Merge pull request #4359 from alexander-demicev/cpingress
Additional ingress rules for control plane
k8s-ci-robot authored Sep 21, 2023
2 parents 66400f9 + 80dbe3a commit b90c18c
Showing 17 changed files with 485 additions and 45 deletions.
2 changes: 2 additions & 0 deletions api/v1beta1/awscluster_conversion.go
Expand Up @@ -71,6 +71,8 @@ func (src *AWSCluster) ConvertTo(dstRaw conversion.Hub) error {
restoreIPAMPool(restored.Spec.NetworkSpec.VPC.IPv6.IPAMPool, dst.Spec.NetworkSpec.VPC.IPv6.IPAMPool)
}

dst.Spec.NetworkSpec.AdditionalControlPlaneIngressRules = restored.Spec.NetworkSpec.AdditionalControlPlaneIngressRules

return nil
}

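Review bot: The restore on the `dst.Spec.NetworkSpec.AdditionalControlPlaneIngressRules = restored.Spec.NetworkSpec.AdditionalControlPlaneIngressRules` line carries no comment saying why it is needed, unlike the IPAM pool restore just above it, which at least goes through a named helper. A one-line comment would spare the next maintainer a trip to the v1beta1 types: `// AdditionalControlPlaneIngressRules has no v1beta1 counterpart; restore it from the annotation copy so a v1beta1 round trip does not silently drop control plane ingress rules.` ConvertTo starts outside the hunk, and the ConvertFrom side is not in this section, so whether the down-conversion path documents the drop cannot be seen here.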
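--- a/api/v1beta1/conversion.go
+++ b/api/v1beta1/conversion.go
@@ -90,3 +90,7 @@ func Convert_v1beta2_VPCSpec_To_v1beta1_VPCSpec(in *v1beta2.VPCSpec, out *VPCSpe
 func Convert_v1beta2_IPv6_To_v1beta1_IPv6(in *v1beta2.IPv6, out *IPv6, s conversion.Scope) error {
 return autoConvert_v1beta2_IPv6_To_v1beta1_IPv6(in, out, s)
 }
+
+func Convert_v1beta2_NetworkSpec_To_v1beta1_NetworkSpec(in *v1beta2.NetworkSpec, out *NetworkSpec, s conversion.Scope) error {
+return autoConvert_v1beta2_NetworkSpec_To_v1beta1_NetworkSpec(in, out, s)
+}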
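Review bot: Convert_v1beta2_NetworkSpec_To_v1beta1_NetworkSpec is an exported function with no doc comment, and its only visible job is to delegate to the generated autoConvert, which presumably exists because the new AdditionalControlPlaneIngressRules field has no v1beta1 peer and the generator refuses to emit the conversion itself. That the field is dropped on this path deserves to be stated where a reader will look for it: `// Convert_v1beta2_NetworkSpec_To_v1beta1_NetworkSpec is a manual conversion because AdditionalControlPlaneIngressRules has no v1beta1 counterpart; the field is dropped here and restored from the annotation in AWSCluster.ConvertTo.` The sibling Convert_v1beta2_IPv6_To_v1beta1_IPv6 above it has the same gap, so the same pattern could be applied there for consistency.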
16 changes: 6 additions & 10 deletions api/v1beta1/zz_generated.conversion.go

11 changes: 8 additions & 3 deletions api/v1beta2/awscluster_webhook.go
Expand Up @@ -57,7 +57,7 @@ func (r *AWSCluster) ValidateCreate() error {
allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...)
allErrs = append(allErrs, r.Spec.S3Bucket.Validate()...)
allErrs = append(allErrs, r.validateNetwork()...)
allErrs = append(allErrs, r.validateAdditionalIngressRules()...)
allErrs = append(allErrs, r.validateControlPlaneLBIngressRules()...)

return aggregateObjErrors(r.GroupVersionKind().GroupKind(), r.Name, allErrs)
}
Expand Down Expand Up @@ -237,10 +237,15 @@ func (r *AWSCluster) validateNetwork() field.ErrorList {
allErrs = append(allErrs, field.Invalid(field.NewPath("ipamPool"), r.Spec.NetworkSpec.VPC.IPAMPool, "ipamPool must have either id or name"))
}

for _, rule := range r.Spec.NetworkSpec.AdditionalControlPlaneIngressRules {
if (rule.CidrBlocks != nil || rule.IPv6CidrBlocks != nil) && (rule.SourceSecurityGroupIDs != nil || rule.SourceSecurityGroupRoles != nil) {
allErrs = append(allErrs, field.Invalid(field.NewPath("additionalControlPlaneIngressRules"), r.Spec.NetworkSpec.AdditionalControlPlaneIngressRules, "CIDR blocks and security group IDs or security group roles cannot be used together"))
}
}
return allErrs
}

func (r *AWSCluster) validateAdditionalIngressRules() field.ErrorList {
func (r *AWSCluster) validateControlPlaneLBIngressRules() field.ErrorList {
var allErrs field.ErrorList

if r.Spec.ControlPlaneLoadBalancer == nil {
Expand All @@ -249,7 +254,7 @@ func (r *AWSCluster) validateAdditionalIngressRules() field.ErrorList {

for _, rule := range r.Spec.ControlPlaneLoadBalancer.IngressRules {
if (rule.CidrBlocks != nil || rule.IPv6CidrBlocks != nil) && (rule.SourceSecurityGroupIDs != nil || rule.SourceSecurityGroupRoles != nil) {
allErrs = append(allErrs, field.Invalid(field.NewPath("additionalIngressRules"), r.Spec.ControlPlaneLoadBalancer.IngressRules, "CIDR blocks and security group IDs or security group roles cannot be used together"))
allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "ingressRules"), r.Spec.ControlPlaneLoadBalancer.IngressRules, "CIDR blocks and security group IDs or security group roles cannot be used together"))
}
}

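Review bot: The new loop in validateNetwork reports its error at the bare relative path `field.NewPath("additionalControlPlaneIngressRules")` and returns the whole rule list as the bad value, while the same commit fixes the sibling check in validateControlPlaneLBIngressRules to the fully qualified `field.NewPath("spec", "controlPlaneLoadBalancer", "ingressRules")`; the two should agree, and pointing at the offending element is far more useful to the user than the entire slice. Suggest `for i, rule := range r.Spec.NetworkSpec.AdditionalControlPlaneIngressRules {` and `allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "network", "additionalControlPlaneIngressRules").Index(i), rule, "CIDR blocks and security group IDs or security group roles cannot be used together"))`, where `network` matches the json key shown in the CRD in this commit but should be confirmed against the AWSClusterSpec tag. Note also that the condition only rejects mixing CIDR and security-group sources: a rule with no source at all, or a malformed CIDR string (the test file in this commit accepts `"test"` as a CIDR block), passes the webhook and presumably only surfaces once the rule is applied to AWS, which may merit a separate check. validateNetwork starts outside the hunk; its end is visible.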
91 changes: 88 additions & 3 deletions api/v1beta2/awscluster_webhook_test.go
Expand Up @@ -335,6 +335,19 @@ func TestAWSClusterValidateCreate(t *testing.T) {
},
wantErr: false,
},
{
name: "rejects ipamPool if id or name not set",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
NetworkSpec: NetworkSpec{
VPC: VPCSpec{
IPAMPool: &IPAMPool{},
},
},
},
},
wantErr: true,
},
{
name: "rejects cidrBlock and ipamPool if set together",
cluster: &AWSCluster{
Expand All @@ -350,18 +363,90 @@ func TestAWSClusterValidateCreate(t *testing.T) {
wantErr: true,
},
{
name: "rejects ipamPool if id or name not set",
name: "accepts CP ingress rules with source security group id and role",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
NetworkSpec: NetworkSpec{
VPC: VPCSpec{
IPAMPool: &IPAMPool{},
AdditionalControlPlaneIngressRules: []IngressRule{
{
Protocol: SecurityGroupProtocolTCP,
SourceSecurityGroupIDs: []string{"test"},
SourceSecurityGroupRoles: []SecurityGroupRole{SecurityGroupBastion},
},
},
},
},
},
wantErr: false,
},
{
name: "rejects CP ingress rules with cidr block and source security group id",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
NetworkSpec: NetworkSpec{
AdditionalControlPlaneIngressRules: []IngressRule{
{
Protocol: SecurityGroupProtocolTCP,
CidrBlocks: []string{"test"},
SourceSecurityGroupIDs: []string{"test"},
},
},
},
},
},
wantErr: true,
},
{
name: "rejects CP ingress rules with cidr block and source security group id and role",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
NetworkSpec: NetworkSpec{
AdditionalControlPlaneIngressRules: []IngressRule{
{
Protocol: SecurityGroupProtocolTCP,
IPv6CidrBlocks: []string{"test"},
SourceSecurityGroupIDs: []string{"test"},
SourceSecurityGroupRoles: []SecurityGroupRole{SecurityGroupBastion},
},
},
},
},
},
wantErr: true,
},
{
name: "accepts CP ingress rules with cidr block",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
NetworkSpec: NetworkSpec{
AdditionalControlPlaneIngressRules: []IngressRule{
{
Protocol: SecurityGroupProtocolTCP,
CidrBlocks: []string{"test"},
},
},
},
},
},
wantErr: false,
},
{
name: "accepts CP ingress rules with source security group id and role",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
NetworkSpec: NetworkSpec{
AdditionalControlPlaneIngressRules: []IngressRule{
{
Protocol: SecurityGroupProtocolTCP,
SourceSecurityGroupIDs: []string{"test"},
SourceSecurityGroupRoles: []SecurityGroupRole{SecurityGroupBastion},
},
},
},
},
},
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
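Review bot: The case `name: "accepts CP ingress rules with source security group id and role"` appears twice in the added table with byte-identical bodies (once near the top of the new block and again as the last entry), so the second only produces a `#01` subtest and covers nothing new. Replacing the duplicate with a combination the table does not yet exercise would be more valuable — for example `CidrBlocks` together with `SourceSecurityGroupRoles` and no IDs, which the validator's condition should reject, or `IPv6CidrBlocks` alone, which it should accept. The moved `rejects ipamPool if id or name not set` case is unchanged apart from position. TestAWSClusterValidateCreate starts and ends outside the hunk.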
4 changes: 4 additions & 0 deletions api/v1beta2/network_types.go
Expand Up @@ -240,6 +240,10 @@ type NetworkSpec struct {
// This is optional - if not provided new security groups will be created for the cluster
// +optional
SecurityGroupOverrides map[SecurityGroupRole]string `json:"securityGroupOverrides,omitempty"`

// AdditionalControlPlaneIngressRules is an optional set of ingress rules to add to the control plane
// +optional
AdditionalControlPlaneIngressRules []IngressRule `json:"additionalControlPlaneIngressRules,omitempty"`
}

// IPv6 contains ipv6 specific settings for the network.
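Review bot: The doc comment on AdditionalControlPlaneIngressRules does not mention the constraint the webhook in this commit enforces, so a user only discovers that CIDR and security-group sources are mutually exclusive when an apply is rejected. Suggest `// AdditionalControlPlaneIngressRules is an optional set of ingress rules to add to the control plane.` followed by `// A rule may specify either CIDR blocks or source security group IDs/roles, but not both.` The CRD description in this commit mirrors this comment, so the constraint would reach the OpenAPI schema as well. The NetworkSpec struct starts outside the hunk; its closing brace is visible.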
7 changes: 7 additions & 0 deletions api/v1beta2/zz_generated.deepcopy.go


Expand Up @@ -357,6 +357,78 @@ spec:
network:
description: NetworkSpec encapsulates all things related to AWS network.
properties:
additionalControlPlaneIngressRules:
description: AdditionalControlPlaneIngressRules is an optional
set of ingress rules to add to the control plane
items:
description: IngressRule defines an AWS ingress rule for security
groups.
properties:
cidrBlocks:
description: List of CIDR blocks to allow access from. Cannot
be specified with SourceSecurityGroupID.
items:
type: string
type: array
description:
description: Description provides extended information about
the ingress rule.
type: string
fromPort:
description: FromPort is the start of port range.
format: int64
type: integer
ipv6CidrBlocks:
description: List of IPv6 CIDR blocks to allow access from.
Cannot be specified with SourceSecurityGroupID.
items:
type: string
type: array
protocol:
description: Protocol is the protocol for the ingress rule.
Accepted values are "-1" (all), "4" (IP in IP),"tcp",
"udp", "icmp", and "58" (ICMPv6).
enum:
- "-1"
- "4"
- tcp
- udp
- icmp
- "58"
type: string
sourceSecurityGroupIds:
description: The security group id to allow access from.
Cannot be specified with CidrBlocks.
items:
type: string
type: array
sourceSecurityGroupRoles:
description: The security group role to allow access from.
Cannot be specified with CidrBlocks. The field will be
combined with source security group IDs if specified.
items:
description: SecurityGroupRole defines the unique role
of a security group.
enum:
- bastion
- node
- controlplane
- apiserver-lb
- lb
- node-eks-additional
type: string
type: array
toPort:
description: ToPort is the end of port range.
format: int64
type: integer
required:
- description
- fromPort
- protocol
- toPort
type: object
type: array
cni:
description: CNI configuration
properties:
Expand Down Expand Up @@ -1852,6 +1924,78 @@ spec:
network:
description: NetworkSpec encapsulates all things related to AWS network.
properties:
additionalControlPlaneIngressRules:
description: AdditionalControlPlaneIngressRules is an optional
set of ingress rules to add to the control plane
items:
description: IngressRule defines an AWS ingress rule for security
groups.
properties:
cidrBlocks:
description: List of CIDR blocks to allow access from. Cannot
be specified with SourceSecurityGroupID.
items:
type: string
type: array
description:
description: Description provides extended information about
the ingress rule.
type: string
fromPort:
description: FromPort is the start of port range.
format: int64
type: integer
ipv6CidrBlocks:
description: List of IPv6 CIDR blocks to allow access from.
Cannot be specified with SourceSecurityGroupID.
items:
type: string
type: array
protocol:
description: Protocol is the protocol for the ingress rule.
Accepted values are "-1" (all), "4" (IP in IP),"tcp",
"udp", "icmp", and "58" (ICMPv6).
enum:
- "-1"
- "4"
- tcp
- udp
- icmp
- "58"
type: string
sourceSecurityGroupIds:
description: The security group id to allow access from.
Cannot be specified with CidrBlocks.
items:
type: string
type: array
sourceSecurityGroupRoles:
description: The security group role to allow access from.
Cannot be specified with CidrBlocks. The field will be
combined with source security group IDs if specified.
items:
description: SecurityGroupRole defines the unique role
of a security group.
enum:
- bastion
- node
- controlplane
- apiserver-lb
- lb
- node-eks-additional
type: string
type: array
toPort:
description: ToPort is the end of port range.
format: int64
type: integer
required:
- description
- fromPort
- protocol
- toPort
type: object
type: array
cni:
description: CNI configuration
properties:
