Skip to content

✨ Filter out inbound rules added by external controllers, like the AWS LB controller, when reconciling worker node sg #640

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: release-2.8
Choose a base branch
from
Open

✨ Filter out inbound rules added by external controllers, like the AWS LB controller, when reconciling worker node sg #640

wants to merge 1 commit into from
+38 −1

Conversation

@fiunchinho
Copy link
Member

@fiunchinho fiunchinho commented Nov 18, 2025

@fiunchinho
Filter out inbound rules added by external controllers, like the AWS …
aebfe03 
…LB controller, when reconciling worker node sg
@fiunchinho fiunchinho self-assigned this Nov 18, 2025
@fiunchinho fiunchinho moved this to Blocked / Waiting ⛔️ in Roadmap Nov 20, 2025
@fiunchinho fiunchinho changed the title Filter out inbound rules added by external controllers, like the AWS LB controller, when reconciling worker node sg ✨ Filter out inbound rules added by external controllers, like the AWS LB controller, when reconciling worker node sg Nov 20, 2025
AndiDog
AndiDog requested changes Nov 21, 2025
View reviewed changes
pkg/cloud/services/securitygroup/securitygroups.go

// Filter out rules managed by external controllers (e.g., AWS Load Balancer Controller)
// These rules should not be revoked by CAPA as they are managed by other components.
current := filterIgnoredIngressRules(sg.IngressRules)
Copy link

@AndiDog AndiDog Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The variable name now isn't descriptive of its content anymore. Let's please use re-assign with the new meaning, or rename:

Suggested change
current := filterIgnoredIngressRules(sg.IngressRules)
currentFiltered := filterIgnoredIngressRules(sg.IngressRules)

But actually, I think the below comment is better for understanding the function flow...

pkg/cloud/services/securitygroup/securitygroups.go
// Duplicate rules with multiple cidr blocks/source security groups so that we are comparing similar sets.
want := expandIngressRules(specRules)

toRevoke := current.Difference(want)
Copy link

@AndiDog AndiDog Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of the above, I would like the filtering to be done here, since what we want to do is not delete those rules, and this is the code that does exactly that:

Suggested change
// Do not revoke rules managed by external controllers (e.g., AWS Load Balancer Controller).
toRevoke := filterIgnoredIngressRules(current.Difference(want))

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AndiDog AndiDog AndiDog requested changes

@iuriaranda iuriaranda iuriaranda approved these changes

Requested changes must be addressed to merge this pull request.

Assignees

@fiunchinho fiunchinho

Labels

None yet

Projects

Roadmap
Status: Blocked / Waiting ⛔️

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@fiunchinho @iuriaranda @AndiDog