Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow PrefixList for sshAccess and kubernetesApiAccess #13113

Merged
merged 1 commit into from Feb 15, 2022
Merged

Allow PrefixList for sshAccess and kubernetesApiAccess #13113

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
95 changes: 35 additions & 60 deletions cloudmock/aws/mockec2/securitygroups.go
View file
Open in desktop
Expand Up @@ -401,79 +401,54 @@ func (m *MockEC2) AuthorizeSecurityGroupIngress(request *ec2.AuthorizeSecurityGr
m.SecurityGroupRules = make(map[string]*ec2.SecurityGroupRule)
}

for _, permission := range request.IpPermissions {
newSecurityGroupRule := func(permission *ec2.IpPermission) (string, *ec2.SecurityGroupRule) {
n := len(m.SecurityGroupRules) + 1
id := fmt.Sprintf("sgr-%d", n)
rule := &ec2.SecurityGroupRule{
SecurityGroupRuleId: &id,
GroupId: sg.GroupId,
FromPort: permission.FromPort,
ToPort: permission.ToPort,
IsEgress: aws.Bool(false),
IpProtocol: permission.IpProtocol,
Tags: tagSpecificationsToTags(request.TagSpecifications, ec2.ResourceTypeSecurityGroupRule),
}
if permission.FromPort == nil {
rule.FromPort = aws.Int64(int64(-1))
}
if permission.ToPort == nil {
rule.ToPort = aws.Int64(int64(-1))
}

for _, iprange := range permission.IpRanges {
return id, rule
}

n := len(m.SecurityGroupRules) + 1
id := fmt.Sprintf("sgr-%d", n)
rule := &ec2.SecurityGroupRule{
SecurityGroupRuleId: &id,
GroupId: sg.GroupId,
FromPort: permission.FromPort,
ToPort: permission.ToPort,
IsEgress: aws.Bool(false),
CidrIpv4: iprange.CidrIp,
IpProtocol: permission.IpProtocol,
Tags: tagSpecificationsToTags(request.TagSpecifications, ec2.ResourceTypeSecurityGroupRule),
}
if permission.FromPort == nil {
rule.FromPort = aws.Int64(int64(-1))
}
if permission.ToPort == nil {
rule.ToPort = aws.Int64(int64(-1))
}
for _, permission := range request.IpPermissions {

for _, iprange := range permission.IpRanges {
id, rule := newSecurityGroupRule(permission)
rule.CidrIpv4 = iprange.CidrIp
m.SecurityGroupRules[id] = rule
}

for _, iprange := range permission.Ipv6Ranges {
id, rule := newSecurityGroupRule(permission)
rule.CidrIpv6 = iprange.CidrIpv6
m.SecurityGroupRules[id] = rule
}

n := len(m.SecurityGroupRules) + 1
id := fmt.Sprintf("sgr-%d", n)
rule := &ec2.SecurityGroupRule{
SecurityGroupRuleId: &id,
GroupId: sg.GroupId,
FromPort: permission.FromPort,
ToPort: permission.ToPort,
IsEgress: aws.Bool(false),
CidrIpv6: iprange.CidrIpv6,
IpProtocol: permission.IpProtocol,
Tags: tagSpecificationsToTags(request.TagSpecifications, ec2.ResourceTypeSecurityGroupRule),
}
if permission.FromPort == nil {
rule.FromPort = aws.Int64(int64(-1))
}
if permission.ToPort == nil {
rule.ToPort = aws.Int64(int64(-1))
}

for _, prefixListId := range permission.PrefixListIds {
id, rule := newSecurityGroupRule(permission)
rule.PrefixListId = prefixListId.PrefixListId
m.SecurityGroupRules[id] = rule

}

for _, group := range permission.UserIdGroupPairs {

n := len(m.SecurityGroupRules) + 1
id := fmt.Sprintf("sgr-%d", n)
rule := &ec2.SecurityGroupRule{
SecurityGroupRuleId: &id,
GroupId: sg.GroupId,
FromPort: permission.FromPort,
ToPort: permission.ToPort,
IsEgress: aws.Bool(false),
ReferencedGroupInfo: &ec2.ReferencedSecurityGroup{
GroupId: group.GroupId,
},
IpProtocol: permission.IpProtocol,
Tags: tagSpecificationsToTags(request.TagSpecifications, ec2.ResourceTypeSecurityGroupRule),
id, rule := newSecurityGroupRule(permission)
rule.ReferencedGroupInfo = &ec2.ReferencedSecurityGroup{
GroupId: group.GroupId,
}
if permission.FromPort == nil {
rule.FromPort = aws.Int64(int64(-1))
}
if permission.ToPort == nil {
rule.ToPort = aws.Int64(int64(-1))
}

m.SecurityGroupRules[id] = rule
}
}
Expand Down
8 changes: 8 additions & 0 deletions docs/cluster_spec.md
View file
Open in desktop
Expand Up @@ -257,6 +257,10 @@ spec:
- 12.34.56.78/32
```

{{ kops_feature_table(kops_added_default='1.23') }}

In AWS, instead of listing all CIDRs, it is possible to specify a pre-existing [AWS Prefix List](https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html) ID.

## kubernetesApiAccess

This array configures the CIDRs that are able to access the kubernetes API. On AWS this is manifested as inbound security group rules on the ELB or master security groups.
Expand All @@ -269,6 +273,10 @@ spec:
- 12.34.56.78/32
```

{{ kops_feature_table(kops_added_default='1.23') }}

In AWS, instead of listing all CIDRs, it is possible to specify a pre-existing [AWS Prefix List](https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html) ID.

## cluster.spec Subnet Keys

### id
Expand Down
24 changes: 21 additions & 3 deletions pkg/apis/kops/validation/validation.go
View file
Open in desktop
Expand Up @@ -85,17 +85,35 @@ func validateClusterSpec(spec *kops.ClusterSpec, c *kops.Cluster, fieldPath *fie

// SSHAccess
for i, cidr := range spec.SSHAccess {
allErrs = append(allErrs, validateCIDR(cidr, fieldPath.Child("sshAccess").Index(i))...)
if strings.HasPrefix(cidr, "pl-") {
if kops.CloudProviderID(spec.CloudProvider) != kops.CloudProviderAWS {
hakman marked this conversation as resolved.
Show resolved Hide resolved
allErrs = append(allErrs, field.Invalid(fieldPath.Child("sshAccess").Index(i), cidr, "Prefix List ID only supported for AWS"))
}
} else {
allErrs = append(allErrs, validateCIDR(cidr, fieldPath.Child("sshAccess").Index(i))...)
}
}

// KubernetesAPIAccess
for i, cidr := range spec.KubernetesAPIAccess {
allErrs = append(allErrs, validateCIDR(cidr, fieldPath.Child("kubernetesAPIAccess").Index(i))...)
if strings.HasPrefix(cidr, "pl-") {
if kops.CloudProviderID(spec.CloudProvider) != kops.CloudProviderAWS {
hakman marked this conversation as resolved.
Show resolved Hide resolved
allErrs = append(allErrs, field.Invalid(fieldPath.Child("kubernetesAPIAccess").Index(i), cidr, "Prefix List ID only supported for AWS"))
}
} else {
allErrs = append(allErrs, validateCIDR(cidr, fieldPath.Child("kubernetesAPIAccess").Index(i))...)
}
}

// NodePortAccess
for i, cidr := range spec.NodePortAccess {
allErrs = append(allErrs, validateCIDR(cidr, fieldPath.Child("nodePortAccess").Index(i))...)
if strings.HasPrefix(cidr, "pl-") {
if kops.CloudProviderID(spec.CloudProvider) != kops.CloudProviderAWS {
hakman marked this conversation as resolved.
Show resolved Hide resolved
allErrs = append(allErrs, field.Invalid(fieldPath.Child("nodePortAccess").Index(i), cidr, "Prefix List ID only supported for AWS"))
}
} else {
allErrs = append(allErrs, validateCIDR(cidr, fieldPath.Child("nodePortAccess").Index(i))...)
}
}

// AdditionalNetworkCIDRs
Expand Down
40 changes: 17 additions & 23 deletions pkg/model/awsmodel/api_loadbalancer.go
View file
Open in desktop
Expand Up @@ -19,6 +19,7 @@ package awsmodel
import (
"fmt"
"sort"
"strings"
"time"

"k8s.io/apimachinery/pkg/util/sets"
Expand Down Expand Up @@ -368,11 +369,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
SecurityGroup: lbSG,
ToPort: fi.Int64(443),
}
if utils.IsIPv6CIDR(cidr) {
t.IPv6CIDR = fi.String(cidr)
} else {
t.CIDR = fi.String(cidr)
}
t.SetCidrOrPrefix(cidr)
AddDirectionalGroupRule(c, t)
}

Expand Down Expand Up @@ -418,35 +415,36 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
SecurityGroup: masterGroup.Task,
ToPort: fi.Int64(443),
}
if utils.IsIPv6CIDR(cidr) {
t.IPv6CIDR = fi.String(cidr)
} else {
t.CIDR = fi.String(cidr)
}
t.SetCidrOrPrefix(cidr)
AddDirectionalGroupRule(c, t)
}

// Allow ICMP traffic required for PMTU discovery
if utils.IsIPv6CIDR(cidr) {
c.AddTask(&awstasks.SecurityGroupRule{
if strings.HasPrefix(cidr, "pl-") {
// In case of a prefix list we do not add a rule for ICMP traffic for PMTU discovery.
// This would require calling out to AWS to check whether the prefix list is IPv4 or IPv6.
} else if utils.IsIPv6CIDR(cidr) {
// Allow ICMP traffic required for PMTU discovery
t := &awstasks.SecurityGroupRule{
Name: fi.String("icmpv6-pmtu-api-elb-" + cidr),
Lifecycle: b.SecurityLifecycle,
IPv6CIDR: fi.String(cidr),
FromPort: fi.Int64(-1),
Protocol: fi.String("icmpv6"),
SecurityGroup: masterGroup.Task,
ToPort: fi.Int64(-1),
})
}
t.SetCidrOrPrefix(cidr)
c.AddTask(t)
} else {
c.AddTask(&awstasks.SecurityGroupRule{
t := &awstasks.SecurityGroupRule{
Name: fi.String("icmp-pmtu-api-elb-" + cidr),
Lifecycle: b.SecurityLifecycle,
CIDR: fi.String(cidr),
FromPort: fi.Int64(3),
Protocol: fi.String("icmp"),
SecurityGroup: masterGroup.Task,
ToPort: fi.Int64(4),
})
}
t.SetCidrOrPrefix(cidr)
c.AddTask(t)
}

if b.Cluster.Spec.API != nil && b.Cluster.Spec.API.LoadBalancer != nil && b.Cluster.Spec.API.LoadBalancer.SSLCertificate != "" {
Expand All @@ -459,11 +457,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
SecurityGroup: masterGroup.Task,
ToPort: fi.Int64(8443),
}
if utils.IsIPv6CIDR(cidr) {
t.IPv6CIDR = fi.String(cidr)
} else {
t.CIDR = fi.String(cidr)
}
t.SetCidrOrPrefix(cidr)
c.AddTask(t)
}
}
Expand Down
7 changes: 1 addition & 6 deletions pkg/model/awsmodel/bastion.go
View file
Open in desktop
Expand Up @@ -26,7 +26,6 @@ import (
"k8s.io/kops/pkg/apis/kops"
"k8s.io/kops/upup/pkg/fi"
"k8s.io/kops/upup/pkg/fi/cloudup/awstasks"
"k8s.io/kops/upup/pkg/fi/utils"
)

const (
Expand Down Expand Up @@ -219,11 +218,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
FromPort: fi.Int64(22),
ToPort: fi.Int64(22),
}
if utils.IsIPv6CIDR(sshAccess) {
t.IPv6CIDR = fi.String(sshAccess)
} else {
t.CIDR = fi.String(sshAccess)
}
t.SetCidrOrPrefix(sshAccess)
AddDirectionalGroupRule(c, t)
}

Expand Down
31 changes: 5 additions & 26 deletions pkg/model/awsmodel/external_access.go
View file
Open in desktop
Expand Up @@ -23,7 +23,6 @@ import (
"k8s.io/kops/pkg/apis/kops"
"k8s.io/kops/upup/pkg/fi"
"k8s.io/kops/upup/pkg/fi/cloudup/awstasks"
"k8s.io/kops/upup/pkg/fi/utils"
)

// ExternalAccessModelBuilder configures security group rules for external access
Expand Down Expand Up @@ -71,11 +70,7 @@ func (b *ExternalAccessModelBuilder) Build(c *fi.ModelBuilderContext) error {
FromPort: fi.Int64(22),
ToPort: fi.Int64(22),
}
if utils.IsIPv6CIDR(sshAccess) {
t.IPv6CIDR = fi.String(sshAccess)
} else {
t.CIDR = fi.String(sshAccess)
}
t.SetCidrOrPrefix(sshAccess)
AddDirectionalGroupRule(c, t)
}

Expand All @@ -89,11 +84,7 @@ func (b *ExternalAccessModelBuilder) Build(c *fi.ModelBuilderContext) error {
FromPort: fi.Int64(22),
ToPort: fi.Int64(22),
}
if utils.IsIPv6CIDR(sshAccess) {
t.IPv6CIDR = fi.String(sshAccess)
} else {
t.CIDR = fi.String(sshAccess)
}
t.SetCidrOrPrefix(sshAccess)
AddDirectionalGroupRule(c, t)
}
}
Expand All @@ -116,11 +107,7 @@ func (b *ExternalAccessModelBuilder) Build(c *fi.ModelBuilderContext) error {
FromPort: fi.Int64(int64(nodePortRange.Base)),
ToPort: fi.Int64(int64(nodePortRange.Base + nodePortRange.Size - 1)),
}
if utils.IsIPv6CIDR(nodePortAccess) {
t.IPv6CIDR = fi.String(nodePortAccess)
} else {
t.CIDR = fi.String(nodePortAccess)
}
t.SetCidrOrPrefix(nodePortAccess)
c.AddTask(t)
}
{
Expand All @@ -132,11 +119,7 @@ func (b *ExternalAccessModelBuilder) Build(c *fi.ModelBuilderContext) error {
FromPort: fi.Int64(int64(nodePortRange.Base)),
ToPort: fi.Int64(int64(nodePortRange.Base + nodePortRange.Size - 1)),
}
if utils.IsIPv6CIDR(nodePortAccess) {
t.IPv6CIDR = fi.String(nodePortAccess)
} else {
t.CIDR = fi.String(nodePortAccess)
}
t.SetCidrOrPrefix(nodePortAccess)
c.AddTask(t)
}
}
Expand All @@ -159,11 +142,7 @@ func (b *ExternalAccessModelBuilder) Build(c *fi.ModelBuilderContext) error {
FromPort: fi.Int64(443),
ToPort: fi.Int64(443),
}
if utils.IsIPv6CIDR(apiAccess) {
t.IPv6CIDR = fi.String(apiAccess)
} else {
t.CIDR = fi.String(apiAccess)
}
t.SetCidrOrPrefix(apiAccess)
AddDirectionalGroupRule(c, t)
}
}
Expand Down