From 6dd31d968062c6dc075c5c1bc1ba01877c22aaa2 Mon Sep 17 00:00:00 2001
From: Ciprian Hacman
Date: Sat, 7 Oct 2023 15:56:52 +0300
Subject: [PATCH 1/2] aws: Attach security group to NLBs for kops-controller

---
 pkg/model/awsmodel/api_loadbalancer.go | 29 ++++++++++++++++++++++++++
 pkg/model/awsmodel/firewall.go | 1 +
 2 files changed, 30 insertions(+)

diff --git a/pkg/model/awsmodel/api_loadbalancer.go b/pkg/model/awsmodel/api_loadbalancer.go
index 844b356cc475e..b5158ca6e0ddb 100644
--- a/pkg/model/awsmodel/api_loadbalancer.go
+++ b/pkg/model/awsmodel/api_loadbalancer.go
@@ -449,6 +449,24 @@ func (b *APILoadBalancerBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 }
 }
+ if b.Cluster.UsesNoneDNS() {
+ nodeGroups, err := b.GetSecurityGroups(kops.InstanceGroupRoleNode)
+ if err != nil {
+ return err
+ }
+
+ for _, nodeGroup := range nodeGroups {
+ suffix := nodeGroup.Suffix
+ t := &awstasks.SecurityGroupRule{
+ Name: fi.PtrTo(fmt.Sprintf("node%s-to-elb", suffix)),
+ Lifecycle: b.SecurityLifecycle,
+ SecurityGroup: lbSG,
+ SourceGroup: nodeGroup.Task,
+ }
+ c.AddTask(t)
+ }
+ }
+
 masterGroups, err := b.GetSecurityGroups(kops.InstanceGroupRoleControlPlane)
 if err != nil {
 return err
@@ -517,6 +535,17 @@ func (b *APILoadBalancerBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 SourceGroup: masterGroup.Task,
 ToPort: fi.PtrTo(int64(4)),
 }),
+ if b.Cluster.UsesNoneDNS() {
+ c.AddTask(&awstasks.SecurityGroupRule{
+ Name: fi.PtrTo(fmt.Sprintf("kops-controller-elb-to-cp%s", suffix)),
+ Lifecycle: b.SecurityLifecycle,
+ FromPort: fi.PtrTo(int64(wellknownports.KopsControllerPort)),
+ Protocol: fi.PtrTo("tcp"),
+ SecurityGroup: masterGroup.Task,
+ ToPort: fi.PtrTo(int64(wellknownports.KopsControllerPort)),
+ SourceGroup: lbSG,
+ })
+ }
 }
 }
diff --git a/pkg/model/awsmodel/firewall.go b/pkg/model/awsmodel/firewall.go
index 5aa6f857ae41b..8b5476439cad3 100644
--- a/pkg/model/awsmodel/firewall.go
+++ b/pkg/model/awsmodel/firewall.go
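Review bot: The `node%s-to-elb` rule added under the `UsesNoneDNS()` branch sets neither `FromPort`/`ToPort` nor `Protocol`, so it admits all traffic from every node security group into the load balancer's group; the regenerated `tests/integration/update_cluster/minimal-dns-none/kubernetes.tf` in the second patch renders it as `protocol = "-1"`, `from_port = 0`, `to_port = 0`. The second hunk in this same file scopes the matching LB-to-control-plane rule to `wellknownports.KopsControllerPort` over tcp, and the node-to-LB side should be narrowed the same way: `FromPort: fi.PtrTo(int64(wellknownports.KopsControllerPort)),`, `Protocol: fi.PtrTo("tcp"),`, `ToPort: fi.PtrTo(int64(wellknownports.KopsControllerPort)),`. If nodes also reach the API server through this load balancer on 443, that belongs in a second port-scoped rule rather than in an all-protocol rule. As a point of style, binding the task to `t` before `c.AddTask(t)` could use the inline `c.AddTask(&awstasks.SecurityGroupRule{...})` form the rest of Build uses. Build's body continues on both sides of the hunk.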
@@ -315,6 +315,7 @@ func (b *AWSModelContext) GetSecurityGroups(role kops.InstanceGroupRole) ([]Secu
 "port=443", // k8s api
 "port=2380", // etcd main peer
 "port=2381", // etcd events peer
+ "port=3988", // kops-controller
 "port=4001", // etcd main
 "port=4002", // etcd events
 "port=4789", // VXLAN
From e1caa8aa2baa95596215985b7b5b896cd4cea2be Mon Sep 17 00:00:00 2001
From: Ciprian Hacman
Date: Sat, 7 Oct 2023 15:57:23 +0300
Subject: [PATCH 2/2] hack/update-expected.sh

---
 .../minimal-dns-none/kubernetes.tf | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/tests/integration/update_cluster/minimal-dns-none/kubernetes.tf b/tests/integration/update_cluster/minimal-dns-none/kubernetes.tf
index df8650e6631d7..8e833de33901d 100644
--- a/tests/integration/update_cluster/minimal-dns-none/kubernetes.tf
+++ b/tests/integration/update_cluster/minimal-dns-none/kubernetes.tf
@@ -1063,6 +1063,24 @@ resource "aws_security_group_rule" "icmpv6-pmtu-api-elb-__--0" {
 type = "ingress"
 }
+resource "aws_security_group_rule" "kops-controller-elb-to-cp" {
+ from_port = 3988
+ protocol = "tcp"
+ security_group_id = aws_security_group.masters-minimal-example-com.id
+ source_security_group_id = aws_security_group.api-elb-minimal-example-com.id
+ to_port = 3988
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "node-to-elb" {
+ from_port = 0
+ protocol = "-1"
+ security_group_id = aws_security_group.api-elb-minimal-example-com.id
+ source_security_group_id = aws_security_group.nodes-minimal-example-com.id
+ to_port = 0
+ type = "ingress"
+}
+
 resource "aws_sqs_queue" "minimal-example-com-nth" {
 message_retention_seconds = 300
 name = "minimal-example-com-nth"
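Review bot: The new `"port=3988"` entry in firewall.go duplicates the value that api_loadbalancer.go takes from `wellknownports.KopsControllerPort`, and nothing ties the two together, so the literal can silently drift from the constant if the port is ever changed. If this list accepts non-constant expressions and the package is imported here, derive it as `fmt.Sprintf("port=%d", wellknownports.KopsControllerPort), // kops-controller`; otherwise at least widen the comment to `// kops-controller (must match wellknownports.KopsControllerPort)`. GetSecurityGroups starts and ends outside the hunk, so I cannot see how the list is consumed.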