Allow PrefixList for sshAccess and kubernetesApiAccess #13113
Hi @hierynomus. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/ok-to-test
kops' cloudmock packages will need to be updated to recognize the new prefix list field. All of the changes needed should be in here
Thanks for the pointer @rifelpet. Awaiting new build results now ;)
@@ -85,17 +85,23 @@ func validateClusterSpec(spec *kops.ClusterSpec, c *kops.Cluster, fieldPath *fie | |||
|
|||
// SSHAccess | |||
for i, cidr := range spec.SSHAccess { | |||
allErrs = append(allErrs, validateCIDR(cidr, fieldPath.Child("sshAccess").Index(i))...) | |||
if !strings.HasPrefix(cidr, "pl-") { |
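Review bot: the new `if !strings.HasPrefix(cidr, "pl-") {` guard means any string that merely starts with `pl-` skips `validateCIDR` and receives no further checking at all, so a mistyped identifier is no longer rejected by validation; consider checking the shape of the ID (and, as raised below, only accepting prefix lists when the cloud provider is AWS). The loop variable is also still called `cidr` although it may now hold a prefix list ID; a neutral name such as `entry` would make the two branches easier to read.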
Should we (can we) add validation that the PrefixListID is actually valid by interrogating AWS, or don't we do that during validation?
Shouldn't this only be allowed if the cloudprovider is AWS?
@rifelpet Another question: Should we also add the PrefixList for the "ICMP for PMTU discovery" block? See: kops/pkg/model/awsmodel/api_loadbalancer.go Lines 379 to 381 in 7e64518
If so, what should be the
/retest
Perhaps modify one of the IPv6 e2e tests to use this?
pkg/model/awsmodel/utils.go
return strings.HasPrefix(id, "pl-") | ||
} | ||
|
||
func LimitIngress(t *awstasks.SecurityGroupRule, cidr string) *awstasks.SecurityGroupRule { |
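Review bot: `LimitIngress` is a misleading name for a helper that takes any `*awstasks.SecurityGroupRule`, since nothing in the visible signature restricts it to ingress rules; a name that says what it sets on the rule, plus a doc comment on this exported function, would help. The parameter is also named `cidr` while the `strings.HasPrefix(id, "pl-")` check just above shows the value may be a prefix list ID rather than a CIDR.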
Perhaps make this a receiver on awstasks.SecurityGroupRule? Perhaps call it SetPrefix()?
I've added that as SetCidrOrPrefix, as I thought that SetPrefix wasn't fully covering the functionality.
My thinking was that a CIDR specifies a prefix. A "pl-" string is a prefix list. Both CIDR and PrefixList specify the subset of the address space that the SGR applies to.
I suppose "Prefix" is incorrectly singular when applied to prefix lists. I'm trying to find a good term to express the concept of the subset of address space.
Yes agreed, basically either limit the ingress to certain address(blocks). So that's why I initially chose LimitIngress.
Except a security group rule can be for egress instead.
As to ICMP/ICMPv6, you would need to query whether the prefix list in question contains IPv4 or IPv6 addresses, then add the appropriate rule. Per AWS documentation, a prefix list may contain only one address family.
I've added this functionality, by passing the I've kept the commit separate for now to ease the review process, I will squash it once you've OK'ed the implementation 😄
Any ideas already @johngmyers on the naming of the method? Furthermore besides that, is there anything else needed? I've updated the
Sorry, I haven't been able to get back to this due to the large review backlog.
Hi @johngmyers Did you have any chance to come back to this PR again?
Hi @hierynomus. I did a first pass of the PR.
There are mostly small changes from my point of view, but would like to not do cloud calls in model.
icmpIpv6 := false | ||
if strings.HasPrefix(cidr, "pl-") { | ||
b, err := b.IsIPv6PrefixList(cidr) | ||
if err != nil { | ||
return err | ||
} | ||
icmpIpv6 = b | ||
} else { | ||
icmpIpv6 = utils.IsIPv6CIDR(cidr) | ||
} |
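Review bot: `b, err := b.IsIPv6PrefixList(cidr)` shadows the builder receiver `b` with the returned bool for the rest of the `if` block; it happens to work because `b` is read only once more on the `icmpIpv6 = b` line, but it is easy to misread and any later use of the builder inside that block would silently refer to the bool. Use a distinct name such as `isV6`. Separately, this branch makes a cloud API call from the model, which the reviewer asked to avoid; if the family cannot be determined offline, the prefix list case needs either a documented skip of the ICMP rule or a precomputed family passed in from outside the model.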
I don't think model should check the kind of prefix with AWS. I would rather skip the ICMP rules for prefixes, for now.
As a curiosity, any idea what happens if you set an IPv4 PrefixList to ICMPv6 protocol or an IPv6 PrefixList to ICMPv4 protocol?
Just tried that out, AWS does allow to configure it like that, but not sure what the net effect is. I added an ICMPv4 inbound rule with an IPv6 type PrefixList, and the console accepted and created that.
So, let's skip this for now, to get it into 1.23 before the release. We can try later to add the ICMP rules and see what happens.
I'm not sure what the effect would be of not rendering ICMP rules when a prefix list is in use? I took the approach of querying the AWS API from the IAM model, where that was already used, so I figured that was allowed ;).
Are you sure we can skip them?
It is required for Path MTU Discovery.
I am sure I don't want to call the cloud for this. 😄
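The two threads above (validating a "pl-" entry without a cloud call, and deciding whether an ICMP rule for Path MTU Discovery can be rendered for it) can be shown together in one small program. This is an added example, not code from kops or from this PR: the `prefixListID` regular expression is an assumed tightening of the "pl-" check (kops itself only tests the prefix), the `Entry`, `PMTURule`, `ParseEntry`, `ValidateAccessList` and `PMTURuleFor` names are hypothetical, and the ICMP type/code values are the standard ones for PMTU discovery ("fragmentation needed" type 3 code 4 on IPv4, "packet too big" type 2 on IPv6). It generalises the thread's decision: a CIDR entry yields a family-specific ICMP rule offline, a prefix list entry yields none because its family is unknown without querying AWS.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Kind classifies one sshAccess / kubernetesApiAccess entry.
type Kind int

const (
	KindInvalid    Kind = iota
	KindCIDR            // IPv4 or IPv6 CIDR block
	KindPrefixList      // AWS managed prefix list ID
)

// prefixListID is the assumed shape of an AWS prefix list ID: "pl-" followed
// by lowercase hex. The PR only checks for the "pl-" prefix; the length
// bounds here are an example tightening, not a kops rule.
var prefixListID = regexp.MustCompile(`^pl-[0-9a-f]{8,17}$`)

// Entry is a parsed access entry.
type Entry struct {
	Raw  string
	Kind Kind
	// IPv6 is only meaningful for KindCIDR. A prefix list's address family
	// is not knowable offline, so the model cannot choose an ICMP rule for
	// it without a cloud call.
	IPv6 bool
}

// ParseEntry validates one entry: a "pl-" string is accepted only on AWS and
// only if it looks like a prefix list ID; anything else must parse as a CIDR.
func ParseEntry(raw, cloudProvider string) (Entry, error) {
	if strings.HasPrefix(raw, "pl-") {
		if cloudProvider != "aws" {
			return Entry{Raw: raw}, fmt.Errorf("%q: prefix lists are only supported on aws, not %q", raw, cloudProvider)
		}
		if !prefixListID.MatchString(raw) {
			return Entry{Raw: raw}, fmt.Errorf("%q: malformed prefix list ID", raw)
		}
		return Entry{Raw: raw, Kind: KindPrefixList}, nil
	}
	ip, _, err := net.ParseCIDR(raw)
	if err != nil {
		return Entry{Raw: raw}, fmt.Errorf("%q: neither a CIDR block nor a prefix list ID", raw)
	}
	return Entry{Raw: raw, Kind: KindCIDR, IPv6: ip.To4() == nil}, nil
}

// ValidateAccessList parses every entry and collects all errors with their
// index, the way kops validation accumulates a field.ErrorList.
func ValidateAccessList(entries []string, cloudProvider string) ([]Entry, []error) {
	var parsed []Entry
	var errs []error
	for i, raw := range entries {
		e, err := ParseEntry(raw, cloudProvider)
		if err != nil {
			errs = append(errs, fmt.Errorf("index %d: %w", i, err))
			continue
		}
		parsed = append(parsed, e)
	}
	return parsed, errs
}

// PMTURule is the ICMP rule that keeps Path MTU Discovery working for a
// source. AWS security group rules carry the ICMP type in FromPort and the
// ICMP code in ToPort.
type PMTURule struct {
	Protocol string
	FromPort int // ICMP type
	ToPort   int // ICMP code
}

// PMTURuleFor returns "fragmentation needed" (ICMP type 3, code 4) for an
// IPv4 source and "packet too big" (ICMPv6 type 2, code 0) for an IPv6
// source. For a prefix list it returns false: the family is unknown offline,
// so no ICMP rule is rendered, matching the decision taken in the thread.
func PMTURuleFor(e Entry) (PMTURule, bool) {
	if e.Kind != KindCIDR {
		return PMTURule{}, false
	}
	if e.IPv6 {
		return PMTURule{Protocol: "icmpv6", FromPort: 2, ToPort: 0}, true
	}
	return PMTURule{Protocol: "icmp", FromPort: 3, ToPort: 4}, true
}

func main() {
	// Constructed sample sshAccess list: a v4 block, a v6 block, a prefix
	// list, and a typo that only the shape check catches.
	sample := []string{"10.0.0.0/8", "2001:db8::/32", "pl-0123456789abcdef0", "pl-oops"}
	parsed, errs := ValidateAccessList(sample, "aws")
	for _, e := range parsed {
		if r, ok := PMTURuleFor(e); ok {
			fmt.Printf("%-22s cidr        pmtu rule: %s type %d code %d\n", e.Raw, r.Protocol, r.FromPort, r.ToPort)
		} else {
			fmt.Printf("%-22s prefixlist  no ICMP rule (family unknown offline)\n", e.Raw)
		}
	}
	for _, err := range errs {
		fmt.Println("rejected:", err)
	}
}
```

The cloud-provider argument is passed in explicitly so the check stays a pure function of the cluster spec; on a non-AWS provider a "pl-" entry is rejected at validation time rather than silently accepted and left to fail when the rule is applied.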
Great. Would you mind also squashing the commits before merging the PR?
Sure, will do that now!
Signed-off-by: Jeroen van Erp <jeroen@hierynomus.com>
Looks great. Thanks for taking the time to add this feature!
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: hakman. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
…-upstream-release-1.23 Automated cherry pick of #13113: Allow PrefixList for sshAccess and kubernetesApiAccess
Signed-off-by: Jeroen van Erp jeroen@hierynomus.com