Allow PrefixList for sshAccess and kubernetesApiAccess

[hierynomus]

Signed-off-by: Jeroen van Erp jeroen@hierynomus.com

[k8s-ci-robot]

Hi @hierynomus. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[rifelpet]

/ok-to-test

[rifelpet]

kops' cloudmock packages will need to be updated to recognize the new prefix list field. All of the changes needed should be in here

[hierynomus]

Thanks for the pointer @rifelpet. Awaiting new build results now ;)

[hierynomus]

Should we (can we) add validation that the PrefixListID is actually valid by interrogating AWS, or don't we do that during validation?

[johngmyers]

Shouldn't this only be allowed if the cloudprovider is AWS?

[hierynomus]

@rifelpet Another question: Should we also add the PrefixList for the "ICMP for PMTU discovery" block? See:

kops/pkg/model/awsmodel/api_loadbalancer.go

Lines 379 to 381 in 7e64518

	// Allow ICMP traffic required for PMTU discovery
	if utils.IsIPv6CIDR(cidr) {
	c.AddTask(&awstasks.SecurityGroupRule{

If so, what should be the FromPort and ToPort?

[hierynomus]

/retest

[johngmyers]

Perhaps modify one of the IPv6 e2e tests to use this?

[johngmyers]

Shouldn't this only be allowed if the cloudprovider is AWS?

[johngmyers]

Perhaps make this a receiver on awstasks.SecurityGroupRule? Perhaps call it SetPrefix()?

[hierynomus]

I've added that as SetCidrOrPrefix, as I thought that SetPrefix wasn't fully covering the functionality.

[johngmyers]

My thinking was that a CIDR specifies a prefix. A "pl-" string is a prefix list. Both CIDR and PrefixList specify the subset of the address space that the SGR applies to.

I suppose "Prefix" is incorrectly singular when applied to prefix lists. I'm trying to find a good term to express the concept of the subset of address space.

[hierynomus]

Yes agreed, basically either limit the ingress to certain address(blocks).

So that's why I initially chose LimitIngress

[johngmyers]

Except a security group rule can be for egress instead.

[johngmyers]

As to ICMP/ICMPv6, you would need to query whether the prefix list in question contains IPv4 or IPv6 addresses, then add the appropriate rule. Per AWS documentation, a prefix list may contain only one address family.

[hierynomus]

As to ICMP/ICMPv6, you would need to query whether the prefix list in question contains IPv4 or IPv6 addresses, then add the appropriate rule. Per AWS documentation, a prefix list may contain only one address family.

I've added this functionality, by passing the fi.Cloud.(awsup.AWSCloud) into the builder struct. Feel free to suggest a better way to obtain the AWS API.

I've kept the commit separate for now to ease the review process, I will squash it once you've OK'ed the implementation 😄

[hierynomus]

Any ideas already @johngmyers on the naming of the method? Furthermore besides that, is there anything else needed? I've updated the complexe2e test to include 2 prefix lists (1 ipv4, 1 ipv6), which other e2e test needs something extra?

[johngmyers]

Sorry, I haven't been able to get back to this due to the large review backlog.

[hierynomus]

Hi @johngmyers Did you have any chance to come back to this PR again?

[hakman]

Hi @hierynomus. I did a first pass of the PR.
There are mostly small changes from my point of view, but would like to not do cloud calls in model.

[hakman]

I don't think model should check the kind of prefix with AWS. I would rather skip the ICMP rules for prefixes, for now.

As a curiosity, any idea what happens if you set IPv4 PrefixList to ICMPv6 protocol or IPV6 PrefixList to ICMPv4 protocol?

[hierynomus]

Just tried that out, AWS does allow to configure it like that, but not sure what the net effect is. I added a ICMPv4 inbound rule with an IPv6 type PrefixList, and the console accepted and created that.

[hakman]

So, let's skip this for now, to get it into 1.23 before the release. We can try later to add the ICMP rules and see what happens.

[hierynomus]

I'm not sure what the effect would be of not rendering ICMP rules when a prefix list is in use? I took the approach of querying the AWS API from the IAM model, where that was already used, so I figured that was allowed ;).

Are you sure we can skip them?

[hakman]

It is required for Path MTU Discovery.
I am sure I don't want to call the cloud for this. 😄

[hakman]

Great. Would you mind also squashing the commits before merging the PR?

[hierynomus]

Great. Would you mind also squashing the commits before merging the PR?

Sure, will do that now!

[hakman]

Looks great. Thanks for taking the time to add this feature!

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hakman

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [hakman]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment