Merge pull request #3035 from TortillaZHawaii/arm-cleanup-code

k8s-ci-robot · web-flow · commit 674a2c2207fd · 2026-01-12T22:06:11.000+05:30
Add flag to enable cleanup path for Deny Firewalls
diff --git a/cmd/glbc/main.go b/cmd/glbc/main.go
@@ -338,6 +338,7 @@ func main() {
 		EnableL4ILBMixedProtocol:                  flags.F.EnableL4ILBMixedProtocol,
 		EnableL4NetLBMixedProtocol:                flags.F.EnableL4NetLBMixedProtocol,
 		EnableL4DenyFirewalls:                     flags.F.EnableL4DenyFirewall,
+		EnableL4DenyFirewallsRollbackCleanup:      flags.F.EnableL4DenyFirewallRollbackCleanup,
 		EnableL4ILBZonalAffinity:                  flags.F.EnableL4ILBZonalAffinity,
 		EnableL4NetLBForwardingRulesOptimizations: flags.F.EnableL4NetLBForwardingRulesOptimizations,
 		ReadOnlyMode:                              flags.F.ReadOnlyMode,
diff --git a/pkg/context/context.go b/pkg/context/context.go
@@ -139,6 +139,7 @@ type ControllerContextConfig struct {
 	EnableL4NetLBMixedProtocol                bool
 	EnableL4NetLBForwardingRulesOptimizations bool
 	EnableL4DenyFirewalls                     bool
+	EnableL4DenyFirewallsRollbackCleanup      bool
 }
 
 // NewControllerContext returns a new shared set of informers.
diff --git a/pkg/flags/flags.go b/pkg/flags/flags.go
@@ -142,6 +142,7 @@ var F = struct {
 	EnableL4ILBMixedProtocol                  bool
 	EnableL4NetLBMixedProtocol                bool
 	EnableL4DenyFirewall                      bool
+	EnableL4DenyFirewallRollbackCleanup       bool
 	EnableL4NetLBForwardingRulesOptimizations bool
 	EnableIPV6OnlyNEG                         bool
 	MultiProjectOwnerLabelKey                 string
@@ -355,7 +356,8 @@ L7 load balancing. CSV values accepted. Example: -node-port-ranges=80,8080,400-5
 	flag.BoolVar(&F.EnableMultiProjectMode, "enable-multi-project-mode", false, "Enable running in multi-project mode.")
 	flag.BoolVar(&F.EnableL4ILBMixedProtocol, "enable-l4ilb-mixed-protocol", false, "Enable support for mixed protocol L4 internal load balancers.")
 	flag.BoolVar(&F.EnableL4NetLBMixedProtocol, "enable-l4netlb-mixed-protocol", false, "Enable support for mixed protocol L4 external load balancers.")
-	flag.BoolVar(&F.EnableL4DenyFirewall, "enable-l4-deny-firewall", false, "Enable creation and updates of Deny VPC Firewall Rules for L4 external load balancers. Requires --enable-pinhole to be true.")
+	flag.BoolVar(&F.EnableL4DenyFirewall, "enable-l4-deny-firewall", false, "Enable creation and updates of Deny VPC Firewall Rules for L4 external load balancers. Requires --enable-pinhole and --enable-l4-deny-firewall-rollback-cleanup to be true.")
+	flag.BoolVar(&F.EnableL4DenyFirewallRollbackCleanup, "enable-l4-deny-firewall-rollback-cleanup", false, "Enable cleanup codepath of the deny firewalls for rollback. The reason for it not being enabled by default is the additional GCE API calls that are made for checking if the deny firewalls exist/deletion which will eat up the quota unnecessarily.")
 	flag.StringVar(&F.ProviderConfigNameLabelKey, "provider-config-name-label-key", "cloud.gke.io/provider-config-name", "The label key for provider-config name, which is used to identify the provider-config of objects in multi-project mode.")
 	flag.BoolVar(&F.EnableL4NetLBForwardingRulesOptimizations, "enable-l4netlb-forwarding-rules-optimizations", false, "Enable optimized processing of forwarding rules for L4 NetLB.")
 	flag.BoolVar(&F.EnableIPV6OnlyNEG, "enable-ipv6-only-neg", false, "Enable support for IPV6 Only NEG's.")
@@ -382,8 +384,8 @@ func Validate() {
 		klog.Fatalf("Invalid --override-health-check-src-cidrs flag: %v", err)
 	}
 
-	if F.EnableL4DenyFirewall && !F.EnablePinhole {
-		klog.Fatalf("The flag --enable-l4-deny-firewall requires --enable-pinhole to be true.")
+	if F.EnableL4DenyFirewall && (!F.EnablePinhole || !F.EnableL4DenyFirewallRollbackCleanup) {
+		klog.Fatalf("The flag --enable-l4-deny-firewall requires --enable-pinhole and --enable-l4-deny-firewall-rollback-cleanup to be true.")
 	}
 }
 
diff --git a/pkg/l4lb/l4netlbcontroller.go b/pkg/l4lb/l4netlbcontroller.go
@@ -614,18 +614,19 @@ func (lc *L4NetLBController) syncInternal(service *v1.Service, svcLogger klog.Lo
 	usesNegBackends := lc.shouldUseNEGBackends(service, svcLogger)
 
 	l4NetLBParams := &l4resources.L4NetLBParams{
-		Service:                          service,
-		Cloud:                            lc.ctx.Cloud,
-		Namer:                            lc.namer,
-		Recorder:                         lc.ctx.Recorder(service.Namespace),
-		DualStackEnabled:                 lc.enableDualStack,
-		StrongSessionAffinityEnabled:     lc.enableStrongSessionAffinity,
-		NetworkResolver:                  lc.networkResolver,
-		EnableWeightedLB:                 lc.ctx.EnableWeightedL4NetLB,
-		EnableMixedProtocol:              lc.ctx.EnableL4NetLBMixedProtocol,
-		DisableNodesFirewallProvisioning: lc.ctx.DisableL4LBFirewall,
-		UseNEGs:                          usesNegBackends,
-		UseDenyFirewalls:                 lc.ctx.EnableL4DenyFirewalls,
+		Service:                            service,
+		Cloud:                              lc.ctx.Cloud,
+		Namer:                              lc.namer,
+		Recorder:                           lc.ctx.Recorder(service.Namespace),
+		DualStackEnabled:                   lc.enableDualStack,
+		StrongSessionAffinityEnabled:       lc.enableStrongSessionAffinity,
+		NetworkResolver:                    lc.networkResolver,
+		EnableWeightedLB:                   lc.ctx.EnableWeightedL4NetLB,
+		EnableMixedProtocol:                lc.ctx.EnableL4NetLBMixedProtocol,
+		DisableNodesFirewallProvisioning:   lc.ctx.DisableL4LBFirewall,
+		UseNEGs:                            usesNegBackends,
+		UseDenyFirewalls:                   lc.ctx.EnableL4DenyFirewalls,
+		EnableDenyFirewallsRollbackCleanup: lc.ctx.EnableL4DenyFirewallsRollbackCleanup,
 	}
 	if lc.ctx.ConfigMapInformer != nil {
 		l4NetLBParams.ConfigMapLister = lc.ctx.ConfigMapInformer.GetIndexer()
@@ -870,17 +871,18 @@ func (lc *L4NetLBController) garbageCollectRBSNetLB(key string, svc *v1.Service,
 	}()
 
 	l4NetLBParams := &l4resources.L4NetLBParams{
-		Service:                          svc,
-		Cloud:                            lc.ctx.Cloud,
-		Namer:                            lc.namer,
-		Recorder:                         lc.ctx.Recorder(svc.Namespace),
-		DualStackEnabled:                 lc.enableDualStack,
-		StrongSessionAffinityEnabled:     lc.enableStrongSessionAffinity,
-		NetworkResolver:                  lc.networkResolver,
-		EnableWeightedLB:                 lc.ctx.EnableWeightedL4NetLB,
-		EnableMixedProtocol:              lc.ctx.EnableL4NetLBMixedProtocol,
-		DisableNodesFirewallProvisioning: lc.ctx.DisableL4LBFirewall,
-		UseDenyFirewalls:                 lc.ctx.EnableL4DenyFirewalls,
+		Service:                            svc,
+		Cloud:                              lc.ctx.Cloud,
+		Namer:                              lc.namer,
+		Recorder:                           lc.ctx.Recorder(svc.Namespace),
+		DualStackEnabled:                   lc.enableDualStack,
+		StrongSessionAffinityEnabled:       lc.enableStrongSessionAffinity,
+		NetworkResolver:                    lc.networkResolver,
+		EnableWeightedLB:                   lc.ctx.EnableWeightedL4NetLB,
+		EnableMixedProtocol:                lc.ctx.EnableL4NetLBMixedProtocol,
+		DisableNodesFirewallProvisioning:   lc.ctx.DisableL4LBFirewall,
+		UseDenyFirewalls:                   lc.ctx.EnableL4DenyFirewalls,
+		EnableDenyFirewallsRollbackCleanup: lc.ctx.EnableL4DenyFirewallsRollbackCleanup,
 	}
 	if lc.ctx.ConfigMapInformer != nil {
 		l4NetLBParams.ConfigMapLister = lc.ctx.ConfigMapInformer.GetIndexer()
diff --git a/pkg/l4resources/denytest/deny_test.go b/pkg/l4resources/denytest/deny_test.go
@@ -305,9 +305,10 @@ func TestDenyRespectsDisableNodeFirewallProvisioning(t *testing.T) {
 	}
 	log := klog.TODO()
 	l4netlb := l4resources.NewL4NetLB(&l4resources.L4NetLBParams{
-		Service:                          svc,
-		UseDenyFirewalls:                 true,
-		DisableNodesFirewallProvisioning: true,
+		Service:                            svc,
+		UseDenyFirewalls:                   true,
+		EnableDenyFirewallsRollbackCleanup: true,
+		DisableNodesFirewallProvisioning:   true,
 		// other parameters
 		Cloud:               cloud,
 		Namer:               namer.NewL4Namer("ks123", namer.NewNamer("", "", log)),
@@ -619,10 +620,76 @@ func TestExportsCorrectDenyMetrics(t *testing.T) {
 	}
 }
 
+// TestSkipRollbackCleanupIfDisabled is a complimentary test to TestDenyRollback which verifies
+// that the cleanup logic on Ensure is skipped when the ArmDenyFirewallsRollbackCleanup is not enabled.
+func TestSkipRollbackCleanupIfDisabled(t *testing.T) {
+	// Arrange
+	ctx := t.Context()
+	svc := helperService([]v1.IPFamily{v1.IPv4Protocol, v1.IPv6Protocol})
+
+	gce, err := helperCloud(ctx)
+	if err != nil {
+		t.Fatal(err)
+	}
+	mockGCE := gce.Compute().(*cloud.MockGCE)
+	getCalled := make(map[string]bool)
+	// Function that is tested will check for deny firewalls if it is enabled before actually deleting them
+	mockGCE.MockFirewalls.GetHook = func(ctx context.Context, key *meta.Key, m *cloud.MockFirewalls, options ...cloud.Option) (bool, *compute.Firewall, error) {
+		getCalled[key.Name] = true
+		return false, nil, nil // continue with normal hook
+	}
+
+	log := klog.TODO()
+	ensurer := helperL4NetLBWithoutCleanup(gce, log, svc)
+	res := ensurer.EnsureFrontend([]string{nodeName}, svc, time.Now())
+	if res.Error != nil {
+		t.Fatal(res.Error)
+	}
+
+	// Assert
+	// No cleanup logic should be called - it is not armed
+	for _, name := range []string{denyIPv4Name, denyIPv6Name} {
+		if got := getCalled[name]; got {
+			t.Errorf("Cleanup or other deny firewall logic for %v was executed even though the ArmDenyFirewallsRollbackCleanup and UseDenyFirewalls flags were set to false", name)
+		}
+		// cleanup for later test
+		getCalled[name] = false
+	}
+
+	// Verify that the cleanup logic is actually performed when it needs to be
+	ensurer = helperL4NetLB(gce, log, svc, denyFirewallDisabled) // cleanup is armed
+	res = ensurer.EnsureFrontend([]string{nodeName}, svc, time.Now())
+	if res.Error != nil {
+		t.Fatal(res.Error)
+	}
+
+	for _, name := range []string{denyIPv4Name, denyIPv6Name} {
+		if got := getCalled[name]; !got {
+			t.Errorf("Cleanup for deny firewall %v logic has not been executed", name)
+		}
+	}
+}
+
 func helperL4NetLB(cloud *gce.Cloud, log klog.Logger, svc *v1.Service, denyFirewall bool) *l4resources.L4NetLB {
 	return l4resources.NewL4NetLB(&l4resources.L4NetLBParams{
-		Service:          svc,
-		UseDenyFirewalls: denyFirewall,
+		Service:                            svc,
+		UseDenyFirewalls:                   denyFirewall,
+		EnableDenyFirewallsRollbackCleanup: true,
+		// other parameters
+		Cloud:               cloud,
+		Namer:               namer.NewL4Namer("ks123", namer.NewNamer("", "", log)),
+		Recorder:            record.NewFakeRecorder(100),
+		NetworkResolver:     network.NewFakeResolver(network.DefaultNetwork(cloud)),
+		DualStackEnabled:    true,
+		EnableMixedProtocol: true,
+	}, log)
+}
+
+func helperL4NetLBWithoutCleanup(cloud *gce.Cloud, log klog.Logger, svc *v1.Service) *l4resources.L4NetLB {
+	return l4resources.NewL4NetLB(&l4resources.L4NetLBParams{
+		Service:                            svc,
+		UseDenyFirewalls:                   false,
+		EnableDenyFirewallsRollbackCleanup: false,
 		// other parameters
 		Cloud:               cloud,
 		Namer:               namer.NewL4Namer("ks123", namer.NewNamer("", "", log)),
diff --git a/pkg/l4resources/l4netlb.go b/pkg/l4resources/l4netlb.go
@@ -70,10 +70,11 @@ type L4NetLB struct {
 	NamespacedName types.NamespacedName
 	healthChecks   healthchecksl4.L4HealthChecks
 	// mixedManager is responsible for managing forwarding rules for mixed protocol lbs
-	mixedManager     *forwardingrules.MixedManagerNetLB
-	forwardingRules  ForwardingRulesProvider
-	enableDualStack  bool
-	useDenyFirewalls bool
+	mixedManager                       *forwardingrules.MixedManagerNetLB
+	forwardingRules                    ForwardingRulesProvider
+	enableDualStack                    bool
+	useDenyFirewalls                   bool
+	enableDenyFirewallsRollbackCleanup bool
 	// represents if `enable strong session affinity` flag was set
 	enableStrongSessionAffinity      bool
 	networkInfo                      network.NetworkInfo
@@ -129,19 +130,20 @@ func (r *L4NetLBSyncResult) SetMetricsForSuccessfulServiceSync() {
 }
 
 type L4NetLBParams struct {
-	Service                          *corev1.Service
-	Cloud                            *gce.Cloud
-	Namer                            namer.L4ResourcesNamer
-	Recorder                         record.EventRecorder
-	DualStackEnabled                 bool
-	StrongSessionAffinityEnabled     bool
-	NetworkResolver                  network.Resolver
-	EnableWeightedLB                 bool
-	EnableMixedProtocol              bool
-	DisableNodesFirewallProvisioning bool
-	UseNEGs                          bool
-	UseDenyFirewalls                 bool
-	ConfigMapLister                  cache.Store
+	Service                            *corev1.Service
+	Cloud                              *gce.Cloud
+	Namer                              namer.L4ResourcesNamer
+	Recorder                           record.EventRecorder
+	DualStackEnabled                   bool
+	StrongSessionAffinityEnabled       bool
+	NetworkResolver                    network.Resolver
+	EnableWeightedLB                   bool
+	EnableMixedProtocol                bool
+	DisableNodesFirewallProvisioning   bool
+	UseNEGs                            bool
+	UseDenyFirewalls                   bool
+	EnableDenyFirewallsRollbackCleanup bool
+	ConfigMapLister                    cache.Store
 }
 
 // NewL4NetLB creates a new Handler for the given L4NetLB service.
@@ -157,26 +159,27 @@ func NewL4NetLB(params *L4NetLBParams, logger klog.Logger) *L4NetLB {
 		Service:  params.Service,
 	}
 	l4netlb := &L4NetLB{
-		cloud:                            params.Cloud,
-		scope:                            meta.Regional,
-		namer:                            params.Namer,
-		recorder:                         params.Recorder,
-		Service:                          params.Service,
-		NamespacedName:                   types.NamespacedName{Name: params.Service.Name, Namespace: params.Service.Namespace},
-		backendPool:                      backends.NewPoolWithConnectionTrackingPolicy(params.Cloud, params.Namer, params.StrongSessionAffinityEnabled),
-		healthChecks:                     healthchecksl4.NewL4HealthChecks(params.Cloud, params.Recorder, logger, params.UseDenyFirewalls),
-		forwardingRules:                  forwardingRulesProvider,
-		mixedManager:                     mixedManager,
-		enableDualStack:                  params.DualStackEnabled,
-		enableStrongSessionAffinity:      params.StrongSessionAffinityEnabled,
-		networkResolver:                  params.NetworkResolver,
-		enableWeightedLB:                 params.EnableWeightedLB,
-		enableMixedProtocol:              params.EnableMixedProtocol,
-		disableNodesFirewallProvisioning: params.DisableNodesFirewallProvisioning,
-		useDenyFirewalls:                 params.UseDenyFirewalls,
-		useNEGs:                          params.UseNEGs,
-		svcLogger:                        logger,
-		configMapLister:                  params.ConfigMapLister,
+		cloud:                              params.Cloud,
+		scope:                              meta.Regional,
+		namer:                              params.Namer,
+		recorder:                           params.Recorder,
+		Service:                            params.Service,
+		NamespacedName:                     types.NamespacedName{Name: params.Service.Name, Namespace: params.Service.Namespace},
+		backendPool:                        backends.NewPoolWithConnectionTrackingPolicy(params.Cloud, params.Namer, params.StrongSessionAffinityEnabled),
+		healthChecks:                       healthchecksl4.NewL4HealthChecks(params.Cloud, params.Recorder, logger, params.UseDenyFirewalls),
+		forwardingRules:                    forwardingRulesProvider,
+		mixedManager:                       mixedManager,
+		enableDualStack:                    params.DualStackEnabled,
+		enableStrongSessionAffinity:        params.StrongSessionAffinityEnabled,
+		networkResolver:                    params.NetworkResolver,
+		enableWeightedLB:                   params.EnableWeightedLB,
+		enableMixedProtocol:                params.EnableMixedProtocol,
+		disableNodesFirewallProvisioning:   params.DisableNodesFirewallProvisioning,
+		useDenyFirewalls:                   params.UseDenyFirewalls,
+		enableDenyFirewallsRollbackCleanup: params.EnableDenyFirewallsRollbackCleanup,
+		useNEGs:                            params.UseNEGs,
+		svcLogger:                          logger,
+		configMapLister:                    params.ConfigMapLister,
 	}
 	return l4netlb
 }
@@ -641,7 +644,7 @@ func denyFirewall(namer func(namespace, name string) string, svc *corev1.Service
 }
 
 func (l4netlb *L4NetLB) softlyCleanUpDenyFirewallsWhenRolledBack() error {
-	if l4netlb.useDenyFirewalls {
+	if l4netlb.useDenyFirewalls || !l4netlb.enableDenyFirewallsRollbackCleanup {
 		return nil // We use deny firewalls, don't need to clean them up
 	}
 	logger := l4netlb.svcLogger.WithName("softlyCleanUpDenyFirewalls")

Original file line number	Diff line number	Diff line change
`@@ -139,6 +139,7 @@ type ControllerContextConfig struct {`
`139`	`139`	`EnableL4NetLBMixedProtocol bool`
`140`	`140`	`EnableL4NetLBForwardingRulesOptimizations bool`
`141`	`141`	`EnableL4DenyFirewalls bool`
	`142`	`+ EnableL4DenyFirewallsRollbackCleanup bool`
`142`	`143`	`}`
`143`	`144`
`144`	`145`	`// NewControllerContext returns a new shared set of informers.`