Fix behaivour of aws-load-balancer-security-groups annotation

[Elias481]

What type of PR is this?
/kind bug

What this PR does / why we need it:
The intention of users utilizing the specified by aws-load-balancer-security-groups annotation is typically, that they want to assign an externally managed security to the load balancer and do not want Kubernetes to modify the group.
(Also see summary/fixed issues)

Which issue(s) this PR fixes:
Ensures that Security Group specified by aws-load-balancer-security-groups is not modified on setup of Load Balancer anymore.
Fixes #79723, kubernetes/cloud-provider-aws/issues/65
Redesign implementation from PR #62774
Also addresses #49445, #79279

Special notes for your reviewer:
If changing return signature of buildELBSecurityGroupList is an issue I would suggest to rename the function and add a wrapper with the old name.

Release Note

Fix handling of aws-load-balancer-security-groups annotation. Security-Groups assigned with this annotation are no longer modified by kubernetes which is the expected behaviour of most users. Also no unnecessary Security-Groups are created anymore if this annotation is used.

[k8s-ci-robot]

Welcome @Elias481!

It looks like this is your first PR to kubernetes/kubernetes 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/kubernetes has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @Elias481. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[Elias481]

/assign @micahhausler

[nckturner]

/ok-to-test

[Elias481]

/test pull-kubernetes-e2e-gce-100-performance

[redradrat]

This actually addresses a quite heavy impact issue, as I understand it? It fixes the override of a loadbalancer's sg to allow incoming traffic from 0.0.0.0.

Is there anything that can be done to help move this along from the outside?

[rmt]

Ping? We are also affected by this issue. Who can approve this?

/sig aws

[k8s-ci-robot]

@rmt: The label(s) sig/aws cannot be applied, because the repository doesn't have them

Details

In response to this:

Ping? We are also affected by this issue. Who can approve this?

/sig aws

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[M00nF1sh]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Elias481, M00nF1sh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• staging/src/k8s.io/legacy-cloud-providers/aws/OWNERS [M00nF1sh]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[M00nF1sh]

/test pull-kubernetes-e2e-gce

[Elias481]

OK fine, I updated the description a bit. So hopefully we can get the fixed version soon in our live enviroment.

[bhks]

@Elias481

We should update the release notes so that it can be added in next release.

[Elias481]

@bhagwat070919 shall I do another PR for that or how? I think it's just a short note that the behaviour that was probably expected/desired is now in place.

[ivan-sukhomlyn]

@Elias481 @bhagwat070919 Hi guys,
After this PR merging, will Kubernetes continue to create its own Security Group in case if aws-load-balancer-security-groups defined in the annotations list with custom SG?
More details are available by the link kubernetes/cloud-provider-aws#65
Thanks

[Elias481]

@ivan-sukhomlyn You are right, I forgot to mention and possibly worth to adding to description of PR und Release notes explicitly. This is of course also fixed in this turn.

[ivan-sukhomlyn]

Thanks for clarifying and your work 👍
@bhagwat070919 Maybe you have some ETA of Kubernetes 1.18 at the AWS EKS service?

[seh]

s/setupSg/setUpSG/

[bhks]

@bhagwat070919 shall I do another PR for that or how? I think it's just a short note that the behaviour that was probably expected/desired is now in place.

@Elias481 you can just update this PR Release note and it would be taken when release note is being made.

[bhks]

@Elias481 ,

Do you mind creating Cherry-pick of this PR for k8s 1.17, 1.16, 1.15 and 1.14 ?

[Elias481]

@bhagwat070919 I can do so, I think I will find some time till monday morning..

[ivan-sukhomlyn]

@Elias481 @bhagwat070919 It would be nice to have this fix in other K8S versions.

[vampirismtrueblood]

I think this issue needs to be re-opened, issue still exists with EKS v1.25,
loadBalancerSourceRanges works when creating the NLB, but updating still does not work.
Can we have this re-opened please