Merge pull request kubernetes#16006 from hakman/aws_fix_dns-none

aws: Attach security group to NLBs for kops-controller
johngmyers · Oct 8, 2023 · 614efad · 614efad
2 parents d2b789d + e1caa8a
commit 614efad
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 0 deletions.
diff --git a/pkg/model/awsmodel/api_loadbalancer.go b/pkg/model/awsmodel/api_loadbalancer.go
@@ -449,6 +449,24 @@ func (b *APILoadBalancerBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 		}
 	}
 
+	if b.Cluster.UsesNoneDNS() {
+		nodeGroups, err := b.GetSecurityGroups(kops.InstanceGroupRoleNode)
+		if err != nil {
+			return err
+		}
+
+		for _, nodeGroup := range nodeGroups {
+			suffix := nodeGroup.Suffix
+			t := &awstasks.SecurityGroupRule{
+				Name:          fi.PtrTo(fmt.Sprintf("node%s-to-elb", suffix)),
+				Lifecycle:     b.SecurityLifecycle,
+				SecurityGroup: lbSG,
+				SourceGroup:   nodeGroup.Task,
+			}
+			c.AddTask(t)
+		}
+	}
+
 	masterGroups, err := b.GetSecurityGroups(kops.InstanceGroupRoleControlPlane)
 	if err != nil {
 		return err
@@ -517,6 +535,17 @@ func (b *APILoadBalancerBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 				SourceGroup:   masterGroup.Task,
 				ToPort:        fi.PtrTo(int64(4)),
 			})
+			if b.Cluster.UsesNoneDNS() {
+				c.AddTask(&awstasks.SecurityGroupRule{
+					Name:          fi.PtrTo(fmt.Sprintf("kops-controller-elb-to-cp%s", suffix)),
+					Lifecycle:     b.SecurityLifecycle,
+					FromPort:      fi.PtrTo(int64(wellknownports.KopsControllerPort)),
+					Protocol:      fi.PtrTo("tcp"),
+					SecurityGroup: masterGroup.Task,
+					ToPort:        fi.PtrTo(int64(wellknownports.KopsControllerPort)),
+					SourceGroup:   lbSG,
+				})
+			}
 		}
 	}
 

diff --git a/pkg/model/awsmodel/firewall.go b/pkg/model/awsmodel/firewall.go
@@ -315,6 +315,7 @@ func (b *AWSModelContext) GetSecurityGroups(role kops.InstanceGroupRole) ([]Secu
 				"port=443",  // k8s api
 				"port=2380", // etcd main peer
 				"port=2381", // etcd events peer
+				"port=3988", // kops-controller
 				"port=4001", // etcd main
 				"port=4002", // etcd events
 				"port=4789", // VXLAN

diff --git a/tests/integration/update_cluster/minimal-dns-none/kubernetes.tf b/tests/integration/update_cluster/minimal-dns-none/kubernetes.tf
@@ -1063,6 +1063,24 @@ resource "aws_security_group_rule" "icmpv6-pmtu-api-elb-__--0" {
   type              = "ingress"
 }
 
+resource "aws_security_group_rule" "kops-controller-elb-to-cp" {
+  from_port                = 3988
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.masters-minimal-example-com.id
+  source_security_group_id = aws_security_group.api-elb-minimal-example-com.id
+  to_port                  = 3988
+  type                     = "ingress"
+}
+
+resource "aws_security_group_rule" "node-to-elb" {
+  from_port                = 0
+  protocol                 = "-1"
+  security_group_id        = aws_security_group.api-elb-minimal-example-com.id
+  source_security_group_id = aws_security_group.nodes-minimal-example-com.id
+  to_port                  = 0
+  type                     = "ingress"
+}
+
 resource "aws_sqs_queue" "minimal-example-com-nth" {
   message_retention_seconds = 300
   name                      = "minimal-example-com-nth"