Azure: Add network security group rules (testing)

openshift · Apr 11, 2024 · 9d2d661 · 9d2d661
1 parent c73ed51
commit 9d2d661
Showing 1 changed file with 153 additions and 2 deletions.
diff --git a/pkg/asset/manifests/azure/cluster.go b/pkg/asset/manifests/azure/cluster.go
@@ -6,6 +6,7 @@ import (
 	"github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 	capz "sigs.k8s.io/cluster-api-provider-azure/api/v1beta1"
 
 	"github.com/openshift/installer/pkg/asset"
@@ -79,21 +80,171 @@ func GenerateClusterAssets(installConfig *installconfig.InstallConfig, clusterID
 				Subnets: capz.Subnets{
 					{
 						SubnetClassSpec: capz.SubnetClassSpec{
-							Name: "control-plane-subnet",
+							Name: fmt.Sprintf("%s-master-subnet", clusterID.InfraID),
 							Role: capz.SubnetControlPlane,
 							CIDRBlocks: []string{
 								subnets[0].String(),
 							},
 						},
+						SecurityGroup: capz.SecurityGroup{
+							Name: fmt.Sprintf("%s-master-nsg", clusterID.InfraID),
+							SecurityGroupClass: capz.SecurityGroupClass{
+								SecurityRules: []capz.SecurityRule{
+									{
+										Name:             "everything",
+										Protocol:         capz.SecurityGroupProtocolTCP,
+										Direction:        capz.SecurityRuleDirectionInbound,
+										Priority:         100,
+										SourcePorts:      ptr.To("*"),
+										DestinationPorts: ptr.To("*"),
+										Source:           ptr.To("*"),
+										Destination:      ptr.To("*"),
+										Action:           capz.SecurityRuleActionAllow,
+									},
+									/*
+										{
+											Name:             "apiserver_in",
+											Protocol:         capz.SecurityGroupProtocolTCP,
+											Direction:        capz.SecurityRuleDirectionInbound,
+											Priority:         101,
+											SourcePorts:      ptr.To("*"),
+											DestinationPorts: ptr.To("6443"),
+											Source:           ptr.To("*"),
+											Destination:      ptr.To("*"),
+											Action:           capz.SecurityRuleActionAllow,
+										},
+										{
+											Name:             "ignition",
+											Protocol:         capz.SecurityGroupProtocolTCP,
+											Direction:        capz.SecurityRuleDirectionInbound,
+											Priority:         102,
+											SourcePorts:      ptr.To("*"),
+											DestinationPorts: ptr.To("22623"),
+											Source:           ptr.To("*"),
+											Destination:      ptr.To("*"),
+											Action:           capz.SecurityRuleActionAllow,
+										},
+										{
+											Name:             "ssh",
+											Protocol:         capz.SecurityGroupProtocolTCP,
+											Direction:        capz.SecurityRuleDirectionInbound,
+											Priority:         103,
+											SourcePorts:      ptr.To("*"),
+											DestinationPorts: ptr.To("22"),
+											Source:           ptr.To("*"),
+											Destination:      ptr.To("*"),
+											Action:           capz.SecurityRuleActionAllow,
+										},
+										{
+											Name:             "http",
+											Protocol:         capz.SecurityGroupProtocolTCP,
+											Direction:        capz.SecurityRuleDirectionInbound,
+											Priority:         104,
+											SourcePorts:      ptr.To("*"),
+											DestinationPorts: ptr.To("80"),
+											Source:           ptr.To("*"),
+											Destination:      ptr.To("*"),
+											Action:           capz.SecurityRuleActionAllow,
+										},
+										{
+											Name:             "https",
+											Protocol:         capz.SecurityGroupProtocolTCP,
+											Direction:        capz.SecurityRuleDirectionInbound,
+											Priority:         105,
+											SourcePorts:      ptr.To("*"),
+											DestinationPorts: ptr.To("443"),
+											Source:           ptr.To("*"),
+											Destination:      ptr.To("*"),
+											Action:           capz.SecurityRuleActionAllow,
+										},
+									*/
+								},
+							},
+						},
 					},
 					{
 						SubnetClassSpec: capz.SubnetClassSpec{
-							Name: "worker-subnet",
+							Name: fmt.Sprintf("%s-worker-subnet", clusterID.InfraID),
 							Role: capz.SubnetNode,
 							CIDRBlocks: []string{
 								subnets[1].String(),
 							},
 						},
+						SecurityGroup: capz.SecurityGroup{
+							Name: fmt.Sprintf("%s-worker-nsg", clusterID.InfraID),
+							SecurityGroupClass: capz.SecurityGroupClass{
+								SecurityRules: []capz.SecurityRule{
+									{
+										Name:             "everything",
+										Protocol:         capz.SecurityGroupProtocolTCP,
+										Direction:        capz.SecurityRuleDirectionInbound,
+										Priority:         100,
+										SourcePorts:      ptr.To("*"),
+										DestinationPorts: ptr.To("*"),
+										Source:           ptr.To("*"),
+										Destination:      ptr.To("*"),
+										Action:           capz.SecurityRuleActionAllow,
+									},
+									/*
+										{
+											Name:             "apiserver_in",
+											Protocol:         capz.SecurityGroupProtocolTCP,
+											Direction:        capz.SecurityRuleDirectionInbound,
+											Priority:         101,
+											SourcePorts:      ptr.To("*"),
+											DestinationPorts: ptr.To("6443"),
+											Source:           ptr.To("*"),
+											Destination:      ptr.To("*"),
+											Action:           capz.SecurityRuleActionAllow,
+										},
+										{
+											Name:             "ignition",
+											Protocol:         capz.SecurityGroupProtocolTCP,
+											Direction:        capz.SecurityRuleDirectionInbound,
+											Priority:         102,
+											SourcePorts:      ptr.To("*"),
+											DestinationPorts: ptr.To("22623"),
+											Source:           ptr.To("*"),
+											Destination:      ptr.To("*"),
+											Action:           capz.SecurityRuleActionAllow,
+										},
+										{
+											Name:             "ssh",
+											Protocol:         capz.SecurityGroupProtocolTCP,
+											Direction:        capz.SecurityRuleDirectionInbound,
+											Priority:         103,
+											SourcePorts:      ptr.To("*"),
+											DestinationPorts: ptr.To("22"),
+											Source:           ptr.To("*"),
+											Destination:      ptr.To("*"),
+											Action:           capz.SecurityRuleActionAllow,
+										},
+										{
+											Name:             "http",
+											Protocol:         capz.SecurityGroupProtocolTCP,
+											Direction:        capz.SecurityRuleDirectionInbound,
+											Priority:         104,
+											SourcePorts:      ptr.To("*"),
+											DestinationPorts: ptr.To("80"),
+											Source:           ptr.To("*"),
+											Destination:      ptr.To("*"),
+											Action:           capz.SecurityRuleActionAllow,
+										},
+										{
+											Name:             "https",
+											Protocol:         capz.SecurityGroupProtocolTCP,
+											Direction:        capz.SecurityRuleDirectionInbound,
+											Priority:         105,
+											SourcePorts:      ptr.To("*"),
+											DestinationPorts: ptr.To("443"),
+											Source:           ptr.To("*"),
+											Destination:      ptr.To("*"),
+											Action:           capz.SecurityRuleActionAllow,
+										},
+									*/
+								},
+							},
+						},
 					},
 				},
 			},