Support additional security group ingress rules for all nodes (#282)
fiunchinho authored Jan 30, 2025
1 parent eb2fa77 commit b5de18d
Showing 6 changed files with 274 additions and 1 deletion.
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

### Added

- Support additional security group ingress rules for all nodes.

### Fixed

- Only manage security groups for ENIs tagged by CAPA.
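Review bot: the new Added entry names the feature but not the API field, so anyone grepping the changelog for the name they see in a manifest will miss it; name the field and link the source PR the way the values.yaml comment block does, e.g. `- Support additional security group ingress rules for all nodes via `additionalNodeIngressRules` (https://github.com/giantswarm/cluster-api-provider-aws/pull/617)`.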
@@ -373,6 +373,73 @@
- toPort
type: object
type: array
additionalNodeIngressRules:
description: AdditionalNodeIngressRules is an optional set of ingress rules to add to every node
items:
description: IngressRule defines an AWS ingress rule for security groups.
properties:
cidrBlocks:
description: List of CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupID.
items:
type: string
type: array
description:
description: Description provides extended information about the ingress rule.
type: string
fromPort:
description: FromPort is the start of port range.
format: int64
type: integer
ipv6CidrBlocks:
description: List of IPv6 CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupID.
items:
type: string
type: array
natGatewaysIPsSource:
description: NatGatewaysIPsSource use the NAT gateways IPs as the source for the ingress rule.
type: boolean
protocol:
description: Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50" (ESP).
enum:
- "-1"
- "4"
- tcp
- udp
- icmp
- "58"
- "50"
type: string
sourceSecurityGroupIds:
description: The security group id to allow access from. Cannot be specified with CidrBlocks.
items:
type: string
type: array
sourceSecurityGroupRoles:
description: |-
The security group role to allow access from. Cannot be specified with CidrBlocks.
The field will be combined with source security group IDs if specified.
items:
description: SecurityGroupRole defines the unique role of a security group.
enum:
- bastion
- node
- controlplane
- apiserver-lb
- lb
- node-eks-additional
type: string
type: array
toPort:
description: ToPort is the end of port range.
format: int64
type: integer
required:
- description
- fromPort
- protocol
- toPort
type: object
type: array
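Review bot: the mutual-exclusion statements in this block are documentation only and name a field that does not exist. `cidrBlocks` and `ipv6CidrBlocks` say "Cannot be specified with SourceSecurityGroupID", but the field defined a few lines down is `sourceSecurityGroupIds` (a list); conversely `sourceSecurityGroupIds` and `sourceSecurityGroupRoles` say "Cannot be specified with CidrBlocks" and say nothing about `ipv6CidrBlocks` or `natGatewaysIPsSource`. Nothing in the schema (no `x-kubernetes-validations`, no `oneOf`) rejects an item that sets all of them, so the API server will admit it. Either add a CEL rule on the item, for example `!(has(self.cidrBlocks) && has(self.sourceSecurityGroupIds))`, or state in the descriptions that the admission webhook rejects the combination, and correct the field name in the text.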
cni:
description: CNI configuration
properties:
@@ -364,6 +364,73 @@
- toPort
type: object
type: array
additionalNodeIngressRules:
description: AdditionalNodeIngressRules is an optional set of ingress rules to add to every node
items:
description: IngressRule defines an AWS ingress rule for security groups.
properties:
cidrBlocks:
description: List of CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupID.
items:
type: string
type: array
description:
description: Description provides extended information about the ingress rule.
type: string
fromPort:
description: FromPort is the start of port range.
format: int64
type: integer
ipv6CidrBlocks:
description: List of IPv6 CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupID.
items:
type: string
type: array
natGatewaysIPsSource:
description: NatGatewaysIPsSource use the NAT gateways IPs as the source for the ingress rule.
type: boolean
protocol:
description: Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50" (ESP).
enum:
- "-1"
- "4"
- tcp
- udp
- icmp
- "58"
- "50"
type: string
sourceSecurityGroupIds:
description: The security group id to allow access from. Cannot be specified with CidrBlocks.
items:
type: string
type: array
sourceSecurityGroupRoles:
description: |-
The security group role to allow access from. Cannot be specified with CidrBlocks.
The field will be combined with source security group IDs if specified.
items:
description: SecurityGroupRole defines the unique role of a security group.
enum:
- bastion
- node
- controlplane
- apiserver-lb
- lb
- node-eks-additional
type: string
type: array
toPort:
description: ToPort is the end of port range.
format: int64
type: integer
required:
- description
- fromPort
- protocol
- toPort
type: object
type: array
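Review bot: `fromPort` and `toPort` are unbounded `int64` values, so `toPort: 99999` or an arbitrary negative port passes admission and only fails later when the controller calls EC2, leaving the cluster object accepted but the security group unreconciled. Add `minimum: -1` and `maximum: 65535` to both fields (the `-1` lower bound keeps the AWS wildcard used for ICMP type/code and for `protocol: "-1"` valid), and consider a CEL rule such as `self.fromPort <= self.toPort` so an inverted range is rejected at the API server rather than at reconcile time.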
cni:
description: CNI configuration
properties:
@@ -460,6 +460,73 @@
- toPort
type: object
type: array
additionalNodeIngressRules:
description: AdditionalNodeIngressRules is an optional set of ingress rules to add to every node
items:
description: IngressRule defines an AWS ingress rule for security groups.
properties:
cidrBlocks:
description: List of CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupID.
items:
type: string
type: array
description:
description: Description provides extended information about the ingress rule.
type: string
fromPort:
description: FromPort is the start of port range.
format: int64
type: integer
ipv6CidrBlocks:
description: List of IPv6 CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupID.
items:
type: string
type: array
natGatewaysIPsSource:
description: NatGatewaysIPsSource use the NAT gateways IPs as the source for the ingress rule.
type: boolean
protocol:
description: Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50" (ESP).
enum:
- "-1"
- "4"
- tcp
- udp
- icmp
- "58"
- "50"
type: string
sourceSecurityGroupIds:
description: The security group id to allow access from. Cannot be specified with CidrBlocks.
items:
type: string
type: array
sourceSecurityGroupRoles:
description: |-
The security group role to allow access from. Cannot be specified with CidrBlocks.
The field will be combined with source security group IDs if specified.
items:
description: SecurityGroupRole defines the unique role of a security group.
enum:
- bastion
- node
- controlplane
- apiserver-lb
- lb
- node-eks-additional
type: string
type: array
toPort:
description: ToPort is the end of port range.
format: int64
type: integer
required:
- description
- fromPort
- protocol
- toPort
type: object
type: array
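Review bot: the `required` list is `description`, `fromPort`, `protocol`, `toPort`, so an item with no source at all (no `cidrBlocks`, `ipv6CidrBlocks`, `sourceSecurityGroupIds`, `sourceSecurityGroupRoles` and `natGatewaysIPsSource` unset or false) is schema-valid; the description of `additionalNodeIngressRules` should say what the controller does with such a rule (reject it, or which security group it defaults to), because a silent default source on a rule applied to every node is exactly the kind of thing an operator will not expect. In the same vein, the `natGatewaysIPsSource` description should say whether the NAT gateway IPs are added to any `cidrBlocks` also given on the rule or replace them.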
cni:
description: CNI configuration
properties:
@@ -490,6 +490,73 @@
- toPort
type: object
type: array
additionalNodeIngressRules:
description: AdditionalNodeIngressRules is an optional set of ingress rules to add to every node
items:
description: IngressRule defines an AWS ingress rule for security groups.
properties:
cidrBlocks:
description: List of CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupID.
items:
type: string
type: array
description:
description: Description provides extended information about the ingress rule.
type: string
fromPort:
description: FromPort is the start of port range.
format: int64
type: integer
ipv6CidrBlocks:
description: List of IPv6 CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupID.
items:
type: string
type: array
natGatewaysIPsSource:
description: NatGatewaysIPsSource use the NAT gateways IPs as the source for the ingress rule.
type: boolean
protocol:
description: Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50" (ESP).
enum:
- "-1"
- "4"
- tcp
- udp
- icmp
- "58"
- "50"
type: string
sourceSecurityGroupIds:
description: The security group id to allow access from. Cannot be specified with CidrBlocks.
items:
type: string
type: array
sourceSecurityGroupRoles:
description: |-
The security group role to allow access from. Cannot be specified with CidrBlocks.
The field will be combined with source security group IDs if specified.
items:
description: SecurityGroupRole defines the unique role of a security group.
enum:
- bastion
- node
- controlplane
- apiserver-lb
- lb
- node-eks-additional
type: string
type: array
toPort:
description: ToPort is the end of port range.
format: int64
type: integer
required:
- description
- fromPort
- protocol
- toPort
type: object
type: array
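Review bot: "add to every node" is ambiguous in a schema whose `sourceSecurityGroupRoles` enum distinguishes the `node` and `node-eks-additional` roles a few lines below; the `additionalNodeIngressRules` description should name the security group role(s) the rules are attached to, and it is missing its trailing period. Since one entry here widens the exposure of every worker node at once and the schema happily accepts `protocol: "-1"` together with `cidrBlocks: ["0.0.0.0/0"]`, the description is also the place to say that the rules are not narrowed by anything else in the spec and that `sourceSecurityGroupRoles` or `sourceSecurityGroupIds` should be preferred over CIDR sources where a security-group source exists.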
cni:
description: CNI configuration
properties:
3 changes: 2 additions & 1 deletion helm/cluster-api-provider-aws/values.yaml
@@ -11,7 +11,8 @@ name: cluster-api-provider-aws
# * Support EC2 lifecycle hooks for machine pools (https://github.com/giantswarm/cluster-api-provider-aws/pull/613)
# * Tags defined in subnet spec should be applied (https://github.com/giantswarm/cluster-api-provider-aws/pull/615)
# * Only manage security groups for ENIs tagged by CAPA (https://github.com/giantswarm/cluster-api-provider-aws/pull/616)
tag: v2.7.1-gs-ef95bc532
# * Support additional security group ingress rules for all nodes (https://github.com/giantswarm/cluster-api-provider-aws/pull/617)
tag: v2.7.1-gs-23310a1d6

registry:
domain: gsoci.azurecr.io
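Review bot: the comment block now claims the image carries giantswarm/cluster-api-provider-aws#617, but nothing in the chart ties `tag: v2.7.1-gs-23310a1d6` to that claim; with this change the vendored CRDs and the controller have to agree on `additionalNodeIngressRules`, so an image that predates #617 would accept the field and silently ignore it. State in the comment which commit of the fork the tag was built from, and record the image digest (`sha256:...`) next to the tag so the deployed controller cannot drift if the tag is repointed in `gsoci.azurecr.io`.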

0 comments on commit b5de18d