kubernetes-sigs / aws-load-balancer-controller

A Kubernetes controller for Elastic Load Balancers
https://kubernetes-sigs.github.io/aws-load-balancer-controller/
Apache License 2.0

Adding source-ip protection to my ALB endpoint backed by EKS hosted service doesn't work as expected #3195

Closed michalschott closed 1 year ago

michalschott commented 1 year ago

Describe the bug

Adding source-ip protection to my ALB endpoint backed by EKS hosted service doesn't work as expected

apiVersion: v1
kind: Service
metadata:
  name: test
spec:
  ports:
  - appProtocol: http
    name: http
    port: 80
    protocol: TCP
    targetPort: http
  selector:
    app: test
  sessionAffinity: None
  type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/certificate-arn: ""
    alb.ingress.kubernetes.io/group.name: internal
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/target-type: ip
    # alb.ingress.kubernetes.io/actions.test: >
    #   {"type":"forward","targetGroupARN": "arn:aws:elasticloadbalancing:[REDACTED]"}
    alb.ingress.kubernetes.io/conditions.test: >
      [{"field":"source-ip","sourceIpConfig":{"values":["192.168.0.0/16", "172.16.0.0/16"]}}]
  name: test
spec:
  ingressClassName: alb
  rules:
  - host: test.dev
    http:
      paths:
      - backend:
          service:
            name: test
            port:
              # name: http
              name: use-annotation
        path: /
        pathType: Prefix

I've noticed that, with name: use-annotation, the targetGroup is not created automatically. Thus the Then field looks like:

Then
Return fixed response
Response code: 503
Response body: Backend action does not exist
Response content type: text/plain

Once the alb.ingress.kubernetes.io/actions.test annotation is uncommented, Then is set correctly.

Obviously, once name is changed to http, source-ip protection is not added.

Steps to reproduce

Described above.

Expected outcome

TargetGroup should be created and forward rule should be created.

Environment

Additional Context:

oliviassss commented 1 year ago

@michalschott if the alb.ingress.kubernetes.io/actions.test is uncommented but there's a backend service port named use-annotation in your ingress spec, it is expected behavior that the target group is not created, since in your service spec there is no port named use-annotation. In order to have the source-ip protection added, you need the annotation alb.ingress.kubernetes.io/actions.test, and the service port name must be use-annotation. You can check more info in our live doc: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.5/guide/ingress/annotations/#actions

michalschott commented 1 year ago

@oliviassss Indeed, but then I need to create a target group outside of ALBController. What's the point (or how else can I do that) if my service runs on EKS?

M00nF1sh commented 1 year ago

@michalschott why would you comment out the "actions.test"?

There are a couple of options:

  1. The YAML below shall work with an externally created targetGroup.

    alb.ingress.kubernetes.io/actions.test: >
      {"type":"forward","targetGroupARN": "arn:aws:elasticloadbalancing:[REDACTED]"}
    alb.ingress.kubernetes.io/conditions.test: >
      [{"field":"source-ip","sourceIpConfig":{"values":["192.168.0.0/16", "172.16.0.0/16"]}}]
    ......
    - backend:
        service:
          name: test
          port:
            name: use-annotation

  2. The YAML below shall work when you want a TargetGroup for Service test port http to be auto-created. The caveat is to not use the magic "use-annotation" as the port name; the "conditions.xxx" annotation works on real service names.

    alb.ingress.kubernetes.io/conditions.test: >
      [{"field":"source-ip","sourceIpConfig":{"values":["192.168.0.0/16", "172.16.0.0/16"]}}]
    ......
    - backend:
        service:
          name: test
          port:
            name: http

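
As an added example (not code from the controller project or from anyone in this thread), a small lint that applies the rules described in the two options above to an Ingress already loaded as a dict: a backend port named use-annotation must have a matching actions.<name> annotation (otherwise the ALB rule degrades to the 503 fixed response seen in the report), a real port name must exist on the Service, and every conditions.<name> annotation must point at a backend that is actually in the spec, so a source-ip restriction is never silently dropped. The names lint_ingress, service_ports and the sample manifest are assumptions.

```python
import ipaddress
import json

PREFIX = "alb.ingress.kubernetes.io/"


def lint_ingress(ingress, service_ports):
    """Return findings for one Ingress dict; service_ports maps Service name -> set of port names."""
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    backends = {}  # backend Service name -> backend port name (None for numbered ports)
    for rule in ingress.get("spec", {}).get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            svc = path["backend"]["service"]
            backends[svc["name"]] = svc.get("port", {}).get("name")
    findings = []
    for name, port in backends.items():
        if port == "use-annotation":
            # Magic port name: the controller needs actions.<name> to build the rule action.
            if f"{PREFIX}actions.{name}" not in annotations:
                findings.append(f"{name}: port 'use-annotation' without actions.{name};"
                                " the ALB rule becomes a 503 fixed response")
        elif port is not None and port not in service_ports.get(name, set()):
            findings.append(f"{name}: Service has no port named {port!r}")
    for key, value in annotations.items():
        if not key.startswith(f"{PREFIX}conditions."):
            continue
        target = key.split("conditions.", 1)[1]
        if target not in backends:  # orphaned condition: the restriction never applies
            findings.append(f"{key}: no backend named {target!r}; condition never applied")
            continue
        try:
            conditions = json.loads(value)
        except json.JSONDecodeError as exc:
            findings.append(f"{key}: invalid JSON ({exc.msg})")
            continue
        for cidr in (v for c in conditions if c.get("field") == "source-ip"
                     for v in c.get("sourceIpConfig", {}).get("values", [])):
            try:
                ipaddress.ip_network(cidr, strict=True)
            except ValueError:
                findings.append(f"{key}: {cidr!r} is not a valid CIDR block")
    return findings


# Constructed sample mirroring the issue's manifest (port use-annotation, actions.test absent).
ISSUE_INGRESS = {
    "metadata": {"annotations": {PREFIX + "conditions.test":
        '[{"field":"source-ip","sourceIpConfig":{"values":["192.168.0.0/16", "172.16.0.0/16"]}}]'}},
    "spec": {"rules": [{"host": "test.dev", "http": {"paths": [{"path": "/", "pathType": "Prefix",
        "backend": {"service": {"name": "test", "port": {"name": "use-annotation"}}}}]}}]},
}
SERVICE_PORTS = {"test": {"http"}}  # port names defined on the Service 'test' in the report
```

Running lint_ingress(ISSUE_INGRESS, SERVICE_PORTS) reports the missing actions.test annotation; switching the backend port name to http (option 2) yields no findings.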
michalschott commented 1 year ago

@M00nF1sh thanks for the suggestion, I ended up attaching a WAF to the LB instead.

oliviassss commented 1 year ago

@michalschott, I'm closing this issue for now; please feel free to reach out or reopen if you have any questions. Thanks