azure: Add support for dns=none #15627
Conversation
k8s-ci-robot
added
cncf-cla: yes
| @@ -30,84 +30,6 @@ func TestPrecreateDNSNames(t *testing.T) { | |||
| cluster *kops.Cluster | |||
| expected []recordKey | |||
| }{ | |||
| { | |||
There was a problem hiding this comment.
Azure doesn't do any DNS operations, so these test cases are useless.
| @@ -1321,7 +1321,7 @@ func setupDNSTopology(opt *NewClusterOptions, cluster *api.Cluster) error { | |||
| switch strings.ToLower(opt.DNSType) { | |||
| case "": | |||
| switch cluster.Spec.GetCloudProvider() { | |||
| case api.CloudProviderHetzner, api.CloudProviderDO: | |||
| case api.CloudProviderHetzner, api.CloudProviderDO, api.CloudProviderAzure: | |||
There was a problem hiding this comment.
We should move most, if not all cloud providers to dns=none soon.
Gossip is a much worse choice and Public DNS is only available on a few cloud providers.
| @@ -151,6 +179,7 @@ func (*LoadBalancer) RenderAzure(t *azure.AzureAPITarget, a, e, changes *LoadBal | |||
| ID: to.StringPtr(fmt.Sprintf("/%s/virtualNetworks/%s/subnets/%s", idPrefix, *e.Subnet.VirtualNetwork.Name, *e.Subnet.Name)), | |||
| } | |||
| } | |||
| // TODO: Move hardcoded values to the model | |||
There was a problem hiding this comment.
Almost everything about LB is hardcoded. We should move this to model soon. For now it is good enough.
| @@ -24,7 +24,7 @@ import ( | |||
|
|
|||
| // UseKopsControllerForNodeBootstrap is true if nodeup should use kops-controller for bootstrapping. | |||
| func UseKopsControllerForNodeBootstrap(cloudProvider kops.CloudProviderID) bool { | |||
| return cloudProvider != kops.CloudProviderAzure | |||
| return true | |||
There was a problem hiding this comment.
I'll take on removing the dead code this leaves behind.
| }, nil | ||
| } | ||
|
|
||
| func (a azureVerifier) VerifyToken(ctx context.Context, rawRequest *http.Request, token string, body []byte, useInstanceIDForNodeName bool) (*bootstrap.VerifyResult, error) { |
There was a problem hiding this comment.
This doesn't validate that the VM should actually be allowed to join the cluster, it seems to accept a token from any VM in the resource group. For comparison, the AWS verifier checks that the assumed role in the GetCallerIdentity response matches an IAM role used by any of the cluster's instance groups.
Can we do something similar here?
There was a problem hiding this comment.
True. It checks at least to be in same resource group. Will check to see if I can lock down things more here.
There was a problem hiding this comment.
There may be a more secure solution by using the attested data, though will be something for the future.
For now I added the VM ID, which should be pretty hard to guess without access to the resource group.
https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux#attested-data
There was a problem hiding this comment.
Can we verify the VM's VMSS is of a known kOps InstanceGroup?
There was a problem hiding this comment.
That should be checked further along in the process. This is why we set result.InstanceGroupName.
There was a problem hiding this comment.
It may be safer to take the IG name from the VMSS name, instead of the tag. WDYT?
k8s-ci-robot
added
size/L
|
/retest |
k8s-ci-robot
added
size/XL
k8s-ci-robot
added
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: justinsb The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
I'm fine with the security improvements happening in a follow up |
k8s-ci-robot
removed
the
do-not-merge/hold
/cc @justinsb
/assign @justinsb
/kind office-hours