Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🐛 fix(securitygroups): Lookup unmanaged NAT Gateway IPs, so provider doesn't add 0.0.0.0/0 SG rule. #5198

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

🐛 fix(securitygroups): Lookup unmanaged NAT Gateway IPs, so provider doesn't add 0.0.0.0/0 SG rule. #5198

wants to merge 1 commit into from

Conversation

sl1pm4t
Copy link

@sl1pm4t sl1pm4t commented Nov 1, 2024
edited
Loading

What type of PR is this?

/kind bug

What this PR does / why we need it:

This fixes an issue that caused the provider to add a security group rule allowing all addresses (0.0.0.0/0) access to the workload cluster API Server, if a cluster was created on an unmanaged VPC. The rule would be added even if the user had provided a list of source address in spec.controlPlaneLoadBalancer.ingressRules.

The rule was being added so the kubelets could reach the API, but 0.0.0.0/0 was a fall back source if the NAT Gateway IPs were not (yet) known. Prior to this PR, In the case of unmanaged VPC, the NAT Gateways IPs were never retrieved so getIngressRulesToAllowKubeletToAccessTheControlPlaneLB() in securitygroups.go would always fall back to using 0.0.0.0/0.

Which issue(s) this PR fixes :
Fixes #5196

Special notes for your reviewer:

Checklist:

  • squashed commits
  • includes documentation
  • includes emojis
  • adds unit tests
  • adds or updates e2e tests

Release note:

Action Required: If deploying clusters to an existing VPC (not managed by the AWS provider), the provider will no longer automatically create a security group rule allowing traffic from all addresses (`0.0.0.0/0`). You may need to update `AWSCluster.spec.controlPlaneLoadBalancer.ingressRules` with the source address of your Management Cluster.

@k8s-ci-robot k8s-ci-robot added release-note-action-required Denotes a PR that introduces potentially breaking changes that require user action. kind/bug Categorizes issue or PR as related to a bug. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Nov 1, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign justinsb for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot requested a review from nrb November 1, 2024 20:27
@k8s-ci-robot k8s-ci-robot added needs-priority needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Nov 1, 2024
@k8s-ci-robot
Copy link
Contributor

Hi @sl1pm4t. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@sl1pm4t sl1pm4t changed the title 🐛 fix(securitygroups): Don't add 0.0.0.0/0 SG rule when using unmanaged VPC. 🐛 fix(securitygroups): Lookup unmanaged NAT Gateway IPs, so provider doesn't add 0.0.0.0/0 SG rule. Nov 1, 2024
@richardcase
Copy link
Member

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Nov 1, 2024
@sl1pm4t
Copy link
Author

sl1pm4t commented Nov 3, 2024

/retest

@richardcase
Copy link
Member

/test ?

@k8s-ci-robot
Copy link
Contributor

@richardcase: The following commands are available to trigger required jobs:

  • /test pull-cluster-api-provider-aws-build
  • /test pull-cluster-api-provider-aws-build-docker
  • /test pull-cluster-api-provider-aws-test
  • /test pull-cluster-api-provider-aws-verify

The following commands are available to trigger optional jobs:

  • /test pull-cluster-api-provider-aws-apidiff-main
  • /test pull-cluster-api-provider-aws-e2e
  • /test pull-cluster-api-provider-aws-e2e-blocking
  • /test pull-cluster-api-provider-aws-e2e-clusterclass
  • /test pull-cluster-api-provider-aws-e2e-conformance
  • /test pull-cluster-api-provider-aws-e2e-conformance-with-ci-artifacts
  • /test pull-cluster-api-provider-aws-e2e-eks
  • /test pull-cluster-api-provider-aws-e2e-eks-gc
  • /test pull-cluster-api-provider-aws-e2e-eks-testing

Use /test all to run the following jobs that were automatically triggered:

  • pull-cluster-api-provider-aws-apidiff-main
  • pull-cluster-api-provider-aws-build
  • pull-cluster-api-provider-aws-build-docker
  • pull-cluster-api-provider-aws-test
  • pull-cluster-api-provider-aws-verify

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@richardcase
Copy link
Member

/test pull-cluster-api-provider-aws-e2e
/test pull-cluster-api-provider-aws-e2e-eks

@sl1pm4t
Copy link
Author

sl1pm4t commented Nov 4, 2024

/retest

@sl1pm4t
Copy link
Author

sl1pm4t commented Nov 6, 2024

/test pull-cluster-api-provider-aws-e2e

@sl1pm4t
Copy link
Author

sl1pm4t commented Nov 8, 2024

/retest

@k8s-ci-robot
Copy link
Contributor

@sl1pm4t: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-cluster-api-provider-aws-e2e f77078a link false /test pull-cluster-api-provider-aws-e2e
pull-cluster-api-provider-aws-e2e-eks f77078a link false /test pull-cluster-api-provider-aws-e2e-eks

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cnmcavoy cnmcavoy Awaiting requested review from cnmcavoy

@nrb nrb Awaiting requested review from nrb

Assignees
No one assigned
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. needs-priority ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note-action-required Denotes a PR that introduces potentially breaking changes that require user action. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

The provider adds a 0.0.0.0/0 SG rule to Control Plane LB in unmanaged mode.
3 participants
@sl1pm4t @k8s-ci-robot @richardcase