Validate # of security groups and in/out rules before clustering up (#2127)

RobertLucian · web-flow · commit ab651d808e08 · 2021-04-29T02:47:06.000+03:00
diff --git a/cli/cmd/lib_cluster_config.go b/cli/cmd/lib_cluster_config.go
@@ -135,7 +135,7 @@ func getInstallClusterConfig(awsClient *aws.Client, clusterConfigFile string, di
 		return nil, err
 	}
 
-	err = clusterConfig.Validate(awsClient, false)
+	err = clusterConfig.Validate(awsClient)
 	if err != nil {
 		err = errors.Append(err, fmt.Sprintf("\n\ncluster configuration schema can be found at https://docs.cortex.dev/v/%s/", consts.CortexVersionMinor))
 		return nil, errors.Wrap(err, clusterConfigFile)
diff --git a/pkg/lib/aws/ec2.go b/pkg/lib/aws/ec2.go
@@ -334,6 +334,28 @@ func (c *Client) DescribeVpcs() ([]ec2.Vpc, error) {
 	return vpcs, nil
 }
 
+func (c *Client) DescribeSecurityGroups() ([]ec2.SecurityGroup, error) {
+	var sgs []ec2.SecurityGroup
+	err := c.EC2().DescribeSecurityGroupsPages(&ec2.DescribeSecurityGroupsInput{}, func(output *ec2.DescribeSecurityGroupsOutput, lastPage bool) bool {
+		if output == nil {
+			return false
+		}
+		for _, sg := range output.SecurityGroups {
+			if sg == nil {
+				continue
+			}
+			sgs = append(sgs, *sg)
+		}
+
+		return true
+	})
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	return sgs, nil
+}
+
 func (c *Client) ListVolumes(tags ...ec2.Tag) ([]ec2.Volume, error) {
 	var volumes []ec2.Volume
 	err := c.EC2().DescribeVolumesPages(&ec2.DescribeVolumesInput{}, func(output *ec2.DescribeVolumesOutput, lastPage bool) bool {
diff --git a/pkg/lib/aws/errors.go b/pkg/lib/aws/errors.go
@@ -46,6 +46,8 @@ const (
 	ErrEIPLimitExceeded             = "aws.eip_limit_exceeded"
 	ErrInternetGatewayLimitExceeded = "aws.internet_gateway_limit_exceeded"
 	ErrVPCLimitExceeded             = "aws.vpc_limit_exceeded"
+	ErrSecurityGroupRulesExceeded   = "aws.security_group_rules_exceeded"
+	ErrSecurityGroupLimitExceeded   = "aws.security_group_limit_exceeded"
 )
 
 func IsAWSError(err error) bool {
@@ -232,3 +234,19 @@ func ErrorVPCLimitExceeded(currentLimit, additionalQuotaRequired int, region str
 		Message: fmt.Sprintf("VPC limit of %d exceeded in region %s; remove some of the existing VPCs or increase your quota for VPCs by at least %d here: %s (if your request was recently approved, please allow ~30 minutes for AWS to reflect this change)", currentLimit, region, additionalQuotaRequired, url),
 	})
 }
+
+func ErrorSecurityGroupRulesExceeded(currentLimit, additionalQuotaRequired int, region string) error {
+	url := "https://console.aws.amazon.com/servicequotas/home?#!/services/vpc/quotas"
+	return errors.WithStack(&errors.Error{
+		Kind:    ErrSecurityGroupRulesExceeded,
+		Message: fmt.Sprintf("security group rules limit of %d exceeded in region %s; use fewer availability zones, remove some node groups from your cluster config, reduce the number of CIDR white lists (if you have any), or increase your quota for inbound/outbound rules per security group by at least %d here: %s (if your request was recently approved, please allow ~30 minutes for AWS to reflect this change)", currentLimit, region, additionalQuotaRequired, url),
+	})
+}
+
+func ErrorSecurityGroupLimitExceeded(currentLimit, additionalQuotaRequired int, region string) error {
+	url := "https://console.aws.amazon.com/servicequotas/home?#!/services/vpc/quotas"
+	return errors.WithStack(&errors.Error{
+		Kind:    ErrSecurityGroupLimitExceeded,
+		Message: fmt.Sprintf("security group limit of %d exceeded in region %s; remove some node groups from your cluster config or increase your quota for security groups by at least %d here: %s (if your request was recently approved, please allow ~30 minutes for AWS to reflect this change)", currentLimit, region, additionalQuotaRequired, url),
+	})
+}
diff --git a/pkg/lib/aws/servicequotas.go b/pkg/lib/aws/servicequotas.go
@@ -32,10 +32,18 @@ var _standardInstanceCategories = strset.New("a", "c", "d", "h", "i", "m", "r",
 var _knownInstanceCategories = strset.Union(_standardInstanceCategories, strset.New("p", "g", "inf", "x", "f"))
 
 const (
-	_elasticIPsQuotaCode      = "L-0263D0A3"
-	_internetGatewayQuotaCode = "L-A4707A72"
-	_natGatewayQuotaCode      = "L-FE5A380F"
-	_vpcQuotaCode             = "L-F678F1CE"
+	_elasticIPsQuotaCode         = "L-0263D0A3"
+	_internetGatewayQuotaCode    = "L-A4707A72"
+	_natGatewayQuotaCode         = "L-FE5A380F"
+	_vpcQuotaCode                = "L-F678F1CE"
+	_securityGroupsQuotaCode     = "L-E79EC296"
+	_securityGroupRulesQuotaCode = "L-0EA8095F"
+
+	// 11 inbound rules
+	_baseInboundRulesForNodeGroup = 11
+	_inboundRulesPerAZ            = 8
+	// ClusterSharedNodeSecurityGroup, ControlPlaneSecurityGroup, eks-cluster-sg-<cluster-name>, and operator security group
+	_baseNumberOfSecurityGroups = 4
 )
 
 type InstanceTypeRequests struct {
@@ -145,12 +153,21 @@ func (c *Client) VerifyInstanceQuota(instances []InstanceTypeRequests) error {
 	return nil
 }
 
-func (c *Client) VerifyNetworkQuotas(requiredInternetGateways int, natGatewayRequired bool, highlyAvailableNATGateway bool, requiredVPCs int, availabilityZones strset.Set) error {
+func (c *Client) VerifyNetworkQuotas(
+	requiredInternetGateways int,
+	natGatewayRequired bool,
+	highlyAvailableNATGateway bool,
+	requiredVPCs int,
+	availabilityZones strset.Set,
+	numNodeGroups int,
+	longestCIDRWhiteList int) error {
 	quotaCodeToValueMap := map[string]int{
-		_elasticIPsQuotaCode:      0, // elastic IP quota code
-		_internetGatewayQuotaCode: 0, // internet gw quota code
-		_natGatewayQuotaCode:      0, // nat gw quota code
-		_vpcQuotaCode:             0, // vpc quota code
+		_elasticIPsQuotaCode:         0, // elastic IP quota code
+		_internetGatewayQuotaCode:    0, // internet gw quota code
+		_natGatewayQuotaCode:         0, // nat gw quota code
+		_vpcQuotaCode:                0, // vpc quota code
+		_securityGroupsQuotaCode:     0, // security groups quota code
+		_securityGroupRulesQuotaCode: 0, // security group rules quota code
 	}
 
 	err := c.ServiceQuotas().ListServiceQuotasPages(
@@ -285,5 +302,52 @@ func (c *Client) VerifyNetworkQuotas(requiredInternetGateways int, natGatewayReq
 		}
 	}
 
+	// check rules quota for nodegroup SGs
+	requiredRulesForSG := requiredRulesForNodeGroupSecurityGroup(len(availabilityZones), longestCIDRWhiteList)
+	if requiredRulesForSG > quotaCodeToValueMap[_securityGroupRulesQuotaCode] {
+		additionalQuotaRequired := requiredRulesForSG - quotaCodeToValueMap[_securityGroupRulesQuotaCode]
+		return ErrorSecurityGroupRulesExceeded(quotaCodeToValueMap[_securityGroupRulesQuotaCode], additionalQuotaRequired, c.Region)
+	}
+
+	// check rules quota for control plane SG
+	requiredRulesForCPSG := requiredRulesForControlPlaneSecurityGroup(numNodeGroups)
+	if requiredRulesForCPSG > quotaCodeToValueMap[_securityGroupRulesQuotaCode] {
+		additionalQuotaRequired := requiredRulesForCPSG - quotaCodeToValueMap[_securityGroupRulesQuotaCode]
+		return ErrorSecurityGroupRulesExceeded(quotaCodeToValueMap[_securityGroupRulesQuotaCode], additionalQuotaRequired, c.Region)
+	}
+
+	// check security groups quota
+	requiredSecurityGroups := requiredSecurityGroups(numNodeGroups)
+	sgs, err := c.DescribeSecurityGroups()
+	if err != nil {
+		return err
+	}
+	if quotaCodeToValueMap[_securityGroupsQuotaCode]-len(sgs)-requiredSecurityGroups < 0 {
+		additionalQuotaRequired := len(sgs) + requiredSecurityGroups - quotaCodeToValueMap[_securityGroupsQuotaCode]
+		return ErrorSecurityGroupLimitExceeded(quotaCodeToValueMap[_securityGroupsQuotaCode], additionalQuotaRequired, c.Region)
+
+	}
+
 	return nil
 }
+
+func requiredRulesForNodeGroupSecurityGroup(numAZs, whitelistLength int) int {
+	whitelistRuleCount := 0
+	if whitelistLength == 1 {
+		whitelistRuleCount = 1
+	} else if whitelistLength > 1 {
+		whitelistRuleCount = 1 + 5*(whitelistLength-1)
+	}
+	return _baseInboundRulesForNodeGroup + numAZs*_inboundRulesPerAZ + whitelistRuleCount
+}
+
+func requiredRulesForControlPlaneSecurityGroup(numNodeGroups int) int {
+	// +1 for the operator node group
+	// this is the number of outbound rules (there are half as many inbound rules, so that is not the limiting factor)
+	return 2 * (numNodeGroups + 1)
+}
+
+func requiredSecurityGroups(numNodeGroups int) int {
+	// each node group requires a security group
+	return _baseNumberOfSecurityGroups + numNodeGroups
+}
diff --git a/pkg/types/clusterconfig/cluster_config.go b/pkg/types/clusterconfig/cluster_config.go
@@ -781,7 +781,7 @@ func (cc *CoreConfig) SQSNamePrefix() string {
 }
 
 // this validates the user-provided cluster config
-func (cc *Config) Validate(awsClient *aws.Client, skipQuotaVerification bool) error {
+func (cc *Config) Validate(awsClient *aws.Client) error {
 	fmt.Print("verifying your configuration ...\n\n")
 
 	numNodeGroups := len(cc.NodeGroups)
@@ -817,12 +817,10 @@ func (cc *Config) Validate(awsClient *aws.Client, skipQuotaVerification bool) er
 		})
 	}
 
-	if !skipQuotaVerification {
-		if err := awsClient.VerifyInstanceQuota(instances); err != nil {
-			// Skip AWS errors, since some regions (e.g. eu-north-1) do not support this API
-			if !aws.IsAWSError(err) {
-				return errors.Wrap(err, NodeGroupsKey)
-			}
+	if err := awsClient.VerifyInstanceQuota(instances); err != nil {
+		// Skip AWS errors, since some regions (e.g. eu-north-1) do not support this API
+		if !aws.IsAWSError(err) {
+			return errors.Wrap(err, NodeGroupsKey)
 		}
 	}
 
@@ -909,16 +907,15 @@ func (cc *Config) Validate(awsClient *aws.Client, skipQuotaVerification bool) er
 		}
 	}
 
-	if !skipQuotaVerification {
-		var requiredVPCs int
-		if len(cc.Subnets) == 0 {
-			requiredVPCs = 1
-		}
-		if err := awsClient.VerifyNetworkQuotas(1, cc.NATGateway != NoneNATGateway, cc.NATGateway == HighlyAvailableNATGateway, requiredVPCs, strset.FromSlice(cc.AvailabilityZones)); err != nil {
-			// Skip AWS errors, since some regions (e.g. eu-north-1) do not support this API
-			if !aws.IsAWSError(err) {
-				return err
-			}
+	var requiredVPCs int
+	if len(cc.Subnets) == 0 {
+		requiredVPCs = 1
+	}
+	longestCIDRWhiteList := libmath.MaxInt(len(cc.APILoadBalancerCIDRWhiteList), len(cc.OperatorLoadBalancerCIDRWhiteList))
+	if err := awsClient.VerifyNetworkQuotas(1, cc.NATGateway != NoneNATGateway, cc.NATGateway == HighlyAvailableNATGateway, requiredVPCs, strset.FromSlice(cc.AvailabilityZones), len(cc.NodeGroups), longestCIDRWhiteList); err != nil {
+		// Skip AWS errors, since some regions (e.g. eu-north-1) do not support this API
+		if !aws.IsAWSError(err) {
+			return err
 		}
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -135,7 +135,7 @@ func getInstallClusterConfig(awsClient *aws.Client, clusterConfigFile string, di`
`135`	`135`	`return nil, err`
`136`	`136`	`}`
`137`	`137`
`138`		`- err = clusterConfig.Validate(awsClient, false)`
	`138`	`+ err = clusterConfig.Validate(awsClient)`
`139`	`139`	`if err != nil {`
`140`	`140`	`err = errors.Append(err, fmt.Sprintf("\n\ncluster configuration schema can be found at https://docs.cortex.dev/v/%s/", consts.CortexVersionMinor))`
`141`	`141`	`return nil, errors.Wrap(err, clusterConfigFile)`
Original file line number	Diff line number	Diff line change
`@@ -781,7 +781,7 @@ func (cc *CoreConfig) SQSNamePrefix() string {`
`781`	`781`	`}`
`782`	`782`
`783`	`783`	`// this validates the user-provided cluster config`
`784`		`-func (cc Config) Validate(awsClient aws.Client, skipQuotaVerification bool) error {`
	`784`	`+func (cc Config) Validate(awsClient aws.Client) error {`
`785`	`785`	`fmt.Print("verifying your configuration ...\n\n")`
`786`	`786`
`787`	`787`	`numNodeGroups := len(cc.NodeGroups)`
`@@ -817,12 +817,10 @@ func (cc Config) Validate(awsClient aws.Client, skipQuotaVerification bool) er`
`817`	`817`	`})`
`818`	`818`	`}`
`819`	`819`
`820`		`- if !skipQuotaVerification {`
`821`		`- if err := awsClient.VerifyInstanceQuota(instances); err != nil {`
`822`		`- // Skip AWS errors, since some regions (e.g. eu-north-1) do not support this API`
`823`		`- if !aws.IsAWSError(err) {`
`824`		`- return errors.Wrap(err, NodeGroupsKey)`
`825`		`- }`
	`820`	`+ if err := awsClient.VerifyInstanceQuota(instances); err != nil {`
	`821`	`+ // Skip AWS errors, since some regions (e.g. eu-north-1) do not support this API`
	`822`	`+ if !aws.IsAWSError(err) {`
	`823`	`+ return errors.Wrap(err, NodeGroupsKey)`
`826`	`824`	`}`
`827`	`825`	`}`
`828`	`826`
`@@ -909,16 +907,15 @@ func (cc Config) Validate(awsClient aws.Client, skipQuotaVerification bool) er`
`909`	`907`	`}`
`910`	`908`	`}`
`911`	`909`
`912`		`- if !skipQuotaVerification {`
`913`		`- var requiredVPCs int`
`914`		`- if len(cc.Subnets) == 0 {`
`915`		`- requiredVPCs = 1`
`916`		`- }`
`917`		`- if err := awsClient.VerifyNetworkQuotas(1, cc.NATGateway != NoneNATGateway, cc.NATGateway == HighlyAvailableNATGateway, requiredVPCs, strset.FromSlice(cc.AvailabilityZones)); err != nil {`
`918`		`- // Skip AWS errors, since some regions (e.g. eu-north-1) do not support this API`
`919`		`- if !aws.IsAWSError(err) {`
`920`		`- return err`
`921`		`- }`
	`910`	`+ var requiredVPCs int`
	`911`	`+ if len(cc.Subnets) == 0 {`
	`912`	`+ requiredVPCs = 1`
	`913`	`+ }`
	`914`	`+ longestCIDRWhiteList := libmath.MaxInt(len(cc.APILoadBalancerCIDRWhiteList), len(cc.OperatorLoadBalancerCIDRWhiteList))`
	`915`	`+ if err := awsClient.VerifyNetworkQuotas(1, cc.NATGateway != NoneNATGateway, cc.NATGateway == HighlyAvailableNATGateway, requiredVPCs, strset.FromSlice(cc.AvailabilityZones), len(cc.NodeGroups), longestCIDRWhiteList); err != nil {`
	`916`	`+ // Skip AWS errors, since some regions (e.g. eu-north-1) do not support this API`
	`917`	`+ if !aws.IsAWSError(err) {`
	`918`	`+ return err`
`922`	`919`	`}`
`923`	`920`	`}`
`924`	`921`