TargetGroupBindings can now manipulate target groups from different aws accounts #3691

marcosdiez · 2024-05-13T03:37:11Z

Issue #3634

Description

Now, every time a TargetGroupBinding has the alb.ingress.kubernetes.io/IamRoleArnToAssume (and optionally alb.ingress.kubernetes.io/AssumeRoleExternalId) annotations, we assume it before interacting to it (actually, the assume role operation is cached).

In real life, I changed:

targetgroupbinding_validator
targetgroupbinding_mutator
target manager (which has RegisterTargets / DeregisterTargets / ListTargets

This way we can easily manipulate target groups from target group bindings for every single AWS account in the world, as long as there is a role we can assume. In order to prevent the confused deputy problem, external id is supported.

The way this was implemented was actually way simpler than initially imagined:

the service.elbv2Client object now supports a new method called AssumeRole which returns service.elbv2Client on the specified role. The catch is that if AssumeRole is called with a blank role, the object returns itself and life goes on.

In other words, every time we call some method from elbv2Client from something related to target groups, we also call AssumeRole and that's basically it.

Caching the assumed role was also trivial, a simple map that is stored on cloud.go

I decided to have cloud.go manage the caching becuase in the future it could assume role for other objects if needed and all the assume role logic would be in the same place.

The only unfortunate change that needed to be made is that aws.Cloud became services.Cloud else golang would complain about circular dependency :(

This is what the logs look like:


{"level":"info","ts":"2024-05-13T03:24:31Z","msg":"awsCloud","method":"GetAssumedRoleELBV2","AssumeRoleArn":"arn:aws:iam::7550XXXXXXXX:role/alb-controller-policy-to-impersonate","externalId":"XXXXXX"}
{"level":"info","ts":"2024-05-13T03:24:33Z","msg":"registering endpoints using the targetGroup's vpcID vpc-00XXXXXXXXXXXXXXX which is different from the cluster's vpcID vpc-04XXXXXXXXXXXXXXX"}
{"level":"info","ts":"2024-05-13T03:24:33Z","msg":"registering targets","arn":"arn:aws:elasticloadbalancing:us-east-1:7550XXXXXXXX:targetgroup/helloworld-8080-a8054/5741da332459b560","targets":[{"AvailabilityZone":"all","Id":"10.244.0.22","Port":8080}]}
{"level":"info","ts":"2024-05-13T03:24:34Z","msg":"registered targets","arn":"arn:aws:elasticloadbalancing:us-east-1:7550XXXXXXXX:targetgroup/helloworld-8080-a8054/5741da332459b560"}

Documentation and tests were properly updated in this PR

Checklist

Added tests that cover your change (if possible)
Added/modified documentation as required (such as the README.md, or the docs directory)
Manually tested
Made sure the title of the PR is a good description that can go into the release notes

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

Backfilled missing tests for code in same general area 🎉
Refactored something and made the world a better place 🌟

A working amd64 container with this code is available here: marcosdiez/aws-load-balancer-controller:v2.7.2-m2

update: on 2024-09-26 I rebased the code. The new container image is marcosdiez/aws-load-balancer-controller:v2.8.3-m2

update: on 2024-10-28 I rebased the code again :(. The new container image is marcosdiez/aws-load-balancer-controller:v2.9.0-m1

k8s-ci-robot · 2024-05-13T03:37:21Z

Hi @marcosdiez. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

marcosdiez · 2024-05-13T19:03:16Z

@shraddhabang I believe my code is ready. Feel free to review at will! Thank you.

Also, if you don't want the CRDs to be changed, here:
126c9c8

they are untouched.

shraddhabang · 2024-05-13T21:52:44Z

Thank you @marcosdiez for this PR. This looks excellent.
I will take a look and test it out. And would also ask our team to review it. Please note that we will have to go through our formal security process to review this. We will add this to our next minor release v2.9.0.
Please feel free to reach out to us.

shraddhabang · 2024-05-13T21:52:56Z

/ok-to-test

yu-croco · 2024-07-23T05:04:30Z

Hi @shraddhabang ,

We will add this to our next minor release v2.9.0

Could you please share us when the v2.9.0 would release? We are looking forward to this feature.

yu-croco · 2024-09-06T04:56:53Z

Hi, @johngmyers @M00nF1sh @shraddhabang

We will add this to our next minor release v2.9.0.

Does anyone know the release schedule for v2.9.0 ?

marcosdiez · 2024-09-26T12:28:14Z

I just rebased and merged my code. There is also a container available here: marcosdiez/aws-load-balancer-controller:v2.8.3-m1

abr4xas · 2025-01-08T20:19:36Z

Waited for this for a very long time! We need this ASAP.

ellanos · 2025-01-08T21:06:57Z

I'm waiting for this feature long time ago. Please approve and merge asap.

cincinatino · 2025-01-08T21:27:42Z

I've been eagerly awaiting this feature for a long time. Please approve and merge it as soon as possible. This feature is crucial for the efficient delivery of my infrastructure, as it will significantly enhance our operational capabilities.

arawako · 2025-01-09T03:30:48Z

I need this feature! please approve it.

guerrerocarlos · 2025-01-09T13:52:30Z

Looking forward for this to be merged! 🚀

Skatox · 2025-01-09T14:37:10Z

This is precisely what I was looking for. Is there an estimate for when this will be merged? I don't want to fork the repo just for this.

zac-nixon · 2025-01-09T21:12:13Z

Hello, thank you for this contribution. I apologize that we've made you wait so long for a proper review. I took a look at the code and it looks really good to me aside from small code duplication in the register targets path; but we can refactor that later. The biggest concern I currently have is that we are storing the external id in plain text. I am engaging with AWS AppSec to understand the best practices around storage of the external id.

listellm · 2025-01-09T21:26:39Z

Hello, thank you for this contribution. I apologize that we've made you wait so long for a proper review. I took a look at the code and it looks really good to me aside from small code duplication in the register targets path; but we can refactor that later. The biggest concern I currently have is that we are storing the external id in plain text. I am engaging with AWS AppSec to understand the best practices around storage of the external id.

Hi,

AWS IAM documentation state that:

It is not intended to be a 'secret'. Example Corp must provide the ExternalId value to each customer. What is crucial is that it must be generated by Example Corp and not their customers to ensure each external ID is unique.

This external ID is visible to anyone who has IAM read access and access to the AWS account. It is not stored as a secret

vanetowers · 2025-01-09T22:35:25Z

Hi! Great job done here. Looking forward to use this feature when approved.

pkg/aws/cloud.go

pkg/targetgroupbinding/resource_manager.go

pkg/targetgroupbinding/utils.go

zac-nixon

Thanks for contribution here, I have left some comments on stuff that I'd like changed. Since this PR has been sitting for a while I'm inclined to approve as-is and I can work on the changes in a separate PR. Let me know your thoughts or if you disagree with any of my suggestions.

Lastly, after engaging with my AWS AppSec team they would like to take a crack at testing an image prior to releasing for public consumption.

Thank you so much for your contribution! It is really well done.

pkg/aws/cloud.go

zac-nixon · 2025-01-15T17:28:32Z

AWS AppSec did not find any problems with this approach. I'm going to engage a teammate to give this another review and then we'll merge it. I'll work on the comments in a follow up PR.

zac-nixon · 2025-01-15T18:27:18Z

/lgtm

k8s-ci-robot · 2025-01-15T18:29:22Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: marcosdiez, wweiwei-li, zac-nixon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [wweiwei-li,zac-nixon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 13, 2024

k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label May 13, 2024

k8s-ci-robot requested review from johngmyers and M00nF1sh May 13, 2024 03:37

marcosdiez changed the title ~~[WIP] TargetGroupBindings can now manipulate target groups from different aws accounts~~ TargetGroupBindings can now manipulate target groups from different aws accounts May 13, 2024

k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 13, 2024

marcosdiez mentioned this pull request May 13, 2024

Support for ALBs in multiple AWS accounts #3634

Closed

k8s-ci-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels May 13, 2024

marcosdiez force-pushed the CI-14222_manipulate_target_groups_from_different_aws_accounts_v3 branch from 70267e1 to bb3c617 Compare May 14, 2024 20:38

oliviassss added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label May 17, 2024

k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 21, 2024

marcosdiez force-pushed the CI-14222_manipulate_target_groups_from_different_aws_accounts_v3 branch from 7b5b35f to 85bbf7f Compare May 21, 2024 17:03

k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 22, 2024

k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 24, 2024

marcosdiez force-pushed the CI-14222_manipulate_target_groups_from_different_aws_accounts_v3 branch from 85bbf7f to 6025b73 Compare September 26, 2024 12:25

k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 26, 2024