SecurityRules should allow user to specify allow/deny rule #3877

Closed
nawazkh opened this issue Aug 23, 2023 · 3 comments · Fixed by #3878
Labels: kind/feature (Categorizes issue or PR as related to a new feature.), priority/important-longterm (Important over the long term, but may not be staffed and/or may need multiple releases to complete.)

Comments

@nawazkh
Member

nawazkh commented Aug 23, 2023

/kind feature

Describe the solution you'd like
[A clear and concise description of what you want to happen.]

  • While auditing SecurityRules conversion at Azure/scope, I observed that CAPZ is defaulting to allowing a specific rule. Refer to
    Access: network.SecurityRuleAccessAllow,
  • I wonder if the user should be allowed to specify the "Action" of a SecurityRule.
    • If yes, we should probably update

      type SecurityRule struct {
        // Name is a unique name within the network security group.
        Name string `json:"name"`
        // A description for this rule. Restricted to 140 chars.
        Description string `json:"description"`
        // Protocol specifies the protocol type. "Tcp", "Udp", "Icmp", or "*".
        // +kubebuilder:validation:Enum=Tcp;Udp;Icmp;*
        Protocol SecurityGroupProtocol `json:"protocol"`
        // Direction indicates whether the rule applies to inbound, or outbound traffic. "Inbound" or "Outbound".
        // +kubebuilder:validation:Enum=Inbound;Outbound
        Direction SecurityRuleDirection `json:"direction"`
        // Priority is a number between 100 and 4096. Each rule should have a unique value for priority. Rules are processed in priority order, with lower numbers processed before higher numbers. Once traffic matches a rule, processing stops.
        // +optional
        Priority int32 `json:"priority,omitempty"`
        // SourcePorts specifies source port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports.
        // +optional
        SourcePorts *string `json:"sourcePorts,omitempty"`
        // DestinationPorts specifies the destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports.
        // +optional
        DestinationPorts *string `json:"destinationPorts,omitempty"`
        // Source specifies the CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from.
        // +optional
        Source *string `json:"source,omitempty"`
        // Destination is the destination address prefix. CIDR or destination IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used.
        // +optional
        Destination *string `json:"destination,omitempty"`
      }

      and other related code to allow the user to specify "Action" as well, as mentioned in the Azure docs on SecurityGroups.

Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]

  • I may be missing the context on the design decision to allow it by default (Access: network.SecurityRuleAccessAllow,).
    • If this is the expected behavior and we want to allow the custom rules specified, I will close this issue with the reason specified.

Environment:

  • cluster-api-provider-azure version: v1.10.2
  • Kubernetes version: (use kubectl version):
  • OS (e.g. from /etc/os-release):
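The change proposed in the issue above, as an added Go example that is not part of this issue or of CAPZ itself: a cut-down SecurityRule with a hypothetical Action field, a local stand-in for the SDK's network.SecurityRule so nothing here needs the Azure SDK, the current hardcoded-Allow conversion next to one that honours Action (defaulting to Allow so existing manifests keep their meaning, and rejecting anything other than Allow or Deny), and a first-match-wins evaluator in priority order that shows what a Deny rule changes. The type and constant names, the Action field, and the two sample rules are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// SecurityRuleAccess is the proposed value type for the new field (hypothetical;
// not CAPZ's actual API). It mirrors the NSG "access" property: "Allow" or "Deny".
type SecurityRuleAccess string

const (
	SecurityRuleAccessAllow SecurityRuleAccess = "Allow"
	SecurityRuleAccessDeny  SecurityRuleAccess = "Deny"
)

// SecurityRule is a trimmed-down version of the struct quoted in the issue,
// with the proposed Action field added (assumed name).
type SecurityRule struct {
	Name             string
	Protocol         string
	Direction        string
	Priority         int32
	DestinationPorts *string
	// Action decides whether matching traffic is allowed or denied.
	// Empty keeps today's behaviour (Allow) so existing manifests do not change.
	Action SecurityRuleAccess
}

// armSecurityRule stands in for the SDK's network.SecurityRule (constructed
// locally so the example runs offline).
type armSecurityRule struct {
	Name            string
	Priority        int32
	DestinationPort string
	Access          string
}

// destPort treats an unset DestinationPorts as "*" (match all ports).
func destPort(r SecurityRule) string {
	if r.DestinationPorts == nil {
		return "*"
	}
	return *r.DestinationPorts
}

// convertBefore mirrors the behaviour the issue points at: Access is always
// Allow, whatever the user wrote.
func convertBefore(r SecurityRule) armSecurityRule {
	return armSecurityRule{Name: r.Name, Priority: r.Priority, DestinationPort: destPort(r), Access: "Allow"}
}

// convertAfter honours Action, defaulting to Allow when unset and rejecting
// values other than Allow or Deny before they reach the API.
func convertAfter(r SecurityRule) (armSecurityRule, error) {
	access := r.Action
	if access == "" {
		access = SecurityRuleAccessAllow
	}
	switch access {
	case SecurityRuleAccessAllow, SecurityRuleAccessDeny:
	default:
		return armSecurityRule{}, fmt.Errorf("rule %q: invalid action %q (want Allow or Deny)", r.Name, r.Action)
	}
	return armSecurityRule{Name: r.Name, Priority: r.Priority, DestinationPort: destPort(r), Access: string(access)}, nil
}

// effectiveAccess walks the rules in priority order (lowest number first) and
// returns the access of the first rule whose destination port matches; with no
// match it returns "Deny", standing in for the NSG's DenyAllInBound default rule.
func effectiveAccess(rules []armSecurityRule, port string) string {
	sorted := append([]armSecurityRule(nil), rules...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Priority < sorted[j].Priority })
	for _, r := range sorted {
		if r.DestinationPort == "*" || r.DestinationPort == port {
			return r.Access
		}
	}
	return "Deny"
}

// sampleRules is a constructed rule set: deny SSH first, then allow everything.
func sampleRules() []SecurityRule {
	ssh, all := "22", "*"
	return []SecurityRule{
		{Name: "deny-ssh", Protocol: "Tcp", Direction: "Inbound", Priority: 100, DestinationPorts: &ssh, Action: SecurityRuleAccessDeny},
		{Name: "allow-all", Protocol: "*", Direction: "Inbound", Priority: 200, DestinationPorts: &all, Action: SecurityRuleAccessAllow},
	}
}

func main() {
	var before, after []armSecurityRule
	for _, r := range sampleRules() {
		before = append(before, convertBefore(r))
		a, err := convertAfter(r)
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		after = append(after, a)
	}
	fmt.Println("port 22, hardcoded Allow:  ", effectiveAccess(before, "22"))
	fmt.Println("port 22, Action honoured:  ", effectiveAccess(after, "22"))
	fmt.Println("port 443, Action honoured: ", effectiveAccess(after, "443"))
}
```

With the hardcoded conversion the user's deny-ssh rule silently becomes an allow, so port 22 is reachable; once Action is carried through, the lower-priority Deny wins for port 22 while port 443 still falls through to allow-all. Validating the value in the converter (or via a kubebuilder enum marker on the field) keeps a typo such as "Permit" from reaching the API.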
@k8s-ci-robot k8s-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Aug 23, 2023
@nawazkh
Member Author

nawazkh commented Aug 23, 2023

I discovered this as part of auditing #3377.
Self-assigning since I have an idea of the changes needed to be done in that case.
/assign

@nawazkh
Member Author

nawazkh commented Aug 23, 2023

Wanted to get this on your radar @bavarianbidi

@nawazkh nawazkh changed the title SecurityRules should allow user to specify allow/deny a rule. SecurityRules should allow user to specify allow/deny rule Aug 23, 2023
@nawazkh nawazkh added this to the v1.11 milestone Aug 24, 2023
@mboersma
Contributor

/priority important-longterm

@k8s-ci-robot k8s-ci-robot added the priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. label Aug 24, 2023
@github-project-automation github-project-automation bot moved this from In Progress to Done in CAPZ Planning Aug 31, 2023