigBuilder(annotationParser)
enhancedBackendBuilder := ingress.NewDefaultEnhancedBackendBuilder(k8sClient, annotationParser, authConfigBuilder)
enhancedBackendBuilder := ingress.NewDefaultEnhancedBackendBuilder(k8sClient, annotationParser, authConfigBuilder, controllerConfig.IngressConfig.TolerateNonExistentBackendService, controllerConfig.IngressConfig.TolerateNonExistentBackendAction)
referenceIndexer := ingress.NewDefaultReferenceIndexer(enhancedBackendBuilder, authConfigBuilder, logger)
trackingProvider := tracking.NewDefaultProvider(ingressTagPrefix, controllerConfig.ClusterName)
elbv2TaggingManager := elbv2deploy.NewDefaultTaggingManager(cloud.ELBV2(), cloud.VpcID(), controllerConfig.FeatureGates, cloud.RGT(), logger)
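Review bot: `NewDefaultEnhancedBackendBuilder` now takes two trailing booleans (`TolerateNonExistentBackendService`, `TolerateNonExistentBackendAction`); adjacent parameters of the same type are easy to transpose at a call site and the compiler will not catch it, so passing `controllerConfig.IngressConfig` (or a small options struct) is the safer signature. Per the docs change in this commit both default to `true`, so missing backends are tolerated unless an operator opts out; worth a line in the release notes.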
10 changes: 6 additions & 4 deletions docs/deploy/configurations.md
Expand Up @@ -69,16 +69,16 @@ Currently, you can set only 1 namespace to watch in this flag. See [this Kuberne
|aws-api-endpoints | AWS API Endpoints Config | | AWS API endpoints mapping, format: serviceID1=URL1,serviceID2=URL2 |
|aws-api-throttle | AWS Throttle Config | [default value](#default-throttle-config ) | throttle settings for AWS APIs, format: serviceID1:operationRegex1=rate:burst,serviceID2:operationRegex2=rate:burst |
|aws-max-retries | int | 10 | Maximum retries for AWS APIs |
|aws-region | string | [instance metadata](#instance-metadata) | AWS Region for the kubernetes cluster |
|aws-vpc-id | string | [instance metadata](#instance-metadata) | AWS VPC ID for the Kubernetes cluster |
|aws-region | string | [instance metadata](#instance-metadata) | AWS Region for the kubernetes cluster |
|aws-vpc-id | string | [instance metadata](#instance-metadata) | AWS VPC ID for the Kubernetes cluster |
|backend-security-group | string | | Backend security group id to use for the ingress rules on the worker node SG|
|cluster-name | string | | Kubernetes cluster name|
|default-ssl-policy | string | ELBSecurityPolicy-2016-08 | Default SSL Policy that will be applied to all Ingresses or Services that do not have the SSL Policy annotation |
|default-tags | stringMap | | AWS Tags that will be applied to all AWS resources managed by this controller. Specified Tags takes highest priority |
|default-target-type | string | instance | Default target type for Ingresses and Services - ip, instance |
|[disable-ingress-class-annotation](#disable-ingress-class-annotation) | boolean | false | Disable new usage of the `kubernetes.io/ingress.class` annotation |
|[disable-ingress-group-name-annotation](#disable-ingress-group-name-annotation) | boolean | false | Disallow new use of the `alb.ingress.kubernetes.io/group.name` annotation |
|disable-restricted-sg-rules | boolean | false | Disable the usage of restricted security group rules |
|disable-restricted-sg-rules | boolean | false | Disable the usage of restricted security group rules |
|enable-backend-security-group | boolean | true | Enable sharing of security groups for backend traffic |
|enable-endpoint-slices | boolean | false | Use EndpointSlices instead of Endpoints for pod endpoint and TargetGroupBinding resolution for load balancers with IP targets. |
|enable-leader-election | boolean | true | Enable leader election for the load balancer controller manager. Enabling this will ensure there is only one active controller manager |
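Review bot: the rows for `aws-region`, `aws-vpc-id` and `disable-restricted-sg-rules` change only trailing whitespace; dropping them from the diff keeps this documentation hunk focused on the new flags.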
Expand All @@ -98,9 +98,11 @@ Currently, you can set only 1 namespace to watch in this flag. See [this Kuberne
|log-level | string | info | Set the controller log level - info, debug |
|metrics-bind-addr | string | :8080 | The address the metric endpoint binds to |
|service-max-concurrent-reconciles | int | 3 | Maximum number of concurrently running reconcile loops for service |
|[sync-period](#sync-period) | duration | 10h0m0s | Period at which the controller forces the repopulation of its local object stores|
|[sync-period](#sync-period) | duration | 10h0m0s | Period at which the controller forces the repopulation of its local object stores|
|targetgroupbinding-max-concurrent-reconciles | int | 3 | Maximum number of concurrently running reconcile loops for targetGroupBinding |
|targetgroupbinding-max-exponential-backoff-delay | duration | 16m40s | Maximum duration of exponential backoff for targetGroupBinding reconcile failures |
|tolerate-non-existent-backend-service | boolean | true | Whether to allow rules which refer to backend services that do not exist |
|tolerate-non-existent-backend-action | boolean | true | Whether to allow rules which refer to backend actions that do not exist |
|watch-namespace | string | | Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched. |
|webhook-bind-port | int | 9443 | The TCP port the Webhook server binds to |
|webhook-cert-dir | string | /tmp/k8s-webhook-server/serving-certs | The directory that contains the server key and certificate |
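Review bot: the two new rows are out of the table's alphabetical order (`tolerate-non-existent-backend-action` sorts before `tolerate-non-existent-backend-service`), and the `sync-period` row is another whitespace-only change. The descriptions say only "whether to allow" such rules; a reader choosing `false` needs to know what the controller does instead (reject the Ingress, or skip the rule), so state the effect of each setting.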
25 changes: 15 additions & 10 deletions docs/deploy/installation.md
Expand Up @@ -26,6 +26,9 @@ The LBC is supported by AWS. Some clusters may be using the legacy "in-tree" fun
* Ensure subnets are tagged appropriately for auto-discovery to work
* For IP targets, pods must have IPs from the VPC subnets. You can configure the [`amazon-vpc-cni-k8s`](https://github.com/aws/amazon-vpc-cni-k8s#readme) plugin for this purpose.

### Additional requirements for isolated cluster:
Isolated clusters are clusters without internet access, and instead reply on VPC endpoints for all required connects.
When installing the AWS LBC in isolated clusters, you need to disable shield, waf and wafv2 via controller flags `--enable-shield=false, --enable-waf=false, --enable-wafv2=false`
### Using the Amazon EC2 instance metadata server version 2 (IMDSv2)
We recommend blocking the access to instance metadata by requiring the instance to use [IMDSv2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html) only. For more information, please refer to the AWS guidance [here](https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node). If you are using the IMDSv2, set the hop limit to 2 or higher in order to allow the LBC to perform the metadata introspection.
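Review bot: in the new isolated-cluster paragraph, "reply on VPC endpoints for all required connects" should read "rely on VPC endpoints for all required connections", and the three flags are better listed as separate code spans (`--enable-shield=false`, `--enable-waf=false`, `--enable-wafv2=false`) than as one comma-separated span, which reads as a single argument. A blank line before the `### Using the Amazon EC2 instance metadata server version 2 (IMDSv2)` heading would match the spacing used elsewhere in this file.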

Expand Down Expand Up @@ -87,15 +90,15 @@ Example condition for cluster name resource tag:
2. Download an IAM policy for the LBC using one of the following commands:<p>
If your cluster is in a US Gov Cloud region:
```
curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.6.0/docs/install/iam_policy_us-gov.json
curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.6.2/docs/install/iam_policy_us-gov.json
```
If your cluster is in a China region:
```
curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.6.0/docs/install/iam_policy_cn.json
curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.6.2/docs/install/iam_policy_cn.json
```
If your cluster is in any other region:
```
curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.6.0/docs/install/iam_policy.json
curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.6.2/docs/install/iam_policy.json
```
3. Create an IAM policy named `AWSLoadBalancerControllerIAMPolicy`. If you downloaded a different policy, replace `iam-policy` with the name of the policy that you downloaded.
Expand All @@ -121,7 +124,7 @@ Example condition for cluster name resource tag:
### Option B: Attach IAM policies to nodes
If you're not setting up IAM roles for service accounts, apply the IAM policies from the following URL at a minimum. Please be aware of the possibility that the controller permissions may be assumed by other users in a pod after retrieving the node role credentials, so the best practice would be using IRSA instead of attaching IAM policy directly.
```
curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.6.0/docs/install/iam_policy.json
curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.6.2/docs/install/iam_policy.json
```
The following IAM permissions subset is for those using `TargetGroupBinding` only and don't plan to use the LBC to manage security group rules:
Expand Down Expand Up @@ -155,6 +158,7 @@ Review the [worker nodes security group](https://docs.aws.amazon.com/eks/latest/
If you use [eksctl](https://eksctl.io/usage/vpc-networking/), this is the default configuration.
If you use custom networking, please refer to the [EKS Best Practices Guides](https://aws.github.io/aws-eks-best-practices/networking/custom-networking/#use-custom-networking-when) for network configuration.
## Add controller to cluster
We recommend using the Helm chart to install the controller. The chart supports Fargate and facilitates updating the controller.
Expand All @@ -174,7 +178,8 @@ We recommend using the Helm chart to install the controller. The chart supports
```
2. If upgrading the chart via `helm upgrade`, install the `TargetGroupBinding` CRDs.
```
kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller//crds?ref=master"
wget https://raw.githubusercontent.com/aws/eks-charts/master/stable/aws-load-balancer-controller/crds/crds.yaml
kubectl apply -f crds.yaml
```
!!!tip
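Review bot: the CRD install still fetches from the `master` branch of eks-charts (the old `?ref=master` and the new raw URL alike), so a chart upgrade pinned to a controller release can pick up whatever CRDs are on master that day; reference a chart release tag or commit in the raw URL, consistent with the `v2.6.2` pinning used for every other URL in this file. If the goal was to avoid the remote-kustomize form, `kubectl apply -f <url>` works directly without the intermediate `wget` to a local `crds.yaml`.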
Expand Down Expand Up @@ -204,7 +209,7 @@ We recommend using the Helm chart to install the controller. The chart supports
### Apply YAML
1. Download the spec for the LBC.
```
wget https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/download/v2.6.0/v2_6_0_full.yaml
wget https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/download/v2.6.2/v2_6_2_full.yaml
```
2. Edit the saved yaml file, go to the Deployment spec, and set the controller `--cluster-name` arg value to your EKS cluster name
```
Expand All @@ -219,7 +224,7 @@ We recommend using the Helm chart to install the controller. The chart supports
spec:
containers:
- args:
- --cluster-name=<INSERT_CLUSTER_NAME>
- --cluster-name=<your-cluster-name>
```
3. If you use IAM roles for service accounts, we recommend that you delete the `ServiceAccount` from the yaml spec. If you delete the installation section from the yaml spec, deleting the `ServiceAccount` preserves the `eksctl` created `iamserviceaccount`.
```
Expand All @@ -228,15 +233,15 @@ We recommend using the Helm chart to install the controller. The chart supports
```
4. Apply the yaml file
```
kubectl apply -f v2_6_0_full.yaml
kubectl apply -f v2_6_2_full.yaml
```
5. Optionally download the default ingressclass and ingressclass params
```
wget https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/download/v2.6.0/v2_6_0_ingclass.yaml
wget https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/download/v2.6.2/v2_6_2_ingclass.yaml
```
6. Apply the ingressclass and params
```
kubectl apply -f v2_6_0_ingclass.yaml
kubectl apply -f v2_6_2_ingclass.yaml
```
## Create Update Strategy
10 changes: 5 additions & 5 deletions docs/examples/echo_server.md
Expand Up @@ -87,9 +87,9 @@ In this walkthrough, you'll
1. Deploy all the echoserver resources (namespace, service, deployment)

```bash
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.6.0/docs/examples/echoservice/echoserver-namespace.yaml &&\
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.6.0/docs/examples/echoservice/echoserver-service.yaml &&\
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.6.0/docs/examples/echoservice/echoserver-deployment.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.6.2/docs/examples/echoservice/echoserver-namespace.yaml &&\
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.6.2/docs/examples/echoservice/echoserver-service.yaml &&\
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.6.2/docs/examples/echoservice/echoserver-deployment.yaml
```

1. List all the resources to ensure they were created.
Expand All @@ -113,7 +113,7 @@ In this walkthrough, you'll
1. Download the echoserver ingress manifest locally.

```bash
wget https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.6.0/docs/examples/echoservice/echoserver-ingress.yaml
wget https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.6.2/docs/examples/echoservice/echoserver-ingress.yaml
```

1. Configure the subnets, either by add annotation to the ingress or add tags to subnets. This step is optional in lieu of auto-discovery.
Expand Down Expand Up @@ -300,7 +300,7 @@ You should get back a valid response.
follow below steps if you want to use kube2iam to provide the AWS credentials

1. configure the proper policy
The policy to be used can be fetched from https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.6.0/docs/install/iam_policy.json
The policy to be used can be fetched from https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.6.2/docs/install/iam_policy.json

1. configure the proper role and create the trust relationship
You have to find which role is associated with your K8S nodes. Once you found take note of the full arn:
27 changes: 27 additions & 0 deletions docs/guide/ingress/ingress_class.md
Expand Up @@ -104,6 +104,33 @@ You can use IngressClassParams to enforce settings for a set of Ingresses.
- key: idle_timeout.timeout_seconds
value: "120"
```
- with subnets.ids
```
apiVersion: elbv2.k8s.aws/v1beta1
kind: IngressClassParams
metadata:
name: awesome-class
spec:
subnets:
ids:
- subnet-xxx
- subnet-123
```
- with subnets.tags
```
apiVersion: elbv2.k8s.aws/v1beta1
kind: IngressClassParams
metadata:
name: class2048-config
spec:
subnets:
tags:
kubernetes.io/role/internal-elb:
- "1"
myKey:
- myVal0
- myVal1
```

### IngressClassParams specification
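Review bot: the two new examples use different `metadata.name` values (`awesome-class` and `class2048-config`) although the section's earlier examples reuse one name; aligning them lets the reader see only `spec.subnets` changing between variants. `subnet-xxx` next to `subnet-123` also mixes two placeholder styles; pick one.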

2 changes: 2 additions & 0 deletions docs/index.md
Expand Up @@ -52,3 +52,5 @@ This project was formerly known as "AWS ALB Ingress Controller", we rebranded it

If you think you’ve found a potential security issue, please do not post it in the Issues. Instead, please follow the instructions [here](https://aws.amazon.com/security/vulnerability-reporting/) or [email AWS security directly](mailto:aws-security@amazon.com).

## Support Policy
Currently, AWS provides security updates and bug fixes to the latest available minor versions of AWS LBC. For other ad-hoc supports on older versions, please reach out through AWS support ticket.
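Review bot: in the new Support Policy paragraph, "ad-hoc supports" should be "ad-hoc support" and "through AWS support ticket" needs an article ("through an AWS Support ticket"); a link to the support channel would help, as the preceding paragraph does for vulnerability reporting.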