Merge pull request kubernetes-sigs#3028 from spectrocloud/disable-bas…

…tion-sg EKS: disable bastion sg when bastion is disabled
databricks · Dec 14, 2021 · ff3cbcb · ff3cbcb
2 parents de0fb7c + 5b5510e
commit ff3cbcb
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 6 deletions.
diff --git a/controlplane/eks/controllers/awsmanagedcontrolplane_controller.go b/controlplane/eks/controllers/awsmanagedcontrolplane_controller.go
@@ -59,7 +59,6 @@ const (
 
 var (
 	eksSecurityGroupRoles = []infrav1.SecurityGroupRole{
-		infrav1.SecurityGroupBastion,
 		infrav1.SecurityGroupEKSNodeAdditional,
 	}
 )
@@ -203,6 +202,10 @@ func (r *AWSManagedControlPlaneReconciler) reconcileNormal(ctx context.Context,
 		return ctrl.Result{}, err
 	}
 
+	if awsManagedControlPlane.Spec.Bastion.Enabled {
+		eksSecurityGroupRoles = append(eksSecurityGroupRoles, infrav1.SecurityGroupBastion)
+	}
+
 	ec2Service := ec2.NewService(managedScope)
 	networkSvc := network.NewService(managedScope)
 	ekssvc := eks.NewService(managedScope)

diff --git a/pkg/cloud/services/securitygroup/securitygroups.go b/pkg/cloud/services/securitygroup/securitygroups.go
@@ -483,7 +483,6 @@ func (s *Service) getSecurityGroupIngressRules(role infrav1.SecurityGroupRole) (
 		}, nil
 	case infrav1.SecurityGroupControlPlane:
 		rules := infrav1.IngressRules{
-			s.defaultSSHIngressRule(s.scope.SecurityGroups()[infrav1.SecurityGroupBastion].ID),
 			{
 				Description: "Kubernetes API",
 				Protocol:    infrav1.SecurityGroupProtocolTCP,
@@ -510,11 +509,13 @@ func (s *Service) getSecurityGroupIngressRules(role infrav1.SecurityGroupRole) (
 				SourceSecurityGroupIDs: []string{s.scope.SecurityGroups()[infrav1.SecurityGroupControlPlane].ID},
 			},
 		}
+		if s.scope.Bastion().Enabled {
+			rules = append(rules, s.defaultSSHIngressRule(s.scope.SecurityGroups()[infrav1.SecurityGroupBastion].ID))
+		}
 		return append(cniRules, rules...), nil
 
 	case infrav1.SecurityGroupNode:
 		rules := infrav1.IngressRules{
-			s.defaultSSHIngressRule(s.scope.SecurityGroups()[infrav1.SecurityGroupBastion].ID),
 			{
 				Description: "Node Port Services",
 				Protocol:    infrav1.SecurityGroupProtocolTCP,
@@ -534,11 +535,17 @@ func (s *Service) getSecurityGroupIngressRules(role infrav1.SecurityGroupRole) (
 				},
 			},
 		}
+		if s.scope.Bastion().Enabled {
+			rules = append(rules, s.defaultSSHIngressRule(s.scope.SecurityGroups()[infrav1.SecurityGroupBastion].ID))
+		}
 		return append(cniRules, rules...), nil
 	case infrav1.SecurityGroupEKSNodeAdditional:
-		return infrav1.IngressRules{
-			s.defaultSSHIngressRule(s.scope.SecurityGroups()[infrav1.SecurityGroupBastion].ID),
-		}, nil
+		if s.scope.Bastion().Enabled {
+			return infrav1.IngressRules{
+				s.defaultSSHIngressRule(s.scope.SecurityGroups()[infrav1.SecurityGroupBastion].ID),
+			}, nil
+		}
+		return infrav1.IngressRules{}, nil
 	case infrav1.SecurityGroupAPIServerLB:
 		return infrav1.IngressRules{
 			{