🌱 AWSManagedMachinePool: Make public access to SSH explicit

[michaelbeaumont]

What this PR does / why we need it:
Restricts access to SSH for AWSManagedMachinePools to specific security groups by default. Until now the default matches the AWS API defaults where if SSH access is enabled with some SSH key then access is allowed from any IP. Now the user must set public: true.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #1990

Special notes for your reviewer:

Checklist:

• squashed commits
• includes documentation
• adds unit tests
• adds or updates e2e tests

Release note:

action required: New `AWSManagedMachinePool` resources with non-empty `remoteAccess` now require `remoteAccess.public: true` in order to allow public access to SSH on port 22

[richardcase]

@michaelbeaumont - i think we a release note here as we are changing behavior from where it would be public if there was an SSH key to even if there is an SSH key they need to set publicAccess: true

[richardcase]

Small nit, in the PR description its publicAccess but here its public. Guessing the preferred naming is public?

[michaelbeaumont]

Yes, I switched to public to get rid of the remoteAccess.publicAccess duplication.

[richardcase]

/test ?

[k8s-ci-robot]

@richardcase: The following commands are available to trigger jobs:

• /test pull-cluster-api-provider-aws-test
• /test pull-cluster-api-provider-aws-build
• /test pull-cluster-api-provider-aws-verify
• /test pull-cluster-api-provider-aws-e2e-conformance
• /test pull-cluster-api-provider-aws-e2e-conformance-with-ci-artifacts
• /test pull-cluster-api-provider-aws-e2e
• /test pull-cluster-api-provider-aws-e2e-eks

Use /test all to run the following jobs:

• pull-cluster-api-provider-aws-test
• pull-cluster-api-provider-aws-build
• pull-cluster-api-provider-aws-verify

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[richardcase]

/test pull-cluster-api-provider-aws-e2e

[michaelbeaumont]

@michaelbeaumont - i think we a release note here as we are changing behavior from where it would be public if there was an SSH key to even if there is an SSH key they need to set publicAccess: true

True, I've now added an action required release note although I'm not 100% sure that fits since it only affects new resources?

[richardcase]

As soon as the e2e tests pass I will approve

[richardcase]

/test pull-cluster-api-provider-aws-e2e

[richardcase]

Ah, ran the wrong tests:

/test pull-cluster-api-provider-aws-e2e-eks

[richardcase]

the eks e2e tests passed, so:

/lgtm

[k8s-ci-robot]

@michaelbeaumont: The following test failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
pull-cluster-api-provider-aws-e2e	c54dd7a	link	/test pull-cluster-api-provider-aws-e2e

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[richardcase]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: richardcase

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [richardcase]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment