We created a K8s cluster deployed with Azure Cloud-Controller-Manager (v1.29.3) in the control-plane. When a K8s LoadBalancer service is deployed at the cluster, the CCM created a new NSG rule (k8s-azure-lb_allow_IPv4_xxxx and cleaned up all the existing NSG rules at the cluster security-group (NSG configured as securityGroupName at the cloud-config) for CCM.
Noticed that in the process of adding a new NSG rule for the LB, CCM updated the NSG for existing rules by merging CIDR prefixes but ignored handling rules setup between ASGs. This seems to be a bug from CCM trying to consolidate the existing NSG rules as part of this feature 4713
What you expected to happen:
CCM should not affect existing traffic configured at the NSG for the cluster subnet.
How to reproduce it (as minimally and precisely as possible):
Create a NSG with security-group rules restricting traffic between two ASGs (use rule priority > 500).
Set securityGroupName at cloud-config used by the azure-cloud-config-manager deployment to use the above NSG.
Create a simple load-balancer service for the k8s cluster. This will add a new rule for the k8s service, but delete the existing rules.
Anything else we need to know?:
This behavior is not observed in v1.28.x CCM versions, but persists after 1.29+ versions. Seems to be an inadvertent bug from this PR where reconcileSecurityGroup handles only the ip prefixes but missed the ASG based rules.
Environment:
Kubernetes version (use kubectl version): v1.29.4
Cloud provider or hardware configuration: Azure cloud provider
OS (e.g: cat /etc/os-release): Ubuntu 22.04.04 LTS
What happened:
We created a K8s cluster deployed with Azure Cloud-Controller-Manager (v1.29.3) in the control-plane. When a K8s LoadBalancer service is deployed at the cluster, the CCM created a new NSG rule (
k8s-azure-lb_allow_IPv4_xxxx
and cleaned up all the existing NSG rules at the cluster security-group (NSG configured assecurityGroupName
at the cloud-config) for CCM.Noticed that in the process of adding a new NSG rule for the LB, CCM updated the NSG for existing rules by merging CIDR prefixes but ignored handling rules setup between ASGs. This seems to be a bug from CCM trying to consolidate the existing NSG rules as part of this feature 4713
What you expected to happen:
CCM should not affect existing traffic configured at the NSG for the cluster subnet.
How to reproduce it (as minimally and precisely as possible):
securityGroupName
at cloud-config used by the azure-cloud-config-manager deployment to use the above NSG.Anything else we need to know?:
This behavior is not observed in v1.28.x CCM versions, but persists after 1.29+ versions. Seems to be an inadvertent bug from this PR where
reconcileSecurityGroup
handles only the ip prefixes but missed the ASG based rules.Environment:
kubectl version
):v1.29.4
Azure cloud provider
cat /etc/os-release
):Ubuntu 22.04.04 LTS
uname -a
):6.5.0-1021-azure #22~22.04.1-Ubuntu SMP Tue Apr 30 16:08:18 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
cc: @zarvd @feiskyer