Skip to content

Support NLBSecurityGroupMode for AWS Cloud Controller Manager#18211

Merged
k8s-ci-robot merged 6 commits into
kubernetes:masterfrom
mfbonfigli:nlb_security_group_mode
Apr 24, 2026
Merged

Support NLBSecurityGroupMode for AWS Cloud Controller Manager#18211
k8s-ci-robot merged 6 commits into
kubernetes:masterfrom
mfbonfigli:nlb_security_group_mode

Conversation

@mfbonfigli

@mfbonfigli mfbonfigli commented Apr 17, 2026

Copy link
Copy Markdown
Contributor

What this PR does / why we need it:

This PR adds support for the NLBSecurityGroupMode cloud configuration setting and the SetSecurityGroups IAM permission for AWS Cloud Controller Manager.

When nlbSecurityGroupMode: Managed is set in the cluster spec, kops writes NLBSecurityGroupMode = Managed to the cloud config file, enabling CCM to create and manage dedicated security groups for each Network Load Balancer instead of provisioning NLBs without security groups.

The SetSecurityGroups IAM permission allows CCM to attach/detach security groups from cluster-owned NLBs, bringing CCM to parity with the AWS Load Balancer Controller which already has this permission and enabling the BYO Security Groups feature for NLBs in AWS CCM.

Please refer to issue #18210 for more details on why this change is needed.

Changes:

  • API fields: Added NLBSecurityGroupMode to AWSSpec and CloudConfiguration with bidirectional conversion
  • Validation: Only accepts "Managed" value (case-sensitive) or omitted/nil.
  • IAM permissions: Added elasticloadbalancing:SetSecurityGroups to CCM role in clusterTaggedAction block.
  • Cloud config generation: Writes NLBSecurityGroupMode = Managed to /etc/kubernetes/cloud.config on master nodes
  • Tests: Added validation tests, cloud config tests, and conversion tests
  • Regenerated artifacts: Regenerated code/crds/test data.

Which issue(s) this PR fixes:
Fixes #18210

Special notes for your reviewer:

Large number of changed files: many auto-generated IAM policy golden test files were updated via hack/update-expected.sh to include the new SetSecurityGroups permission.

Related upstream work:

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Apr 17, 2026
@k8s-ci-robot

Copy link
Copy Markdown
Contributor

Welcome @mfbonfigli!

It looks like this is your first PR to kubernetes/kops 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/kops has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Apr 17, 2026
@k8s-ci-robot

Copy link
Copy Markdown
Contributor

Hi @mfbonfigli. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@hakman

hakman commented Apr 19, 2026

Copy link
Copy Markdown
Member

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Apr 19, 2026
@hakman

hakman commented Apr 19, 2026

Copy link
Copy Markdown
Member

/retest

@mfbonfigli

Copy link
Copy Markdown
Contributor Author

Hello @hakman, I appreciate the help in running the tests. Would you be able to review the PR (or share an approximate ETA) and let me know what you think?

Thanks!

@hakman hakman left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @mfbonfigli, seems like a reasonable change.
I added a few comments, please take a look and let me know when ready for a new review.

Comment thread pkg/model/iam/iam_builder.go Outdated

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Set the new permission conditionally, as there is a flag at the cluster level for it:

Suggested change
func AddCCMPermissions(p *Policy, cloudRoutes bool, nlbSecurityGroupMode bool) {

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you, good advice. I implemented this suggestion this in the last update to this PR, only slightly renaming your parameter nlbSecurityGroupMode to nlbSecurityGroupModeManaged given the parameter can take a string value and not boolean (although currently only "Managed" is supported).

In the last iteration I also re-updated the golden files and added an extra test to specifically test the permission is set when NLBSecurityGroupMode is set to Managed in the config.

Comment thread pkg/apis/kops/v1alpha3/cluster.go Outdated
Comment on lines +224 to +226
// NLBSecurityGroupMode determines if the controller manages security groups for Network Load Balancers.
// Valid value: "Managed"
// When set to "Managed", the controller creates and manages a dedicated security group for each NLB.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Each API file has a different description, please align.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you, good catch. I updated it in last revision by improving the comment and aligning it around the codebase.

@mfbonfigli

Copy link
Copy Markdown
Contributor Author

Thank you @hakman . I should have implemented your comments, feel free to take a look when you have some time.

@hakman

hakman commented Apr 22, 2026

Copy link
Copy Markdown
Member

Thank you @hakman . I should have implemented your comments, feel free to take a look when you have some time.

Thanks, looks good. Please fix the failing test and squash the commits. I will take a look later today.

@mfbonfigli

Copy link
Copy Markdown
Contributor Author

/retest

@mfbonfigli

Copy link
Copy Markdown
Contributor Author

Seems the test is having issues in CI, I will take a look on Friday, please feel free to wait until then to review.

Adds nlbSecurityGroupMode field to cluster spec and elasticloadbalancing:SetSecurityGroups
IAM permission for AWS Cloud Controller Manager to support managed security groups for AWS
Network Load Balancers.
Provisions the required IAM permissions needed by AWS CCM to manage
NLB security groups only when the NLBSecurityGroupMode flag is set to
Managed. Also improves consistency among flag descriptions in the
codebase.
Updates the generated code and test files according to the last changes
to IAM Policies for NLBSecurityGroupMode=Managed
Adds a test and golden file to verify the IAM permissions when
the AWS Cloud Controller Manager configuration has NLBSecurityGroupMode
set to Managed.
@mfbonfigli mfbonfigli force-pushed the nlb_security_group_mode branch from 2c0f8e3 to 22ab7ab Compare April 24, 2026 09:59
@hakman

hakman commented Apr 24, 2026

Copy link
Copy Markdown
Member

/retest

@hakman

hakman commented Apr 24, 2026

Copy link
Copy Markdown
Member

/test pull-kops-e2e-gce-cni-calico

@mfbonfigli

Copy link
Copy Markdown
Contributor Author

/retest

@mfbonfigli

Copy link
Copy Markdown
Contributor Author

@hakman Thanks for the help once again,I rebased on latest master and fixed the failed test, all should be good for you to take a look when you have some time. Thanks!

@hakman hakman left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @mfbonfigli, LGTM! 🚀

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 24, 2026
@k8s-ci-robot

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hakman

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 24, 2026
@mfbonfigli

Copy link
Copy Markdown
Contributor Author

/test pull-kops-e2e-azure-cni-calico

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. area/api area/nodeup cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Support NLBSecurityGroupMode for AWS Cloud Controller Manager

3 participants