
cloud/azure: make icmp_allow_all rule ICMP-only #12559

Merged
merged 1 commit into from
Aug 15, 2023

Conversation

embik
Copy link
Member

@embik embik commented Aug 15, 2023

What this PR does / why we need it:
Historically, KKP created an Azure NSG that had a workaround/hack in place to only allow ICMP traffic:

// Alright, so here's the deal. We need to allow ICMP, but on Azure it is not possible
// to specify ICMP as a protocol in a rule - only TCP or UDP.
// Therefore we're hacking around it by first blocking all incoming TCP and UDP
// and if these don't match, we have an "allow all" rule. Dirty, but the only way.
// See also: https://tinyurl.com/azure-allow-icmp

This has been in the code forever, the link goes to a 2015 page, and in the meantime Azure has introduced ICMP as protocol for NSG rules. So this PR does the following things:

  • Changes the icmp_allow_all rule to actually only allow ICMP as protocol
  • Moves the icmp_allow_all rule before the TCP and UDP deny-all rules in priority

Because Azure is implemented as reconciling provider, this change will be applied to existing clusters as well.

Which issue(s) this PR fixes:

Fixes #

What type of PR is this?
/kind cleanup

Special notes for your reviewer:

Does this PR introduce a user-facing change? Then add your Release Note here:

The `icmp_allow_all` rule of the Azure NSG created for each cluster now only allows ICMP and takes precedence over the TCP and UDP catch-all rules that were guarding it

Documentation:

NONE

Signed-off-by: Marvin Beckers <marvin@kubermatic.com>
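The description above explains the change as two NSG rule edits: the protocol of `icmp_allow_all` becomes ICMP, and its priority moves ahead of the TCP/UDP deny-all rules. The following Go program is an added example (not KKP's code and not the Azure SDK) that models Azure's NSG evaluation order (lower priority number first, first match decides, built-in `DenyAllInBound` otherwise) over a reduced rule shape that only looks at the protocol field. Rule names follow the PR; the priorities, the `Esp` probe and the `Evaluate`, `LegacyRules` and `FixedRules` helpers are assumptions constructed for this example. Running it shows why the old catch-all was wider than intended: it allowed every IP protocol other than TCP and UDP, not just ICMP, whereas the fixed rule set allows ICMP alone.

```go
package main

import (
	"fmt"
	"sort"
)

// Protocol mirrors the protocol field of an Azure NSG security rule.
// "*" matches every IP protocol; the others match only that protocol.
type Protocol string

const (
	ProtoAny  Protocol = "*"
	ProtoTCP  Protocol = "Tcp"
	ProtoUDP  Protocol = "Udp"
	ProtoICMP Protocol = "Icmp"
)

// Rule is a reduced model of one inbound NSG rule, keeping only the fields
// this comparison needs. Source, destination and port matching are left out
// on purpose, so this is an illustration and not a full NSG evaluator.
type Rule struct {
	Name     string
	Priority int // lower number = evaluated first
	Protocol Protocol
	Allow    bool
}

// Evaluate applies NSG semantics to an inbound packet of the given protocol:
// rules are processed in ascending priority and the first match decides.
// If nothing matches, Azure's built-in DenyAllInBound rule applies, which is
// modelled here as the fallback.
func Evaluate(rules []Rule, proto Protocol) (matched string, allowed bool) {
	ordered := append([]Rule(nil), rules...)
	sort.Slice(ordered, func(i, j int) bool { return ordered[i].Priority < ordered[j].Priority })
	for _, r := range ordered {
		if r.Protocol == ProtoAny || r.Protocol == proto {
			return r.Name, r.Allow
		}
	}
	return "DenyAllInBound", false
}

// LegacyRules reconstructs the workaround quoted in the PR description:
// deny all TCP, deny all UDP, then an "allow all" catch-all that was meant to
// let only ICMP through. Priorities are constructed for this example.
func LegacyRules() []Rule {
	return []Rule{
		{Name: "deny_all_tcp", Priority: 200, Protocol: ProtoTCP, Allow: false},
		{Name: "deny_all_udp", Priority: 201, Protocol: ProtoUDP, Allow: false},
		{Name: "icmp_allow_all", Priority: 202, Protocol: ProtoAny, Allow: true},
	}
}

// FixedRules models the rule set after this PR: icmp_allow_all is ICMP-only
// and sits in front of the TCP/UDP deny rules. Priorities are constructed.
func FixedRules() []Rule {
	return []Rule{
		{Name: "icmp_allow_all", Priority: 199, Protocol: ProtoICMP, Allow: true},
		{Name: "deny_all_tcp", Priority: 200, Protocol: ProtoTCP, Allow: false},
		{Name: "deny_all_udp", Priority: 201, Protocol: ProtoUDP, Allow: false},
	}
}

func main() {
	// "Esp" stands in for any IP protocol that is neither TCP, UDP nor ICMP.
	probes := []Protocol{ProtoTCP, ProtoUDP, ProtoICMP, Protocol("Esp")}
	sets := []struct {
		label string
		rules []Rule
	}{{"legacy", LegacyRules()}, {"fixed", FixedRules()}}
	for _, s := range sets {
		for _, p := range probes {
			rule, ok := Evaluate(s.rules, p)
			fmt.Printf("%-6s %-5s -> allowed=%-5t (matched %s)\n", s.label, p, ok, rule)
		}
	}
}
```

The legacy set reports `Esp` as allowed by `icmp_allow_all`, which is the gap the ICMP-only protocol closes; the fixed set denies it through the default rule while ICMP still matches `icmp_allow_all` before the deny rules get a chance to see it. A practical check after the reconcile is to list the NSG's rules and confirm the protocol and priority of `icmp_allow_all` relative to the two deny rules rather than trusting the rule name.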
@embik embik requested a review from kron4eg August 15, 2023 14:26
@kubermatic-bot kubermatic-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. docs/none Denotes a PR that doesn't need documentation (changes). kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. dco-signoff: yes Denotes that all commits in the pull request have the valid DCO signoff message. approved Indicates a PR has been approved by an approver from all required OWNERS files. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. sig/cluster-management Denotes a PR or issue as being assigned to SIG Cluster Management. labels Aug 15, 2023
@embik
Copy link
Member Author

embik commented Aug 15, 2023

/test pre-kubermatic-e2e-azure-ubuntu-1.27

@kron4eg
Copy link
Member

kron4eg commented Aug 15, 2023

/approve
/lgtm

@kubermatic-bot kubermatic-bot added the lgtm Indicates that a PR is ready to be merged. label Aug 15, 2023
@kubermatic-bot
Copy link
Contributor

LGTM label has been added.

Git tree hash: ad1514db5baef5057b95e6829d9cc07afe4c3e14

@kubermatic-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: embik, kron4eg

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubermatic-bot kubermatic-bot merged commit 8dd2789 into kubermatic:main Aug 15, 2023
21 checks passed
@kubermatic-bot kubermatic-bot added this to the KKP 2.24 milestone Aug 15, 2023
@embik embik deleted the azure-icmp-allow-rule branch October 20, 2023 12:13