Open pasdam opened 1 year ago
This issue is currently awaiting triage.
If cloud-provider-aws contributors determine this is a relevant issue, they will accept it by applying the triage/accepted
label and provide further guidance.
The triage/accepted
label can be added by org members by writing /triage accepted
in a comment.
I couldn't reproduce the issue, can you share the service specification which you are using for this?
Do you mean this
apiVersion: v1
kind: Service
metadata:
annotations:
meta.helm.sh/release-name: gloo
meta.helm.sh/release-namespace: gloo-system
service.beta.kubernetes.io/aws-load-balancer-access-log-emit-interval: "5"
service.beta.kubernetes.io/aws-load-balancer-access-log-enabled: "true"
service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-name: <s3-name>
service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-prefix: api
service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: Environment=staging,Name=api,GitHubRepo=gloo
service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold: "2"
service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval: "10"
service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /envoy-hc
service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: traffic-port
service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: HTTP
service.beta.kubernetes.io/aws-load-balancer-healthcheck-timeout: "6"
service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold: "2"
service.beta.kubernetes.io/aws-load-balancer-name: api
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <ACM certificate ARN>
service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-TLS-1-2-Ext-2018-06
service.beta.kubernetes.io/aws-load-balancer-type: nlb
creationTimestamp: "2023-03-09T06:51:29Z"
finalizers:
- service.kubernetes.io/load-balancer-cleanup
labels:
app: gloo
app.kubernetes.io/managed-by: Helm
gateway-proxy-id: gateway-proxy-api
gloo: gateway-proxy
name: gateway-proxy-api
namespace: gloo-system
resourceVersion: "217407260"
uid: f41fc3a1-fda2-4668-b90b-dc0866b5f5a6
spec:
allocateLoadBalancerNodePorts: true
clusterIP: <cluster-ip>
clusterIPs:
- <cluster-ip>
externalTrafficPolicy: Local
healthCheckNodePort: 32392
internalTrafficPolicy: Cluster
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
loadBalancerSourceRanges:
- <list-of-whitelisted-ips>
ports:
- name: http
nodePort: 32344
port: 80
protocol: TCP
targetPort: 8080
- name: https
nodePort: 31099
port: 443
protocol: TCP
targetPort: 8080
selector:
gateway-proxy: live
gateway-proxy-id: gateway-proxy-api
sessionAffinity: None
type: LoadBalancer
status:
loadBalancer:
ingress:
- hostname: <LB-host-name>
Thanks for sharing but unfortunately i couldn't reproduce with similar configs? Is the issue consistent for you?
I can't easily test it now, but yeah it was consistent when we were looking into it, we ended up recreating it, which was annoying, and in some cases might even be impossible
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
lifecycle/stale
is appliedlifecycle/stale
was applied, lifecycle/rotten
is appliedlifecycle/rotten
was applied, the issue is closedYou can:
/remove-lifecycle stale
/close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
lifecycle/stale
is appliedlifecycle/stale
was applied, lifecycle/rotten
is appliedlifecycle/rotten
was applied, the issue is closedYou can:
/remove-lifecycle stale
/close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
lifecycle/stale
is appliedlifecycle/stale
was applied, lifecycle/rotten
is appliedlifecycle/rotten
was applied, the issue is closedYou can:
/remove-lifecycle stale
/close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
lifecycle/stale
is appliedlifecycle/stale
was applied, lifecycle/rotten
is appliedlifecycle/rotten
was applied, the issue is closedYou can:
/remove-lifecycle rotten
/close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
What happened: We updated the
loadBalancerSourceRanges
property of an existing service, but the new IPs were not propagated to the SG, as a result we can't connect from new IPsWhat you expected to happen: the new IPs should be propagated to the node security group
How to reproduce it (as minimally and precisely as possible):
service.beta.kubernetes.io/aws-load-balancer-type: nlb
annotation and 1 element inloadBalancerSourceRanges
loadBalancerSourceRanges
Anything else we need to know?:
Environment:
kubectl version
):Server Version: version.Info{Major:"1", Minor:"24+", GitVersion:"v1.24.10-eks-48e63af", GitCommit:"9176fb99b52f8d5ff73d67fea27f3a638f679f8a", GitTreeState:"clean", BuildDate:"2023-01-24T19:17:48Z", GoVersion:"go1.19.5", Compiler:"gc", Platform:"linux/amd64"}
uname -a
):/kind bug