From 450538671c517b9bd8f453d10fc48e859512a86e Mon Sep 17 00:00:00 2001
From: Prajyot-Parab
Date: Wed, 22 Mar 2023 00:04:43 +0530
Subject: [PATCH] Fix inbound rule to allow only APIServerPort
Signed-off-by: Prajyot-Parab
---
 cloud/scope/cluster.go | 4 +++-
 cloud/scope/machine.go | 8 ++++++++
 controllers/ibmvpcmachine_controller.go | 2 +-
 controllers/ibmvpcmachine_controller_test.go | 1 +
 4 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/cloud/scope/cluster.go b/cloud/scope/cluster.go
index a9dd0d85f..5f0b322d9 100644
--- a/cloud/scope/cluster.go
+++ b/cloud/scope/cluster.go
@@ -186,8 +186,10 @@ func (s *ClusterScope) updateDefaultSG(sgID string) error {
 options.SetSecurityGroupID(sgID)
 options.SetSecurityGroupRulePrototype(&vpcv1.SecurityGroupRulePrototype{
 Direction: core.StringPtr("inbound"),
- Protocol: core.StringPtr("all"),
+ Protocol: core.StringPtr("tcp"),
 IPVersion: core.StringPtr("ipv4"),
+ PortMin: core.Int64Ptr(int64(s.APIServerPort())),
+ PortMax: core.Int64Ptr(int64(s.APIServerPort())),
 })
 _, _, err := s.IBMVPCClient.CreateSecurityGroupRule(options)
 if err != nil {
diff --git a/cloud/scope/machine.go b/cloud/scope/machine.go
index d7cdeb5fb..19fc38514 100644
--- a/cloud/scope/machine.go
+++ b/cloud/scope/machine.go
@@ -522,3 +522,11 @@ func (m *MachineScope) SetProviderID(id *string) error {
 }
 return nil
 }
+
+ // APIServerPort returns the APIServerPort.
+ func (m *MachineScope) APIServerPort() int32 {
+ if m.Cluster.Spec.ClusterNetwork != nil && m.Cluster.Spec.ClusterNetwork.APIServerPort != nil {
+ return *m.Cluster.Spec.ClusterNetwork.APIServerPort
+ }
+ return 6443
+ }
diff --git a/controllers/ibmvpcmachine_controller.go b/controllers/ibmvpcmachine_controller.go
index bf18b783b..389aeca7f 100644
--- a/controllers/ibmvpcmachine_controller.go
+++ b/controllers/ibmvpcmachine_controller.go
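Review bot: The inbound rule is now TCP on the API server port only, but the prototype in this hunk sets no Remote, and the IBM VPC API treats an omitted remote as any source, so unless updateDefaultSG (which starts and ends outside the hunk) applies a source elsewhere the port is reachable from 0.0.0.0/0; if narrower access is intended, set a Remote CIDR or security-group reference and record the intent in a comment. Clusters that already received the earlier protocol-"all" rule keep it unless this path also deletes the old rule, which the hunk does not show — worth confirming, since the tightening otherwise only applies to newly created rules. Minor: `s.APIServerPort()` is evaluated twice; hoist it with `port := int64(s.APIServerPort())` and use `PortMin: core.Int64Ptr(port),` / `PortMax: core.Int64Ptr(port),`.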
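Review bot: APIServerPort dereferences `m.Cluster` without a nil check, and the test hunk in controllers/ibmvpcmachine_controller_test.go now has to add `Cluster: &capiv1beta1.Cluster{}` to its scope, which suggests a MachineScope with a nil Cluster is reachable in practice. Either guard it, `if m.Cluster != nil && m.Cluster.Spec.ClusterNetwork != nil && m.Cluster.Spec.ClusterNetwork.APIServerPort != nil {`, or state in the comment that the scope constructor guarantees Cluster is set. The doc comment only restates the name; suggest `// APIServerPort returns the API server port from the cluster's ClusterNetwork spec, or 6443 when it is unset.` The literal 6443 presumably mirrors the ClusterScope.APIServerPort that cloud/scope/cluster.go calls but this patch does not show; a single shared constant would keep the security-group rule and the load-balancer pool member port in controllers/ibmvpcmachine_controller.go on the same value by construction.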
@@ -190,7 +190,7 @@ func (r *IBMVPCMachineReconciler) reconcileNormal(machineScope *scope.MachineSco
 return ctrl.Result{}, fmt.Errorf("invalid primary ip address")
 }
 internalIP := instance.PrimaryNetworkInterface.PrimaryIP.Address
- port := int64(6443)
+ port := int64(machineScope.APIServerPort())
 poolMember, err := machineScope.CreateVPCLoadBalancerPoolMember(internalIP, port)
 if err != nil {
 return ctrl.Result{}, errors.Wrapf(err, "failed to bind port %d to control plane %s/%s", port, machineScope.IBMVPCMachine.Namespace, machineScope.IBMVPCMachine.Name)
diff --git a/controllers/ibmvpcmachine_controller_test.go b/controllers/ibmvpcmachine_controller_test.go
index f17a2010e..7ec95659c 100644
--- a/controllers/ibmvpcmachine_controller_test.go
+++ b/controllers/ibmvpcmachine_controller_test.go
@@ -356,6 +356,7 @@ func TestIBMVPCMachineLBReconciler_reconcile(t *testing.T) {
 },
 },
 },
+ Cluster: &capiv1beta1.Cluster{},
 IBMVPCClient: mockvpc,
 }
 return gomock.NewController(t), mockvpc, machineScope, reconciler