Skip to content

Commit

Permalink
feat(publick8s, privatek8s) allow NAT gateways to AKS API (#596)
Browse files Browse the repository at this point in the history
Ref. jenkins-infra/helpdesk#3908

This PR adds the NAT gatewat public IP in the allow list for both
`publick8s` and `privatek8s` to ensure all requests originated from
inside the clusters (autoscaler, nodes healthchecks, API commands for
`kubectl logs/exec`, etc.) are allowed to reach the control plane.

Signed-off-by: Damien Duportal <damien.duportal@gmail.com>
  • Loading branch information
dduportal authored Jan 23, 2024
1 parent 31eeb32 commit 63e22b7
Show file tree
Hide file tree
Showing 3 changed files with 7 additions and 3 deletions.
2 changes: 1 addition & 1 deletion .shared-tools
4 changes: 3 additions & 1 deletion privatek8s.tf
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,9 @@ resource "azurerm_kubernetes_cluster" "privatek8s" {
"%s/32",
flatten(
concat(
[for key, value in module.jenkins_infra_shared_data.admin_public_ips : value]
[for key, value in module.jenkins_infra_shared_data.admin_public_ips : value],
# privatek8s outbound IPs (traffic routed through gateways or outbound LBs)
module.jenkins_infra_shared_data.outbound_ips["privatek8s.jenkins.io"],
)
)
),
Expand Down
4 changes: 3 additions & 1 deletion publick8s.tf
Original file line number Diff line number Diff line change
Expand Up @@ -43,8 +43,10 @@ resource "azurerm_kubernetes_cluster" "publick8s" {
flatten(
concat(
[for key, value in module.jenkins_infra_shared_data.admin_public_ips : value],
# privatek8s outbound IP (traffic routed trhough gateways)
# privatek8s outbound IPs (traffic routed through gateways or outbound LBs)
module.jenkins_infra_shared_data.outbound_ips["privatek8s.jenkins.io"],
# publick8s outbound IPs (traffic routed through gateways or outbound LBs)
module.jenkins_infra_shared_data.outbound_ips["publick8s.jenkins.io"],
# trusted.ci subnet (UC agents need to execute mirrorbits scans)
module.jenkins_infra_shared_data.outbound_ips["trusted.ci.jenkins.io"],
module.jenkins_infra_shared_data.outbound_ips["trusted.sponsorship.ci.jenkins.io"],
Expand Down

0 comments on commit 63e22b7

Please sign in to comment.