Restrict subnets only to subnets from regular availability zones in ELB auto-discovery procedure

[lobziik]

What type of PR is this?

/kind feature

What this PR does / why we need it:
Outpost, wavelength, and local zone don't support NLB or CLB at the moment.
This pr adds check for availability zone type and includes only subnets from availability-zone typed zones for the auto-discovery.

Which issue(s) this PR fixes:

Fixes #442

Special notes for your reviewer:
I'm not sure about PR type, guess that feature is the most suitable one.

Does this PR introduce a user-facing change?:

Added check  for availability zone type within subnets auto-discovery procedure for a load-balancers
Auto-discovery will include only subnets from `availability-zone` typed zones.

IMPORTANT: This change requires an IAM permissions update. IAM policy for control-plane nodes
should be extended with `ec2:DescribeAvailabilityZones` permission.

[k8s-ci-robot]

@lobziik: This issue is currently awaiting triage.

If cloud-provider-aws contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

Welcome @lobziik!

It looks like this is your first PR to kubernetes/cloud-provider-aws 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/cloud-provider-aws has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @lobziik. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[JoelSpeed]

/ok-to-test

[JoelSpeed]

/lgtm

Will need an AWS approver to review as well, but the code looks clean and makes sense to me

[lobziik]

e2e is failing, i need some time to reproduce and investigate it.
/hold

[lobziik]

Apparently this requires additional iam permissions for describing availability zones. I need to figure out where it does set within this e2es and give an another thought about this api call error handling.

Will appreciate some advices here, for now i'm not entirely sure how to proceed.

[lobziik]

Updated PR, added a check for the response type. Insufficient permissions does not threat as an error anymore, warning will be raised instead: https://github.com/kubernetes/cloud-provider-aws/pull/499/files#diff-97a31d0f193ea0b4e2c538595daf93405351054377458053a5010f6fdb97f4dcR3539 for provide backward compatability and do not break existing clusters after ccm upgrade.

Added missed permission into documentation also.

[lobziik]

/hold cancel
/cc @kishorj

[lobziik]

/cc @kishorj @JoelSpeed

Sry, I misclicked and break review requests.

[JoelSpeed]

Changes look ok, couple of nits about errors but otherwise LGTM, lmk what you think about using the error wrapping, this file already imports the standard library errors package so there's no new dependency on this

[JoelSpeed]

/lgtm

[olemarkus]

/lgtm

[olemarkus]

/pull-kops-e2e-cni-amazonvpc

[kishorj]

Tbh, if we ignore the error we will keep the existing behavior unless the IAM permissions get updated. I favor throwing the error here instead.

We will have to update the IAM permissions. As for EKS, we can start process to update the managed policies. For kops, we can request the permission to be included.

[kishorj]

Once the policies get updated, we can backport the changes to older releases as well.

[lobziik]

I updated pr, now permissions error will be propagated back.

IAM permissions in kops were extended in kubernetes/kops#14650.

@kishorj can you please take a look? :)

[lobziik]

I attempted to update permission list for kops. @olemarkus can you please help with that, when you will have time? :) kubernetes/kops#14650 - think it will be a prerequisite for having pull-cloud-provider-aws-e2e passed. Then I can update this PR.

[olemarkus]

/retest

[JoelSpeed]

Thanks for the fixups @lobziik

/lgtm

[kishorj]

Thanks
/lgtm

Need updates to the AmazonEKSClusterPolicy for EKS clusters. Hold merge until we initiate the process to update the managed policy.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: olemarkus

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [olemarkus]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment