Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow AWS Prefix Lists for sshAccess and kubernetesApiAccess #12925

Closed
mcbanderson opened this issue Dec 10, 2021 · 4 comments
Closed

Allow AWS Prefix Lists for sshAccess and kubernetesApiAccess #12925

mcbanderson opened this issue Dec 10, 2021 · 4 comments
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature.

Comments

@mcbanderson
Copy link

/kind feature

1. Describe IN DETAIL the feature/behavior/change you would like to see.

AWS provides prefix lists as a mechanism for managing security group rules and route tables. These prefix lists can be used in security group rules in place of a CIDR and AWS will automatically handle all CIDRs in the list with only one security group rule.

We would like to be able to utilize these prefix lists for sshAccess and kubernetesApiAccess in our cluster spec to simplify security group management and avoid hitting AWS' hard limit on the number of security group rules.

2. Feel free to provide a design supporting your feature request.

From a user interface standpoint we would simply like to see kops allow the prefix list id (name would also be acceptable, but that might be more complicated to implement) in the pertinent parts of the cluster spec and then create the inbound security group rules with the prefix list instead of the CIDR.

spec:
  kubernetesApiAccess:
    - 12.34.56.78/32
    - pl-abc123
@k8s-ci-robot k8s-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Dec 10, 2021
@rifelpet
Copy link
Member

rifelpet commented Dec 10, 2021
edited

This sounds reasonable and should be pretty straight forward. If anyone wants to implement this, it should just involve:

  • Adding a PrefixList field to the SecurityGroupRule task here, adding similar logic throughout that file as the existing CIDR and IPv6CIDR fields.
  • Update references to KubernetesAPIAccess (1, 2, 3, and similar for SSHAccess and AdminAccess) to check for a pl- prefix on the list element, conditionally using the field in the SecurityGroupRule task's PrefixList field.
  • Add example prefix lists to the cluster specs in the in-*.yaml files in the integration test here and run ./hack/update-expected.sh to confirm the generated terraform and cloudformation outputs change.

@rifelpet rifelpet added the help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. label Dec 10, 2021
@hierynomus
Copy link
Contributor

I'll pick this up, expect a PR somewhere next week.

@hierynomus
Copy link
Contributor

With the merge of #13113, this issue can be closed I think @hakman

@hakman
Copy link
Member

hakman commented Feb 15, 2022

With the merge of #13113, this issue can be closed I think @hakman

I think so. Should be available in kOps 1.23. Thanks again @hierynomus!

@hakman hakman closed this as completed Feb 15, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@hierynomus @rifelpet @hakman @mcbanderson @k8s-ci-robot