Deny firewall for external services

[TortillaZHawaii]

An adapted copy of similar changes done to ingress-gce:

• two new GCE flags enable-l4-deny-firewall and enable-l4-deny-firewall-rollback-cleanup,
• adds deny firewall functionality with correct order for provisioning/cleanup,
• exports metrics for netlb including firewall deny state,
• vendors in cmpopts for easier testing.

[k8s-ci-robot]

This issue is currently awaiting triage.

If the repository mantainers determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[TortillaZHawaii]

/hold

/assign @mmamczur

[TortillaZHawaii]

/uncc elmiko cici37

[mmamczur]

this name suggests we do something bad while I assume it's to avoid a NOT_FOUND error log

[08volt]

You are expanding every interval in integer sets, could we sort/merge them instead?

[TortillaZHawaii]

Do you mean like comparing string slices directly? I'm not sure about this, the GCE may return "10-15", and we can ask for "10", "11", "12, "13", "14", "15". They're the same firewall but differently written.

Do you know if we can have such guarantees?

[08volt]

Generated example:

type portInterval struct {
	Start uint16
	End   uint16
}

func mergeIntervals(intervals []portInterval) []portInterval {
	if len(intervals) < 2 {
		return intervals
	}

	// Sort by Start, then End.
	slices.SortFunc(intervals, func(a, b portInterval) int {
		if n := cmp.Compare(a.Start, b.Start); n != 0 {
			return n
		}
		return cmp.Compare(a.End, b.End)
	})

	w := 0 
	for r := 1; r < len(intervals); r++ {
		// If current interval overlaps or is adjacent to the next one.
		if intervals[r].Start <= intervals[w].End+1 {
			if intervals[r].End > intervals[w].End {
				intervals[w].End = intervals[r].End
			}
		} else {
			w++
			intervals[w] = intervals[r]
		}
	}
	return intervals[:w+1]
}

[TortillaZHawaii]

It sounds to me like yours implementation would be quicker, but given that the most time is spent on the API calls I don't think the ROI is worth it.

[TortillaZHawaii]

I don't want to rewrite this for this PR, I might revisit it later.

[TortillaZHawaii]

this test is super flaky https://prow.k8s.io/view/gs/kubernetes-ci-logs/pr-logs/pull/cloud-provider-gcp/958/cloud-provider-gcp-tests/2017177332799770624

gkenetworkparamset_controller_test.go:1461: TestPopulateDesiredDefaultParamSet diff (-want +got): 
        &v1.GKENetworkParamSet{
         TypeMeta:   {},
         ObjectMeta: {Name: "default", Labels: {"addonmanager.kubernetes.io/mode": "EnsureExists"}, Annotations: {"components.gke.io/component-name": "cloud-controller-manager", "components.gke.io/layer": "addon"}},
         Spec: v1.GKENetworkParamSetSpec{
      - 		VPC:        "default-network",
      + 		VPC:        "random-vpc",
          VPCSubnet:  "default-subnetwork",
          DeviceMode: "",
          ... // 2 identical fields
         },
         Status: {},
        }

/retest

[TortillaZHawaii]

This wasn't introduced by this PR, it's caused by something already merged on master. Here's another PR that had the same test failing #955. 🙄

/test cloud-provider-gcp-tests

[08volt]

/lgtm

[TortillaZHawaii]

/unhold

as said before, the commits were squashed

[mmamczur]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mmamczur, TortillaZHawaii

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [mmamczur]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment