Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Additional ingress rules for control plane #4359

Merged
merged 1 commit into from
Sep 21, 2023
Merged

Additional ingress rules for control plane #4359

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions api/v1beta1/awscluster_conversion.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,8 @@ func (src *AWSCluster) ConvertTo(dstRaw conversion.Hub) error {
restoreIPAMPool(restored.Spec.NetworkSpec.VPC.IPv6.IPAMPool, dst.Spec.NetworkSpec.VPC.IPv6.IPAMPool)
}

dst.Spec.NetworkSpec.AdditionalControlPlaneIngressRules = restored.Spec.NetworkSpec.AdditionalControlPlaneIngressRules

return nil
}

Expand Down
4 changes: 4 additions & 0 deletions api/v1beta1/conversion.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -90,3 +90,7 @@ func Convert_v1beta2_VPCSpec_To_v1beta1_VPCSpec(in *v1beta2.VPCSpec, out *VPCSpe
func Convert_v1beta2_IPv6_To_v1beta1_IPv6(in *v1beta2.IPv6, out *IPv6, s conversion.Scope) error {
return autoConvert_v1beta2_IPv6_To_v1beta1_IPv6(in, out, s)
}

func Convert_v1beta2_NetworkSpec_To_v1beta1_NetworkSpec(in *v1beta2.NetworkSpec, out *NetworkSpec, s conversion.Scope) error {
return autoConvert_v1beta2_NetworkSpec_To_v1beta1_NetworkSpec(in, out, s)
}
16 changes: 6 additions & 10 deletions api/v1beta1/zz_generated.conversion.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

11 changes: 8 additions & 3 deletions api/v1beta2/awscluster_webhook.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,7 @@ func (r *AWSCluster) ValidateCreate() error {
allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...)
allErrs = append(allErrs, r.Spec.S3Bucket.Validate()...)
allErrs = append(allErrs, r.validateNetwork()...)
allErrs = append(allErrs, r.validateAdditionalIngressRules()...)
allErrs = append(allErrs, r.validateControlPlaneLBIngressRules()...)

return aggregateObjErrors(r.GroupVersionKind().GroupKind(), r.Name, allErrs)
}
Expand Down Expand Up @@ -237,10 +237,15 @@ func (r *AWSCluster) validateNetwork() field.ErrorList {
allErrs = append(allErrs, field.Invalid(field.NewPath("ipamPool"), r.Spec.NetworkSpec.VPC.IPAMPool, "ipamPool must have either id or name"))
}

for _, rule := range r.Spec.NetworkSpec.AdditionalControlPlaneIngressRules {
if (rule.CidrBlocks != nil || rule.IPv6CidrBlocks != nil) && (rule.SourceSecurityGroupIDs != nil || rule.SourceSecurityGroupRoles != nil) {
allErrs = append(allErrs, field.Invalid(field.NewPath("additionalControlPlaneIngressRules"), r.Spec.NetworkSpec.AdditionalControlPlaneIngressRules, "CIDR blocks and security group IDs or security group roles cannot be used together"))
}
}
return allErrs
}

func (r *AWSCluster) validateAdditionalIngressRules() field.ErrorList {
func (r *AWSCluster) validateControlPlaneLBIngressRules() field.ErrorList {
var allErrs field.ErrorList

if r.Spec.ControlPlaneLoadBalancer == nil {
Expand All @@ -249,7 +254,7 @@ func (r *AWSCluster) validateAdditionalIngressRules() field.ErrorList {

for _, rule := range r.Spec.ControlPlaneLoadBalancer.IngressRules {
if (rule.CidrBlocks != nil || rule.IPv6CidrBlocks != nil) && (rule.SourceSecurityGroupIDs != nil || rule.SourceSecurityGroupRoles != nil) {
allErrs = append(allErrs, field.Invalid(field.NewPath("additionalIngressRules"), r.Spec.ControlPlaneLoadBalancer.IngressRules, "CIDR blocks and security group IDs or security group roles cannot be used together"))
allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "ingressRules"), r.Spec.ControlPlaneLoadBalancer.IngressRules, "CIDR blocks and security group IDs or security group roles cannot be used together"))
}
}

Expand Down
91 changes: 88 additions & 3 deletions api/v1beta2/awscluster_webhook_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -335,6 +335,19 @@ func TestAWSClusterValidateCreate(t *testing.T) {
},
wantErr: false,
},
{
name: "rejects ipamPool if id or name not set",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
NetworkSpec: NetworkSpec{
VPC: VPCSpec{
IPAMPool: &IPAMPool{},
},
},
},
},
wantErr: true,
},
{
name: "rejects cidrBlock and ipamPool if set together",
cluster: &AWSCluster{
Expand All @@ -350,18 +363,90 @@ func TestAWSClusterValidateCreate(t *testing.T) {
wantErr: true,
},
{
name: "rejects ipamPool if id or name not set",
name: "accepts CP ingress rules with source security group id and role",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
NetworkSpec: NetworkSpec{
VPC: VPCSpec{
IPAMPool: &IPAMPool{},
AdditionalControlPlaneIngressRules: []IngressRule{
{
Protocol: SecurityGroupProtocolTCP,
SourceSecurityGroupIDs: []string{"test"},
SourceSecurityGroupRoles: []SecurityGroupRole{SecurityGroupBastion},
},
},
},
},
},
wantErr: false,
},
{
name: "rejects CP ingress rules with cidr block and source security group id",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
NetworkSpec: NetworkSpec{
AdditionalControlPlaneIngressRules: []IngressRule{
{
Protocol: SecurityGroupProtocolTCP,
CidrBlocks: []string{"test"},
SourceSecurityGroupIDs: []string{"test"},
},
},
},
},
},
wantErr: true,
},
{
name: "rejects CP ingress rules with cidr block and source security group id and role",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
NetworkSpec: NetworkSpec{
AdditionalControlPlaneIngressRules: []IngressRule{
{
Protocol: SecurityGroupProtocolTCP,
IPv6CidrBlocks: []string{"test"},
SourceSecurityGroupIDs: []string{"test"},
SourceSecurityGroupRoles: []SecurityGroupRole{SecurityGroupBastion},
},
},
},
},
},
wantErr: true,
},
{
name: "accepts CP ingress rules with cidr block",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
NetworkSpec: NetworkSpec{
AdditionalControlPlaneIngressRules: []IngressRule{
{
Protocol: SecurityGroupProtocolTCP,
CidrBlocks: []string{"test"},
},
},
},
},
},
wantErr: false,
},
{
name: "accepts CP ingress rules with source security group id and role",
alexander-demicev marked this conversation as resolved.
Show resolved Hide resolved
cluster: &AWSCluster{
Spec: AWSClusterSpec{
NetworkSpec: NetworkSpec{
AdditionalControlPlaneIngressRules: []IngressRule{
{
Protocol: SecurityGroupProtocolTCP,
SourceSecurityGroupIDs: []string{"test"},
SourceSecurityGroupRoles: []SecurityGroupRole{SecurityGroupBastion},
},
},
},
},
},
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
Expand Down
4 changes: 4 additions & 0 deletions api/v1beta2/network_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -240,6 +240,10 @@ type NetworkSpec struct {
// This is optional - if not provided new security groups will be created for the cluster
// +optional
SecurityGroupOverrides map[SecurityGroupRole]string `json:"securityGroupOverrides,omitempty"`

// AdditionalControlPlaneIngressRules is an optional set of ingress rules to add to the control plane
// +optional
AdditionalControlPlaneIngressRules []IngressRule `json:"additionalControlPlaneIngressRules,omitempty"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how is this different from AWSLoadBalancerSpec.IngressRules?
You mention in the PR desc it was a mistake but it seems we are keeping it?

}

// IPv6 contains ipv6 specific settings for the network.
Expand Down
7 changes: 7 additions & 0 deletions api/v1beta2/zz_generated.deepcopy.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

144 changes: 144 additions & 0 deletions config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -357,6 +357,78 @@ spec:
network:
description: NetworkSpec encapsulates all things related to AWS network.
properties:
additionalControlPlaneIngressRules:
description: AdditionalControlPlaneIngressRules is an optional
set of ingress rules to add to the control plane
items:
description: IngressRule defines an AWS ingress rule for security
groups.
properties:
cidrBlocks:
description: List of CIDR blocks to allow access from. Cannot
be specified with SourceSecurityGroupID.
items:
type: string
type: array
description:
description: Description provides extended information about
the ingress rule.
type: string
fromPort:
description: FromPort is the start of port range.
format: int64
type: integer
ipv6CidrBlocks:
description: List of IPv6 CIDR blocks to allow access from.
Cannot be specified with SourceSecurityGroupID.
items:
type: string
type: array
protocol:
description: Protocol is the protocol for the ingress rule.
Accepted values are "-1" (all), "4" (IP in IP),"tcp",
"udp", "icmp", and "58" (ICMPv6).
enum:
- "-1"
- "4"
- tcp
- udp
- icmp
- "58"
type: string
sourceSecurityGroupIds:
description: The security group id to allow access from.
Cannot be specified with CidrBlocks.
items:
type: string
type: array
sourceSecurityGroupRoles:
description: The security group role to allow access from.
Cannot be specified with CidrBlocks. The field will be
combined with source security group IDs if specified.
items:
description: SecurityGroupRole defines the unique role
of a security group.
enum:
- bastion
- node
- controlplane
- apiserver-lb
- lb
- node-eks-additional
type: string
type: array
toPort:
description: ToPort is the end of port range.
format: int64
type: integer
required:
- description
- fromPort
- protocol
- toPort
type: object
type: array
cni:
description: CNI configuration
properties:
Expand Down Expand Up @@ -1852,6 +1924,78 @@ spec:
network:
description: NetworkSpec encapsulates all things related to AWS network.
properties:
additionalControlPlaneIngressRules:
description: AdditionalControlPlaneIngressRules is an optional
set of ingress rules to add to the control plane
items:
description: IngressRule defines an AWS ingress rule for security
groups.
properties:
cidrBlocks:
description: List of CIDR blocks to allow access from. Cannot
be specified with SourceSecurityGroupID.
items:
type: string
type: array
description:
description: Description provides extended information about
the ingress rule.
type: string
fromPort:
description: FromPort is the start of port range.
format: int64
type: integer
ipv6CidrBlocks:
description: List of IPv6 CIDR blocks to allow access from.
Cannot be specified with SourceSecurityGroupID.
items:
type: string
type: array
protocol:
description: Protocol is the protocol for the ingress rule.
Accepted values are "-1" (all), "4" (IP in IP),"tcp",
"udp", "icmp", and "58" (ICMPv6).
enum:
- "-1"
- "4"
- tcp
- udp
- icmp
- "58"
type: string
sourceSecurityGroupIds:
description: The security group id to allow access from.
Cannot be specified with CidrBlocks.
items:
type: string
type: array
sourceSecurityGroupRoles:
description: The security group role to allow access from.
Cannot be specified with CidrBlocks. The field will be
combined with source security group IDs if specified.
items:
description: SecurityGroupRole defines the unique role
of a security group.
enum:
- bastion
- node
- controlplane
- apiserver-lb
- lb
- node-eks-additional
type: string
type: array
toPort:
description: ToPort is the end of port range.
format: int64
type: integer
required:
- description
- fromPort
- protocol
- toPort
type: object
type: array
cni:
description: CNI configuration
properties:
Expand Down
Loading