From 80944323f35bb2ba56600b3e0a4bda2f933e099c Mon Sep 17 00:00:00 2001
From: Ciprian Hacman
Date: Sat, 15 Jul 2023 18:41:39 +0300
Subject: [PATCH] azure: Allow full load balancer access only when public
---
 pkg/model/azuremodel/network.go | 61 ++++++++++++++++++++-------------
 1 file changed, 38 insertions(+), 23 deletions(-)
diff --git a/pkg/model/azuremodel/network.go b/pkg/model/azuremodel/network.go
index 041b8d6740e04..c0b8a19528aa6 100644
--- a/pkg/model/azuremodel/network.go
+++ b/pkg/model/azuremodel/network.go
@@ -21,6 +21,7 @@ import (
  "strconv"
 
  "github.com/Azure/azure-sdk-for-go/services/network/mgmt/2022-05-01/network"
+ "k8s.io/kops/pkg/apis/kops"
  "k8s.io/kops/pkg/wellknownports"
  "k8s.io/kops/upup/pkg/fi"
  "k8s.io/kops/upup/pkg/fi/cloudup/azuretasks"
@@ -128,29 +129,43 @@ func (b *NetworkModelBuilder) Build(c *fi.CloudupModelBuilderContext) error {
  })
  }
  if b.Cluster.UsesNoneDNS() {
- // TODO: Limit access to necessary source address prefixes instead of "0.0.0.0/0" and "::/0"
- nsgTask.SecurityRules = append(nsgTask.SecurityRules, &azuretasks.NetworkSecurityRule{
- Name: fi.PtrTo("AllowKopsController"),
- Priority: fi.PtrTo[int32](210),
- Access: network.SecurityRuleAccessAllow,
- Direction: network.SecurityRuleDirectionInbound,
- Protocol: network.SecurityRuleProtocolTCP,
- SourceAddressPrefix: fi.PtrTo("0.0.0.0/0"),
- SourcePortRange: fi.PtrTo("*"),
- DestinationAddressPrefix: fi.PtrTo("*"),
- DestinationPortRange: fi.PtrTo(strconv.Itoa(wellknownports.KopsControllerPort)),
- })
- nsgTask.SecurityRules = append(nsgTask.SecurityRules, &azuretasks.NetworkSecurityRule{
- Name: fi.PtrTo("AllowKopsController_v6"),
- Priority: fi.PtrTo[int32](211),
- Access: network.SecurityRuleAccessAllow,
- Direction: network.SecurityRuleDirectionInbound,
- Protocol: network.SecurityRuleProtocolTCP,
- SourceAddressPrefix: fi.PtrTo("::/0"),
- SourcePortRange: fi.PtrTo("*"),
- DestinationAddressPrefix: fi.PtrTo("*"),
- DestinationPortRange: fi.PtrTo(strconv.Itoa(wellknownports.KopsControllerPort)),
- })
+ if b.Cluster.Spec.API.LoadBalancer != nil && b.Cluster.Spec.API.LoadBalancer.Type == kops.LoadBalancerTypeInternal {
+ nsgTask.SecurityRules = append(nsgTask.SecurityRules, &azuretasks.NetworkSecurityRule{
+ Name: fi.PtrTo("AllowKopsController"),
+ Priority: fi.PtrTo[int32](210),
+ Access: network.SecurityRuleAccessAllow,
+ Direction: network.SecurityRuleDirectionInbound,
+ Protocol: network.SecurityRuleProtocolTCP,
+ SourceAddressPrefix: fi.PtrTo(b.Cluster.Spec.Networking.NetworkCIDR),
+ SourcePortRange: fi.PtrTo("*"),
+ DestinationAddressPrefix: fi.PtrTo("*"),
+ DestinationPortRange: fi.PtrTo(strconv.Itoa(wellknownports.KopsControllerPort)),
+ })
+ } else {
+ // TODO: Limit access to necessary source address prefixes instead of "0.0.0.0/0" and "::/0"
+ nsgTask.SecurityRules = append(nsgTask.SecurityRules, &azuretasks.NetworkSecurityRule{
+ Name: fi.PtrTo("AllowKopsController"),
+ Priority: fi.PtrTo[int32](210),
+ Access: network.SecurityRuleAccessAllow,
+ Direction: network.SecurityRuleDirectionInbound,
+ Protocol: network.SecurityRuleProtocolTCP,
+ SourceAddressPrefix: fi.PtrTo("0.0.0.0/0"),
+ SourcePortRange: fi.PtrTo("*"),
+ DestinationAddressPrefix: fi.PtrTo("*"),
+ DestinationPortRange: fi.PtrTo(strconv.Itoa(wellknownports.KopsControllerPort)),
+ })
+ nsgTask.SecurityRules = append(nsgTask.SecurityRules, &azuretasks.NetworkSecurityRule{
+ Name: fi.PtrTo("AllowKopsController_v6"),
+ Priority: fi.PtrTo[int32](211),
+ Access: network.SecurityRuleAccessAllow,
+ Direction: network.SecurityRuleDirectionInbound,
+ Protocol: network.SecurityRuleProtocolTCP,
+ SourceAddressPrefix: fi.PtrTo("::/0"),
+ SourcePortRange: fi.PtrTo("*"),
+ DestinationAddressPrefix: fi.PtrTo("*"),
+ DestinationPortRange: fi.PtrTo(strconv.Itoa(wellknownports.KopsControllerPort)),
+ })
+ }
  }
  var nodePortAccessIPv4, nodePortAccessIPv6 []string
  for _, cidr := range b.Cluster.Spec.NodePortAccess {