kubernetes-sigs / aws-load-balancer-controller

A Kubernetes controller for Elastic Load Balancers
https://kubernetes-sigs.github.io/aws-load-balancer-controller/
Apache License 2.0

ALB/Target Group/Security Group are being deleted right after being created when adding a new Ingress with no error message #3177

Closed vduplessis-stonal closed 1 year ago

vduplessis-stonal commented 1 year ago

Describe the bug

I am currently trying to migrate from nginx ingress controller to LB ingress controller with ALB. I am trying to deploy a simple whoami service to test the ingress, which is as follows:

apiVersion: v1
kind: Service
metadata:
  name: whoami
  namespace: whoami
  labels:
    app: whoami
spec:
  ports:
  - port: 80
    protocol: TCP
  type: NodePort
  selector:
    app: whoami

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: whoami
  namespace: whoami
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:eu-west-3:[account]:certificate/[id]
    external-dns.alpha.kubernetes.io/hostname: "*.test.eks-sandbox.stonal.io"
spec:
  ingressClassName: alb
  rules:
  - host: whoami.test.eks-sandbox.stonal.io
    http:
      paths:
      - pathType: ImplementationSpecific
        backend:
          service:
            name: whoami
            port: 
              number: 80
  tls:
  - hosts:
    - whoami.test.eks-sandbox.stonal.io

When applying this, I get this result on the controller logs:

{"level":"info","ts":"2023-04-26T14:25:49Z","logger":"controllers.ingress","msg":"Auto Create SG","LB SGs":[{"$ref":"#/resources/AWS::EC2::SecurityGroup/ManagedLBSecurityGroup/status/groupID"},"sg-0180f8e358fa23048"],"backend SG":"sg-0180f8e358fa23048"}
{"level":"info","ts":"2023-04-26T14:25:49Z","logger":"controllers.ingress","msg":"successfully built model","model":"{\"id\":\"whoami/whoami\",\"resources\":{\"AWS::EC2::SecurityGroup\":{\"ManagedLBSecurityGroup\":{\"spec\":{\"groupName\":\"k8s-whoami-whoami-dd2c5104f9\",\"description\":\"[k8s] Managed SecurityGroup for LoadBalancer\",\"ingress\":[{\"ipProtocol\":\"tcp\",\"fromPort\":443,\"toPort\":443,\"ipRanges\":[{\"cidrIP\":\"0.0.0.0/0\"}]}]}}},\"AWS::ElasticLoadBalancingV2::Listener\":{\"443\":{\"spec\":{\"loadBalancerARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::LoadBalancer/LoadBalancer/status/loadBalancerARN\"},\"port\":443,\"protocol\":\"HTTPS\",\"defaultActions\":[{\"type\":\"fixed-response\",\"fixedResponseConfig\":{\"contentType\":\"text/plain\",\"statusCode\":\"404\"}}],\"certificates\":[{\"certificateARN\":\"arn:aws:acm:eu-west-3:983974232060:certificate/8d5074d5-9e01-4722-8503-f9834e7103c4\"}],\"sslPolicy\":\"ELBSecurityPolicy-2016-08\"}}},\"AWS::ElasticLoadBalancingV2::ListenerRule\":{\"443:1\":{\"spec\":{\"listenerARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::Listener/443/status/listenerARN\"},\"priority\":1,\"actions\":[{\"type\":\"forward\",\"forwardConfig\":{\"targetGroups\":[{\"targetGroupARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::TargetGroup/whoami/whoami-whoami:80/status/targetGroupARN\"}}]}}],\"conditions\":[{\"field\":\"host-header\",\"hostHeaderConfig\":{\"values\":[\"whoami.test.eks-sandbox.stonal.io\"]}}]}}},\"AWS::ElasticLoadBalancingV2::LoadBalancer\":{\"LoadBalancer\":{\"spec\":{\"name\":\"k8s-whoami-whoami-ecdc81edf9\",\"type\":\"application\",\"scheme\":\"internet-facing\",\"ipAddressType\":\"ipv4\",\"subnetMapping\":[{\"subnetID\":\"subnet-027843bbbc284fd12\"},{\"subnetID\":\"subnet-03cd4881634347001\"},{\"subnetID\":\"subnet-0c847d97265e1e23a\"}],\"securityGroups\":[{\"$ref\":\"#/resources/AWS::EC2::SecurityGroup/ManagedLBSecurityGroup/status/groupID\"},\"sg-0180f8e358fa23048\"]}}},\"AWS::ElasticLoadBalancingV2::TargetGroup\":{\"whoami/whoami-whoami:80\":{\"spec\":{\"name\":\"k8s-whoami-whoami-cc6578739a\",\"targetType\":\"ip\",\"port\":80,\"protocol\":\"HTTP\",\"protocolVersion\":\"HTTP1\",\"ipAddressType\":\"ipv4\",\"healthCheckConfig\":{\"port\":\"traffic-port\",\"protocol\":\"HTTP\",\"path\":\"/\",\"matcher\":{\"httpCode\":\"200\"},\"intervalSeconds\":15,\"timeoutSeconds\":5,\"healthyThresholdCount\":2,\"unhealthyThresholdCount\":2}}}},\"K8S::ElasticLoadBalancingV2::TargetGroupBinding\":{\"whoami/whoami-whoami:80\":{\"spec\":{\"template\":{\"metadata\":{\"name\":\"k8s-whoami-whoami-cc6578739a\",\"namespace\":\"whoami\",\"creationTimestamp\":null},\"spec\":{\"targetGroupARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::TargetGroup/whoami/whoami-whoami:80/status/targetGroupARN\"},\"targetType\":\"ip\",\"serviceRef\":{\"name\":\"whoami\",\"port\":80},\"networking\":{\"ingress\":[{\"from\":[{\"securityGroup\":{\"groupID\":\"sg-0180f8e358fa23048\"}}],\"ports\":[{\"protocol\":\"TCP\",\"port\":80}]}]},\"ipAddressType\":\"ipv4\"}}}}}}}"}
{"level":"info","ts":"2023-04-26T14:25:50Z","logger":"controllers.ingress","msg":"creating securityGroup","resourceID":"ManagedLBSecurityGroup"}
{"level":"info","ts":"2023-04-26T14:25:50Z","logger":"controllers.ingress","msg":"created securityGroup","resourceID":"ManagedLBSecurityGroup","securityGroupID":"sg-0c210b529fe5622fe"}
{"level":"info","ts":"2023-04-26T14:25:50Z","msg":"authorizing securityGroup ingress","securityGroupID":"sg-0c210b529fe5622fe","permission":[{"FromPort":443,"IpProtocol":"tcp","IpRanges":[{"CidrIp":"0.0.0.0/0","Description":""}],"Ipv6Ranges":null,"PrefixListIds":null,"ToPort":443,"UserIdGroupPairs":null}]}
{"level":"info","ts":"2023-04-26T14:25:51Z","msg":"authorized securityGroup ingress","securityGroupID":"sg-0c210b529fe5622fe"}
{"level":"info","ts":"2023-04-26T14:25:51Z","logger":"controllers.ingress","msg":"creating targetGroup","stackID":"whoami/whoami","resourceID":"whoami/whoami-whoami:80"}
{"level":"info","ts":"2023-04-26T14:25:51Z","logger":"controllers.ingress","msg":"created targetGroup","stackID":"whoami/whoami","resourceID":"whoami/whoami-whoami:80","arn":"arn:aws:elasticloadbalancing:eu-west-3:983974232060:targetgroup/k8s-whoami-whoami-cc6578739a/94f617ed78cabb10"}
{"level":"info","ts":"2023-04-26T14:25:51Z","logger":"controllers.ingress","msg":"creating loadBalancer","stackID":"whoami/whoami","resourceID":"LoadBalancer"}
{"level":"info","ts":"2023-04-26T14:25:52Z","logger":"controllers.ingress","msg":"created loadBalancer","stackID":"whoami/whoami","resourceID":"LoadBalancer","arn":"arn:aws:elasticloadbalancing:eu-west-3:983974232060:loadbalancer/app/k8s-whoami-whoami-ecdc81edf9/498a06d5ad70e14f"}
{"level":"info","ts":"2023-04-26T14:25:52Z","logger":"controllers.ingress","msg":"creating listener","stackID":"whoami/whoami","resourceID":"443"}
{"level":"info","ts":"2023-04-26T14:25:52Z","logger":"controllers.ingress","msg":"created listener","stackID":"whoami/whoami","resourceID":"443","arn":"arn:aws:elasticloadbalancing:eu-west-3:983974232060:listener/app/k8s-whoami-whoami-ecdc81edf9/498a06d5ad70e14f/90a0d1f0fc33f9d3"}
{"level":"info","ts":"2023-04-26T14:25:52Z","logger":"controllers.ingress","msg":"creating listener rule","stackID":"whoami/whoami","resourceID":"443:1"}
{"level":"info","ts":"2023-04-26T14:25:52Z","logger":"controllers.ingress","msg":"created listener rule","stackID":"whoami/whoami","resourceID":"443:1","arn":"arn:aws:elasticloadbalancing:eu-west-3:983974232060:listener-rule/app/k8s-whoami-whoami-ecdc81edf9/498a06d5ad70e14f/90a0d1f0fc33f9d3/d5c05a477aea1fdb"}
{"level":"info","ts":"2023-04-26T14:25:52Z","logger":"controllers.ingress","msg":"creating targetGroupBinding","stackID":"whoami/whoami","resourceID":"whoami/whoami-whoami:80"}
{"level":"info","ts":"2023-04-26T14:25:53Z","logger":"controllers.ingress","msg":"created targetGroupBinding","stackID":"whoami/whoami","resourceID":"whoami/whoami-whoami:80","targetGroupBinding":{"namespace":"whoami","name":"k8s-whoami-whoami-cc6578739a"}}
{"level":"info","ts":"2023-04-26T14:25:53Z","logger":"controllers.ingress","msg":"successfully deployed model","ingressGroup":"whoami/whoami"}
{"level":"info","ts":"2023-04-26T14:25:53Z","logger":"controllers.ingress","msg":"successfully built model","model":"{\"id\":\"whoami/whoami\",\"resources\":{}}"}
{"level":"info","ts":"2023-04-26T14:25:53Z","msg":"authorizing securityGroup ingress","securityGroupID":"sg-0e5a9a65b855b9c6c","permission":[{"FromPort":80,"IpProtocol":"tcp","IpRanges":null,"Ipv6Ranges":null,"PrefixListIds":null,"ToPort":80,"UserIdGroupPairs":[{"Description":"elbv2.k8s.aws/targetGroupBinding=shared","GroupId":"sg-0180f8e358fa23048","GroupName":null,"PeeringStatus":null,"UserId":null,"VpcId":null,"VpcPeeringConnectionId":null}]}]}
{"level":"info","ts":"2023-04-26T14:25:53Z","msg":"authorized securityGroup ingress","securityGroupID":"sg-0e5a9a65b855b9c6c"}
{"level":"info","ts":"2023-04-26T14:25:53Z","msg":"registering targets","arn":"arn:aws:elasticloadbalancing:eu-west-3:983974232060:targetgroup/k8s-whoami-whoami-cc6578739a/94f617ed78cabb10","targets":[{"AvailabilityZone":null,"Id":"10.0.38.81","Port":80}]}
{"level":"info","ts":"2023-04-26T14:25:53Z","logger":"controllers.ingress","msg":"deleting loadBalancer","arn":"arn:aws:elasticloadbalancing:eu-west-3:983974232060:loadbalancer/app/k8s-whoami-whoami-ecdc81edf9/498a06d5ad70e14f"}
{"level":"info","ts":"2023-04-26T14:25:53Z","logger":"controllers.ingress","msg":"deleted loadBalancer","arn":"arn:aws:elasticloadbalancing:eu-west-3:983974232060:loadbalancer/app/k8s-whoami-whoami-ecdc81edf9/498a06d5ad70e14f"}
{"level":"info","ts":"2023-04-26T14:25:53Z","logger":"controllers.ingress","msg":"deleting targetGroupBinding","targetGroupBinding":{"namespace":"whoami","name":"k8s-whoami-whoami-cc6578739a"}}
{"level":"info","ts":"2023-04-26T14:25:54Z","msg":"registered targets","arn":"arn:aws:elasticloadbalancing:eu-west-3:983974232060:targetgroup/k8s-whoami-whoami-cc6578739a/94f617ed78cabb10"}
{"level":"info","ts":"2023-04-26T14:25:54Z","msg":"deRegistering targets","arn":"arn:aws:elasticloadbalancing:eu-west-3:983974232060:targetgroup/k8s-whoami-whoami-cc6578739a/94f617ed78cabb10","targets":[{"AvailabilityZone":"eu-west-3c","Id":"10.0.38.81","Port":80}]}
{"level":"info","ts":"2023-04-26T14:25:54Z","msg":"deRegistered targets","arn":"arn:aws:elasticloadbalancing:eu-west-3:983974232060:targetgroup/k8s-whoami-whoami-cc6578739a/94f617ed78cabb10"}
{"level":"info","ts":"2023-04-26T14:25:54Z","msg":"revoking securityGroup ingress","securityGroupID":"sg-0e5a9a65b855b9c6c","permission":[{"FromPort":80,"IpProtocol":"tcp","IpRanges":null,"Ipv6Ranges":null,"PrefixListIds":null,"ToPort":80,"UserIdGroupPairs":[{"Description":"elbv2.k8s.aws/targetGroupBinding=shared","GroupId":"sg-0180f8e358fa23048","GroupName":null,"PeeringStatus":null,"UserId":"983974232060","VpcId":null,"VpcPeeringConnectionId":null}]}]}
{"level":"info","ts":"2023-04-26T14:25:54Z","msg":"revoked securityGroup ingress","securityGroupID":"sg-0e5a9a65b855b9c6c"}
{"level":"info","ts":"2023-04-26T14:25:54Z","logger":"controllers.ingress","msg":"deleted targetGroupBinding","targetGroupBinding":{"namespace":"whoami","name":"k8s-whoami-whoami-cc6578739a"}}
{"level":"info","ts":"2023-04-26T14:25:54Z","logger":"controllers.ingress","msg":"deleting targetGroup","arn":"arn:aws:elasticloadbalancing:eu-west-3:983974232060:targetgroup/k8s-whoami-whoami-cc6578739a/94f617ed78cabb10"}
{"level":"info","ts":"2023-04-26T14:25:58Z","logger":"controllers.ingress","msg":"deleted targetGroup","arn":"arn:aws:elasticloadbalancing:eu-west-3:983974232060:targetgroup/k8s-whoami-whoami-cc6578739a/94f617ed78cabb10"}
{"level":"info","ts":"2023-04-26T14:25:58Z","logger":"controllers.ingress","msg":"deleting securityGroup","securityGroupID":"sg-0c210b529fe5622fe"}
{"level":"info","ts":"2023-04-26T14:25:59Z","logger":"controllers.ingress","msg":"deleted securityGroup","securityGroupID":"sg-0c210b529fe5622fe"}
{"level":"info","ts":"2023-04-26T14:25:59Z","logger":"controllers.ingress","msg":"successfully deployed model","ingressGroup":"whoami/whoami"}

To summarize, the AWS resources (Load Balancer, Target Group, Security Group) are immediately deleted right after being created. When I reapply the exact same configuration after that, it creates it normally.

{"level":"info","ts":"2023-04-26T14:30:10Z","logger":"controllers.ingress","msg":"Auto Create SG","LB SGs":[{"$ref":"#/resources/AWS::EC2::SecurityGroup/ManagedLBSecurityGroup/status/groupID"},"sg-0180f8e358fa23048"],"backend SG":"sg-0180f8e358fa23048"}
{"level":"info","ts":"2023-04-26T14:30:10Z","logger":"controllers.ingress","msg":"successfully built model","model":"{\"id\":\"whoami/whoami\",\"resources\":{\"AWS::EC2::SecurityGroup\":{\"ManagedLBSecurityGroup\":{\"spec\":{\"groupName\":\"k8s-whoami-whoami-dd2c5104f9\",\"description\":\"[k8s] Managed SecurityGroup for LoadBalancer\",\"ingress\":[{\"ipProtocol\":\"tcp\",\"fromPort\":443,\"toPort\":443,\"ipRanges\":[{\"cidrIP\":\"0.0.0.0/0\"}]}]}}},\"AWS::ElasticLoadBalancingV2::Listener\":{\"443\":{\"spec\":{\"loadBalancerARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::LoadBalancer/LoadBalancer/status/loadBalancerARN\"},\"port\":443,\"protocol\":\"HTTPS\",\"defaultActions\":[{\"type\":\"fixed-response\",\"fixedResponseConfig\":{\"contentType\":\"text/plain\",\"statusCode\":\"404\"}}],\"certificates\":[{\"certificateARN\":\"arn:aws:acm:eu-west-3:983974232060:certificate/8d5074d5-9e01-4722-8503-f9834e7103c4\"}],\"sslPolicy\":\"ELBSecurityPolicy-2016-08\"}}},\"AWS::ElasticLoadBalancingV2::ListenerRule\":{\"443:1\":{\"spec\":{\"listenerARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::Listener/443/status/listenerARN\"},\"priority\":1,\"actions\":[{\"type\":\"forward\",\"forwardConfig\":{\"targetGroups\":[{\"targetGroupARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::TargetGroup/whoami/whoami-whoami:80/status/targetGroupARN\"}}]}}],\"conditions\":[{\"field\":\"host-header\",\"hostHeaderConfig\":{\"values\":[\"whoami.test.eks-sandbox.stonal.io\"]}}]}}},\"AWS::ElasticLoadBalancingV2::LoadBalancer\":{\"LoadBalancer\":{\"spec\":{\"name\":\"k8s-whoami-whoami-ecdc81edf9\",\"type\":\"application\",\"scheme\":\"internet-facing\",\"ipAddressType\":\"ipv4\",\"subnetMapping\":[{\"subnetID\":\"subnet-027843bbbc284fd12\"},{\"subnetID\":\"subnet-03cd4881634347001\"},{\"subnetID\":\"subnet-0c847d97265e1e23a\"}],\"securityGroups\":[{\"$ref\":\"#/resources/AWS::EC2::SecurityGroup/ManagedLBSecurityGroup/status/groupID\"},\"sg-0180f8e358fa23048\"]}}},\"AWS::ElasticLoadBalancingV2::TargetGroup\":{\"whoami/whoami-whoami:80\":{\"spec\":{\"name\":\"k8s-whoami-whoami-cc6578739a\",\"targetType\":\"ip\",\"port\":80,\"protocol\":\"HTTP\",\"protocolVersion\":\"HTTP1\",\"ipAddressType\":\"ipv4\",\"healthCheckConfig\":{\"port\":\"traffic-port\",\"protocol\":\"HTTP\",\"path\":\"/\",\"matcher\":{\"httpCode\":\"200\"},\"intervalSeconds\":15,\"timeoutSeconds\":5,\"healthyThresholdCount\":2,\"unhealthyThresholdCount\":2}}}},\"K8S::ElasticLoadBalancingV2::TargetGroupBinding\":{\"whoami/whoami-whoami:80\":{\"spec\":{\"template\":{\"metadata\":{\"name\":\"k8s-whoami-whoami-cc6578739a\",\"namespace\":\"whoami\",\"creationTimestamp\":null},\"spec\":{\"targetGroupARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::TargetGroup/whoami/whoami-whoami:80/status/targetGroupARN\"},\"targetType\":\"ip\",\"serviceRef\":{\"name\":\"whoami\",\"port\":80},\"networking\":{\"ingress\":[{\"from\":[{\"securityGroup\":{\"groupID\":\"sg-0180f8e358fa23048\"}}],\"ports\":[{\"protocol\":\"TCP\",\"port\":80}]}]},\"ipAddressType\":\"ipv4\"}}}}}}}"}
{"level":"info","ts":"2023-04-26T14:30:10Z","logger":"controllers.ingress","msg":"creating securityGroup","resourceID":"ManagedLBSecurityGroup"}
{"level":"info","ts":"2023-04-26T14:30:11Z","logger":"controllers.ingress","msg":"created securityGroup","resourceID":"ManagedLBSecurityGroup","securityGroupID":"sg-0c836f69ef961aee8"}
{"level":"info","ts":"2023-04-26T14:30:11Z","msg":"authorizing securityGroup ingress","securityGroupID":"sg-0c836f69ef961aee8","permission":[{"FromPort":443,"IpProtocol":"tcp","IpRanges":[{"CidrIp":"0.0.0.0/0","Description":""}],"Ipv6Ranges":null,"PrefixListIds":null,"ToPort":443,"UserIdGroupPairs":null}]}
{"level":"info","ts":"2023-04-26T14:30:11Z","msg":"authorized securityGroup ingress","securityGroupID":"sg-0c836f69ef961aee8"}
{"level":"info","ts":"2023-04-26T14:30:12Z","logger":"controllers.ingress","msg":"creating targetGroup","stackID":"whoami/whoami","resourceID":"whoami/whoami-whoami:80"}
{"level":"info","ts":"2023-04-26T14:30:12Z","logger":"controllers.ingress","msg":"created targetGroup","stackID":"whoami/whoami","resourceID":"whoami/whoami-whoami:80","arn":"arn:aws:elasticloadbalancing:eu-west-3:983974232060:targetgroup/k8s-whoami-whoami-cc6578739a/51e268e569c1aaf4"}
{"level":"info","ts":"2023-04-26T14:30:12Z","logger":"controllers.ingress","msg":"creating loadBalancer","stackID":"whoami/whoami","resourceID":"LoadBalancer"}
{"level":"info","ts":"2023-04-26T14:30:13Z","logger":"controllers.ingress","msg":"created loadBalancer","stackID":"whoami/whoami","resourceID":"LoadBalancer","arn":"arn:aws:elasticloadbalancing:eu-west-3:983974232060:loadbalancer/app/k8s-whoami-whoami-ecdc81edf9/4943b6fb275214b6"}
{"level":"info","ts":"2023-04-26T14:30:13Z","logger":"controllers.ingress","msg":"creating listener","stackID":"whoami/whoami","resourceID":"443"}
{"level":"info","ts":"2023-04-26T14:30:13Z","logger":"controllers.ingress","msg":"created listener","stackID":"whoami/whoami","resourceID":"443","arn":"arn:aws:elasticloadbalancing:eu-west-3:983974232060:listener/app/k8s-whoami-whoami-ecdc81edf9/4943b6fb275214b6/49e9996dbf72a92d"}
{"level":"info","ts":"2023-04-26T14:30:13Z","logger":"controllers.ingress","msg":"creating listener rule","stackID":"whoami/whoami","resourceID":"443:1"}
{"level":"info","ts":"2023-04-26T14:30:13Z","logger":"controllers.ingress","msg":"created listener rule","stackID":"whoami/whoami","resourceID":"443:1","arn":"arn:aws:elasticloadbalancing:eu-west-3:983974232060:listener-rule/app/k8s-whoami-whoami-ecdc81edf9/4943b6fb275214b6/49e9996dbf72a92d/4c9eaf342e098fad"}
{"level":"info","ts":"2023-04-26T14:30:13Z","logger":"controllers.ingress","msg":"creating targetGroupBinding","stackID":"whoami/whoami","resourceID":"whoami/whoami-whoami:80"}
{"level":"info","ts":"2023-04-26T14:30:13Z","logger":"controllers.ingress","msg":"created targetGroupBinding","stackID":"whoami/whoami","resourceID":"whoami/whoami-whoami:80","targetGroupBinding":{"namespace":"whoami","name":"k8s-whoami-whoami-cc6578739a"}}
{"level":"info","ts":"2023-04-26T14:30:13Z","msg":"authorizing securityGroup ingress","securityGroupID":"sg-0e5a9a65b855b9c6c","permission":[{"FromPort":80,"IpProtocol":"tcp","IpRanges":null,"Ipv6Ranges":null,"PrefixListIds":null,"ToPort":80,"UserIdGroupPairs":[{"Description":"elbv2.k8s.aws/targetGroupBinding=shared","GroupId":"sg-0180f8e358fa23048","GroupName":null,"PeeringStatus":null,"UserId":null,"VpcId":null,"VpcPeeringConnectionId":null}]}]}
{"level":"info","ts":"2023-04-26T14:30:13Z","logger":"controllers.ingress","msg":"successfully deployed model","ingressGroup":"whoami/whoami"}
{"level":"info","ts":"2023-04-26T14:30:13Z","msg":"authorized securityGroup ingress","securityGroupID":"sg-0e5a9a65b855b9c6c"}
{"level":"info","ts":"2023-04-26T14:30:13Z","msg":"registering targets","arn":"arn:aws:elasticloadbalancing:eu-west-3:983974232060:targetgroup/k8s-whoami-whoami-cc6578739a/51e268e569c1aaf4","targets":[{"AvailabilityZone":null,"Id":"10.0.38.81","Port":80}]}
{"level":"info","ts":"2023-04-26T14:30:14Z","msg":"registered targets","arn":"arn:aws:elasticloadbalancing:eu-west-3:983974232060:targetgroup/k8s-whoami-whoami-cc6578739a/51e268e569c1aaf4"}

Expected outcome

The ALB and the rest of the other AWS resources should not be deleted right after being created when adding a new Ingress.

Environment

M00nF1sh commented 1 year ago

@vduplessis-stonal do you have any controllers that deleted the Ingresses immediately? From the logs, {"level":"info","ts":"2023-04-26T14:25:53Z","logger":"controllers.ingress","msg":"successfully built model","model":"{\"id\":\"whoami/whoami\",\"resources\":{}}"}, it seems the Ingress was deleted.

Would you help check the kube-apiserver audit log to confirm that?

vduplessis-stonal commented 1 year ago

Hello @M00nF1sh, thank you for your response. The Ingress is not deleted at any time during the process; in fact it even has this after the initial creation:

status:
  loadBalancer:
    ingress:
    - hostname: k8s-whoami-whoami-ecdc81edf9-286150540.eu-west-3.elb.amazonaws.com

The hostname here is the address of an ALB that does not exist in the AWS console, which indicates to me that there was indeed an ALB at some point that was immediately deleted. The only event it has is this one (the age corresponds to the moment I created the Ingress):

Events:
  Type    Reason                  Age   From     Message
  ----    ------                  ----  ----     -------
  Normal  SuccessfullyReconciled  26m   ingress  Successfully reconciled

vduplessis-stonal commented 1 year ago

Hello,

We have found something troubling while investigating the kube-apiserver audit logs. It seems the Load Balancer Controller modifies the ingress right after the creation. We found this log:

{
    "kind": "Event",
    "apiVersion": "audit.k8s.io/v1",
    "level": "RequestResponse",
    "auditID": "96014ec0-79f5-4cbc-b34f-37bc5339eacf",
    "stage": "ResponseComplete",
    "requestURI": "/apis/networking.k8s.io/v1/namespaces/whoami/ingresses/whoami",
    "verb": "patch",
    "user": {
        "username": "system:serviceaccount:kube-system:aws-load-balancer-controller",
        "uid": "e2a36511-c62b-4681-8a25-deff13acccc2",
        "groups": [
            "system:serviceaccounts",
            "system:serviceaccounts:kube-system",
            "system:authenticated"
        ],
        "extra": {
            "authentication.kubernetes.io/pod-name": [
                "aws-load-balancer-controller-85649d7dd5-s8w5p"
            ],
            "authentication.kubernetes.io/pod-uid": [
                "fcbf3337-56b5-4c13-8551-859810f4c4a8"
            ]
        }
    },
[...]
    "responseObject": {
        "kind": "Ingress",
        "apiVersion": "networking.k8s.io/v1",
        "metadata": {
            "name": "whoami",
            "namespace": "whoami",
            "uid": "f905611d-4220-422b-b006-8f7a05507427",
            "resourceVersion": "33765621",
            "generation": 2,
            "creationTimestamp": "2023-05-03T08:50:44Z",
            "annotations": {
                "alb.ingress.kubernetes.io/certificate-arn": "arn:aws:acm:eu-west-3:983974232060:certificate/8d5074d5-9e01-4722-8503-f9834e7103c4",
                "alb.ingress.kubernetes.io/listen-ports": "[{\"HTTPS\":443}]",
                "alb.ingress.kubernetes.io/scheme": "internet-facing",
                "alb.ingress.kubernetes.io/target-type": "ip",
                "external-dns.alpha.kubernetes.io/hostname": "*.test.eks-sandbox.stonal.io",
                "field.cattle.io/publicEndpoints": "[{\"addresses\":[\"\"],\"port\":443,\"protocol\":\"HTTPS\",\"serviceName\":\"whoami:whoami\",\"ingressName\":\"whoami:whoami\",\"hostname\":\"whoami.test.eks-sandbox.stonal.io\",\"path\":\"/\",\"allNodes\":false}]",
                "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"networking.k8s.io/v1\",\"kind\":\"Ingress\",\"metadata\":{\"annotations\":{\"alb.ingress.kubernetes.io/certificate-arn\":\"arn:aws:acm:eu-west-3:983974232060:certificate/8d5074d5-9e01-4722-8503-f9834e7103c4\",\"alb.ingress.kubernetes.io/listen-ports\":\"[{\\\"HTTPS\\\":443}]\",\"alb.ingress.kubernetes.io/scheme\":\"internet-facing\",\"alb.ingress.kubernetes.io/target-type\":\"ip\",\"external-dns.alpha.kubernetes.io/hostname\":\"*.test.eks-sandbox.stonal.io\"},\"name\":\"whoami\",\"namespace\":\"whoami\"},\"spec\":{\"ingressClassName\":\"alb\",\"rules\":[{\"host\":\"whoami.test.eks-sandbox.stonal.io\",\"http\":{\"paths\":[{\"backend\":{\"service\":{\"name\":\"whoami\",\"port\":{\"number\":80}}},\"path\":\"/\",\"pathType\":\"Prefix\"}]}}],\"tls\":[{\"hosts\":[\"whoami.test.eks-sandbox.stonal.io\"]}]}}\n"
            },
[...]
        "spec": {
            "tls": [
                {
                    "hosts": [
                        "whoami.test.eks-sandbox.stonal.io"
                    ]
                }
            ],
            "rules": [
                {
                    "host": "whoami.test.eks-sandbox.stonal.io",
                    "http": {
                        "paths": [
                            {
                                "path": "/",
                                "pathType": "ImplementationSpecific",
                                "backend": {
                                    "service": {
                                        "name": "whoami",
                                        "port": {
                                            "number": 80
                                        }
                                    }
                                }
                            }
                        ]
                    }
                }
            ]
        },
        "status": {
            "loadBalancer": {
                "ingress": [
                    {
                        "hostname": "k8s-whoami-whoami-ecdc81edf9-1489757877.eu-west-3.elb.amazonaws.com"
                    }
                ]
            }
        }
    },

As it shows here, it seems the patch operation removed the ingressClassName: alb field from the specs, and it also changed the pathType. Is this normal behaviour from the controller?
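An added example, not part of the original thread and not the project's code: one way to attribute spec changes on an Ingress from kube-apiserver audit events, by ordering the RequestResponse-level events for the object and diffing `responseObject.spec` between consecutive ones. The audit events below are constructed, and the user names `admin@example` and `example-controller` are placeholders; only the `aws-load-balancer-controller` service account name comes from the thread.

```python
import json

def _spec(path_type, class_name=None):
    """Build an Ingress spec shaped like the one in the issue (constructed data)."""
    path = {"path": "/", "pathType": path_type,
            "backend": {"service": {"name": "whoami", "port": {"number": 80}}}}
    spec = {"rules": [{"host": "whoami.test.eks-sandbox.stonal.io",
                       "http": {"paths": [path]}}]}
    if class_name:
        spec["ingressClassName"] = class_name
    return spec

def _event(ts, verb, user, generation, spec):
    """Serialize one constructed audit event, trimmed to the fields used below."""
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "RequestResponse",
        "stage": "ResponseComplete", "stageTimestamp": ts, "verb": verb,
        "user": {"username": user},
        "responseObject": {
            "kind": "Ingress",
            "metadata": {"namespace": "whoami", "name": "whoami", "generation": generation},
            "spec": spec}})

LBC = "system:serviceaccount:kube-system:aws-load-balancer-controller"
OTHER = "system:serviceaccount:example-system:example-controller"  # placeholder name

# Constructed sample, deliberately out of chronological order.
SAMPLE_AUDIT_LOG = [
    _event("2023-05-03T08:50:44.500000Z", "patch", LBC, 2, _spec("ImplementationSpecific")),
    _event("2023-05-03T08:50:44.100000Z", "create", "admin@example", 1, _spec("Prefix", "alb")),
    _event("2023-05-03T08:50:44.300000Z", "update", OTHER, 2, _spec("ImplementationSpecific")),
]

def flatten(value, prefix=""):
    """Flatten nested dicts/lists into {"rules[0].host": ...} style paths."""
    if isinstance(value, dict):
        items = [(f"{prefix}.{k}" if prefix else k, v) for k, v in value.items()]
    elif isinstance(value, list):
        items = [(f"{prefix}[{i}]", v) for i, v in enumerate(value)]
    else:
        return {prefix: value}
    out = {}
    for path, child in items:
        out.update(flatten(child, path))
    return out

def spec_mutations(lines, namespace, name):
    """Return one finding per audit event whose response spec differs from the previous one."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        obj = ev.get("responseObject") or {}
        meta = obj.get("metadata") or {}
        if (ev.get("stage") == "ResponseComplete" and obj.get("kind") == "Ingress"
                and meta.get("namespace") == namespace and meta.get("name") == name):
            events.append(ev)
    # RFC 3339 UTC timestamps of equal precision sort correctly as strings.
    events.sort(key=lambda ev: ev.get("stageTimestamp", ""))
    findings, prev = [], None
    for ev in events:
        cur = flatten(ev["responseObject"].get("spec") or {})
        if prev is not None and cur != prev:
            changed = {k: (prev.get(k), cur.get(k))
                       for k in sorted(set(prev) | set(cur)) if prev.get(k) != cur.get(k)}
            findings.append({
                "time": ev.get("stageTimestamp"), "verb": ev.get("verb"),
                "user": (ev.get("user") or {}).get("username"),
                "generation": ev["responseObject"]["metadata"].get("generation"),
                "changed": changed})
        prev = cur
    return findings

if __name__ == "__main__":
    for finding in spec_mutations(SAMPLE_AUDIT_LOG, "whoami", "whoami"):
        print(json.dumps(finding, indent=2))
```

An event whose response spec matches the previous one (the controller's patch in the constructed sample) produces no finding, so the output names only the request that actually altered the spec.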

oliviassss commented 1 year ago

@vduplessis-stonal, I don't think the controller should remove the ingressClassName or change the pathType. Do you have other controllers installed that delete/modify the resources created by the AWS LBC? Or do you have multiple AWS LB controllers?

oliviassss commented 1 year ago

@vduplessis-stonal, I'm going to close the issue for now. Please feel free to reach out or reopen if you have any questions, thanks.