Fix inbound rule to allow only APIServerPort

Signed-off-by: Prajyot-Parab <[email protected]>

cloud/scope/cluster.go

@@ -186,8 +186,10 @@ func (s *ClusterScope) updateDefaultSG(sgID string) error {
 	options.SetSecurityGroupID(sgID)
 	options.SetSecurityGroupRulePrototype(&vpcv1.SecurityGroupRulePrototype{
 		Direction: core.StringPtr("inbound"),
-		Protocol:  core.StringPtr("all"),
+		Protocol:  core.StringPtr("tcp"),
 		IPVersion: core.StringPtr("ipv4"),
+		PortMin:   core.Int64Ptr(int64(s.APIServerPort())),
+		PortMax:   core.Int64Ptr(int64(s.APIServerPort())),
 	})
 	_, _, err := s.IBMVPCClient.CreateSecurityGroupRule(options)
 	if err != nil {

cloud/scope/machine.go

@@ -522,3 +522,11 @@ func (m *MachineScope) SetProviderID(id *string) error {
 	}
 	return nil
 }
+
+// APIServerPort returns the APIServerPort.
+func (m *MachineScope) APIServerPort() int32 {
+	if m.Cluster.Spec.ClusterNetwork != nil && m.Cluster.Spec.ClusterNetwork.APIServerPort != nil {
+		return *m.Cluster.Spec.ClusterNetwork.APIServerPort
+	}
+	return 6443
+}

controllers/ibmvpcmachine_controller.go

@@ -190,7 +190,7 @@ func (r *IBMVPCMachineReconciler) reconcileNormal(machineScope *scope.MachineSco
 					return ctrl.Result{}, fmt.Errorf("invalid primary ip address")
 				}
 				internalIP := instance.PrimaryNetworkInterface.PrimaryIP.Address
-				port := int64(6443)
+				port := int64(machineScope.APIServerPort())
 				poolMember, err := machineScope.CreateVPCLoadBalancerPoolMember(internalIP, port)
 				if err != nil {
 					return ctrl.Result{}, errors.Wrapf(err, "failed to bind port %d to control plane %s/%s", port, machineScope.IBMVPCMachine.Namespace, machineScope.IBMVPCMachine.Name)

controllers/ibmvpcmachine_controller_test.go

@@ -356,6 +356,7 @@ func TestIBMVPCMachineLBReconciler_reconcile(t *testing.T) {
 					},
 				},
 			},
+			Cluster:      &capiv1beta1.Cluster{},
 			IBMVPCClient: mockvpc,
 		}
 		return gomock.NewController(t), mockvpc, machineScope, reconciler