flightcontroller: ensure more security group rules

[databus23]

This PR refactors the EnsureKubernikusRuleInSecurityGroup to support reconciling more then one rule.
It now also creates the rule lazily only if no other broader rules are already covering the wanted rules.

In addition to the podCIDR rule we had, it now also added egress rules for ntp and the cluster apiserver.

This PR create the following rules lazily if there isn't already a rule allowing the traffic:

egress:

• all, to same security group (pod-to-pod)
• udp port 53 (dns)
• udp port 123 (ntp)
• port 443 keppel.$region.cloud.sap, objectstore-3.$region.cloud.sap, keppel.global.global.cloud.sap, objectstore-3.eu-de-1.cloud.sap (for pulling kube-proxy,kubelet, wormhole, flannel images)

ingress:

• all, from same security group (pod-to-pod)
• port 30000 - 32767, from private network (load balancer to members)

TODO:

• Modify our e2e tests to use a fresh security group without any rules to make sure the e2e tests passes with our enforced rules only.
• Also we should probaply expand our network tests to include host <-> pod tests and also test the loadbalancer datapath. --> Switch to kube-detective for thoroughly testing all combinitions
• Add metric for failing reconcilitions
• remove rule for objectstore.eu-de-1.cloud.sap

[databus23]

Suggested change

	Description: fmt.Sprintf(`Kubernikus: SecurityGroup containing LoadBalancer Self-IPs for cluster "%s"`, kluster.Spec.Name),
	Description: fmt.Sprintf(`Kubernikus: SecurityGroup containing LoadBalancer VIP and Self-IPs for cluster "%s"`, kluster.Spec.Name),

[databus23]

Is this defensive programming intentional? Because it seems like we ensure the lbGroup is not nil on top (e.g. we error out if it is). So I would be fine in simplifying this and moving it in the "static" wantedRules above

[jknipper]

This can be nil, eg. when there is not enough quota in the project for creating an additional security group. This ensures the other rules even if that's the case.

[databus23]

I see, good point but it looks to me like at the moment if creating the security group fails there is an early return (with en error) and no other security groups are enforced anyways.

[jknipper]

Where is it returning? I think I'm ignoring the error while getting the security group.

[databus23]

Here: https://github.com/sapcc/kubernikus/pull/601/files#diff-b5e03987e634a7e5e1033109b07cba3c54a48db540f4694445c66794899fdabfR255

[jknipper]

Isn't this only exiting EnsureLoadbalancerSecurityGroup()? To me it looks like EnsureKubernikusRulesInSecurityGroup() runs anyway.

[databus23]

ah yes, sorry I misread the code. Nvm

[databus23]

Suggested change

	return false, err
	return false, fmt.Errorf("Failed to list load balancers: %w", err)

[databus23]

Suggested change

	return false, err
	return false, fmt.Errorf("Failed to extract load balancers: %w", err)

[databus23]

Suggested change

	return false, err
	return false, fmt.Errorf("Failed to list ports: %w", err)

[databus23]

Suggested change

	return false, err
	return false, fmt.Errorf("Failed to extract ports: %w", err)

[databus23]

Suggested change

	return false, err
	return false, fmt.Errorf("Failed to add security group %s to port %s: %w", err, lbGroup.ID, lb.VipPortID, err)

[databus23]

I suggest to replace the inner loop with

if !portsOfSecurityGroup.Has(lb.VipPortID) {
  //update port 
}

And to this before the whole loop construct:

portsOfSecurityGroup := sets.NewString()
for _, p := range allPorts {
  portsOfSecurityGroup.Insert(p.ID)
}

using https://pkg.go.dev/k8s.io/apimachinery/pkg/util/sets

[databus23]

not sure the || lbGroup == nil is required. Looking at createLoadbalancerSecurityGroup it returns an error when the create call fails. I don't see how err and lbGroup can be nil at the same time.

[databus23]

As we are getting two different security groups in this controller maybe its worthwhile to have a single getSecurityGroupByName(name string, client *gophercloud.ServiceClient) function instead if this special purpose function?

[jknipper]

Yeah, makes sense.

[databus23]

LGTM now. Would be awesome now also change the e2e test to actually test that all this works:

• use an empty security group for e2e cluster, cleanup during teardown
• add loadbalancer happy path url check to test loadbalancer <-> nodes connectivity is working.

[databus23]

Cool. One small nitpick but looks good otherwise

[databus23]

I would create a dedicated security group that is named after the current soak test cluster.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[sandzwerg]

I haven't checked the code but only your comment but IIRC for UDP you want a port 123 Ingress rule for NTP and port 53 Ingress for DNS as well (because it's stateless so the firewall can't track the state). Also for DNS you might want a TCP port 53 Egress rule as well as DNS now can use both.

[databus23]

I haven't checked the code but only your comment but IIRC for UDP you want a port 123 Ingress rule for NTP and port 53 Ingress for DNS as well (because it's stateless so the firewall can't track the state).

Are you sure that's the case? Because allowing udp egress 53 and 123 definitlty fixes dns issues and time sync issues. So it seems to me nsx-t is doing some "connection tracking" for udp packets as well (like iptables does, e.g. state ESTABLISHED,RELATED)

Also for DNS you might want a TCP port 53 Egress rule as well as DNS now can use both.

That's a valid point

[sandzwerg]

At least for NTP a customer had this issue today (not in a kubernikus environment) so I assume that the ingress rules are needed as well, but I haven't tested it myself. Here is the discussion: https://convergedcloud.slack.com/archives/C374AQJ3W/p1656505078940829