From b5de18d22bb65535cd80b4807312c66d7e785ec4 Mon Sep 17 00:00:00 2001 From: Jose Armesto Date: Thu, 30 Jan 2025 14:40:27 +0100 Subject: [PATCH] Support additional security group ingress rules for all nodes (#282) --- CHANGELOG.md | 4 ++ ...lplanes.controlplane.cluster.x-k8s.io.yaml | 67 +++++++++++++++++++ ...lplanes.controlplane.cluster.x-k8s.io.yaml | 67 +++++++++++++++++++ ...sters.infrastructure.cluster.x-k8s.io.yaml | 67 +++++++++++++++++++ ...lates.infrastructure.cluster.x-k8s.io.yaml | 67 +++++++++++++++++++ helm/cluster-api-provider-aws/values.yaml | 3 +- 6 files changed, 274 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fc7a0a6..f5162c1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Added + +- Support additional security group ingress rules for all nodes. + ### Fixed - Only manage security groups for ENIs tagged by CAPA. diff --git a/helm/cluster-api-provider-aws/files/controlplane/patches/versions/v1beta1/awsmanagedcontrolplanes.controlplane.cluster.x-k8s.io.yaml b/helm/cluster-api-provider-aws/files/controlplane/patches/versions/v1beta1/awsmanagedcontrolplanes.controlplane.cluster.x-k8s.io.yaml index a1753bc..3aad7d2 100644 --- a/helm/cluster-api-provider-aws/files/controlplane/patches/versions/v1beta1/awsmanagedcontrolplanes.controlplane.cluster.x-k8s.io.yaml +++ b/helm/cluster-api-provider-aws/files/controlplane/patches/versions/v1beta1/awsmanagedcontrolplanes.controlplane.cluster.x-k8s.io.yaml 
@@ -373,6 +373,73 @@ - toPort type: object type: array + additionalNodeIngressRules: + description: AdditionalNodeIngressRules is an optional set of ingress rules to add to every node + items: + description: IngressRule defines an AWS ingress rule for security groups. + properties: + cidrBlocks: + description: List of CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupID. + items: + type: string + type: array + description: + description: Description provides extended information about the ingress rule. + type: string + fromPort: + description: FromPort is the start of port range. + format: int64 + type: integer + ipv6CidrBlocks: + description: List of IPv6 CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupID. + items: + type: string + type: array + natGatewaysIPsSource: + description: NatGatewaysIPsSource use the NAT gateways IPs as the source for the ingress rule. + type: boolean + protocol: + description: Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50" (ESP). + enum: + - "-1" + - "4" + - tcp + - udp + - icmp + - "58" + - "50" + type: string + sourceSecurityGroupIds: + description: The security group id to allow access from. Cannot be specified with CidrBlocks. + items: + type: string + type: array + sourceSecurityGroupRoles: + description: |- + The security group role to allow access from. Cannot be specified with CidrBlocks. + The field will be combined with source security group IDs if specified. + items: + description: SecurityGroupRole defines the unique role of a security group. + enum: + - bastion + - node + - controlplane + - apiserver-lb + - lb + - node-eks-additional + type: string + type: array + toPort: + description: ToPort is the end of port range. 
+ format: int64 + type: integer + required: + - description + - fromPort + - protocol + - toPort + type: object + type: array cni: description: CNI configuration properties: diff --git a/helm/cluster-api-provider-aws/files/controlplane/patches/versions/v1beta2/awsmanagedcontrolplanes.controlplane.cluster.x-k8s.io.yaml b/helm/cluster-api-provider-aws/files/controlplane/patches/versions/v1beta2/awsmanagedcontrolplanes.controlplane.cluster.x-k8s.io.yaml index 91c29a5..8c9f643 100644 --- a/helm/cluster-api-provider-aws/files/controlplane/patches/versions/v1beta2/awsmanagedcontrolplanes.controlplane.cluster.x-k8s.io.yaml +++ b/helm/cluster-api-provider-aws/files/controlplane/patches/versions/v1beta2/awsmanagedcontrolplanes.controlplane.cluster.x-k8s.io.yaml 
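Review bot: The descriptions of `cidrBlocks`, `ipv6CidrBlocks` and `sourceSecurityGroupIds` in this hunk refer to fields named `SourceSecurityGroupID` and `CidrBlocks`, which do not exist under those names in the schema — the real keys are `sourceSecurityGroupIds` and `cidrBlocks`, and neither sentence mentions `sourceSecurityGroupRoles`, which its own description says is also exclusive with CIDR sources. Since these strings are what `kubectl explain` shows, name the actual keys, e.g. `description: List of CIDR blocks to allow access from. Cannot be combined with sourceSecurityGroupIds or sourceSecurityGroupRoles.` The `protocol` description also lacks a space in `(IP in IP),"tcp"`. If this schema patch is generated from the Go types, the wording fix belongs in the field comments there rather than in this file.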
@@ -364,6 +364,73 @@ - toPort type: object type: array + additionalNodeIngressRules: + description: AdditionalNodeIngressRules is an optional set of ingress rules to add to every node + items: + description: IngressRule defines an AWS ingress rule for security groups. + properties: + cidrBlocks: + description: List of CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupID. + items: + type: string + type: array + description: + description: Description provides extended information about the ingress rule. + type: string + fromPort: + description: FromPort is the start of port range. + format: int64 + type: integer + ipv6CidrBlocks: + description: List of IPv6 CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupID. + items: + type: string + type: array + natGatewaysIPsSource: + description: NatGatewaysIPsSource use the NAT gateways IPs as the source for the ingress rule. + type: boolean + protocol: + description: Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50" (ESP). + enum: + - "-1" + - "4" + - tcp + - udp + - icmp + - "58" + - "50" + type: string + sourceSecurityGroupIds: + description: The security group id to allow access from. Cannot be specified with CidrBlocks. + items: + type: string + type: array + sourceSecurityGroupRoles: + description: |- + The security group role to allow access from. Cannot be specified with CidrBlocks. + The field will be combined with source security group IDs if specified. + items: + description: SecurityGroupRole defines the unique role of a security group. + enum: + - bastion + - node + - controlplane + - apiserver-lb + - lb + - node-eks-additional + type: string + type: array + toPort: + description: ToPort is the end of port range. 
+ format: int64 + type: integer + required: + - description + - fromPort + - protocol + - toPort + type: object + type: array cni: description: CNI configuration properties: diff --git a/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsclusters.infrastructure.cluster.x-k8s.io.yaml b/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsclusters.infrastructure.cluster.x-k8s.io.yaml index bc429cb..05f96e1 100644 --- a/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsclusters.infrastructure.cluster.x-k8s.io.yaml +++ b/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsclusters.infrastructure.cluster.x-k8s.io.yaml 
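Review bot: The exclusivity between `cidrBlocks`/`ipv6CidrBlocks` and `sourceSecurityGroupIds` in this hunk exists only in the description text; the schema accepts an item that sets both, and the CIDR entries are unconstrained strings, so a malformed block, or a very broad one such as `0.0.0.0/0` with `protocol: "-1"`, is only caught (if at all) when the controller pushes it to AWS — and because these rules go on every node, that is the worst place to find out. If the target API servers support CEL, an `x-kubernetes-validations` block on the item plus a `pattern` on the CIDR items rejects these at admission; if this file is generated from the Go types, the matching `+kubebuilder:validation:XValidation` and `Pattern` markers belong there instead. Whether a wide-open CIDR should be refused or merely audited is a policy call I am not making here; the format check and the exclusivity check are purely defensive and match what the descriptions already promise. The `ipv6CidrBlocks` items would need their own pattern, which the excerpt below leaves out.
```yaml
items:
  description: IngressRule defines an AWS ingress rule for security groups.
  properties:
    cidrBlocks:
      description: List of CIDR blocks to allow access from. Cannot be combined with sourceSecurityGroupIds.
      items:
        # IPv4 CIDR only; ipv6CidrBlocks needs its own pattern
        pattern: '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'
        type: string
      type: array
    # … unchanged: description, fromPort, ipv6CidrBlocks, natGatewaysIPsSource, protocol, sourceSecurityGroupIds, sourceSecurityGroupRoles, toPort …
  # … unchanged: required, type: object …
  x-kubernetes-validations:
    - message: cidrBlocks/ipv6CidrBlocks cannot be combined with sourceSecurityGroupIds
      rule: '!((has(self.cidrBlocks) || has(self.ipv6CidrBlocks)) && has(self.sourceSecurityGroupIds))'
```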
@@ -460,6 +460,73 @@ - toPort type: object type: array + additionalNodeIngressRules: + description: AdditionalNodeIngressRules is an optional set of ingress rules to add to every node + items: + description: IngressRule defines an AWS ingress rule for security groups. + properties: + cidrBlocks: + description: List of CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupID. + items: + type: string + type: array + description: + description: Description provides extended information about the ingress rule. + type: string + fromPort: + description: FromPort is the start of port range. + format: int64 + type: integer + ipv6CidrBlocks: + description: List of IPv6 CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupID. + items: + type: string + type: array + natGatewaysIPsSource: + description: NatGatewaysIPsSource use the NAT gateways IPs as the source for the ingress rule. + type: boolean + protocol: + description: Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50" (ESP). + enum: + - "-1" + - "4" + - tcp + - udp + - icmp + - "58" + - "50" + type: string + sourceSecurityGroupIds: + description: The security group id to allow access from. Cannot be specified with CidrBlocks. + items: + type: string + type: array + sourceSecurityGroupRoles: + description: |- + The security group role to allow access from. Cannot be specified with CidrBlocks. + The field will be combined with source security group IDs if specified. + items: + description: SecurityGroupRole defines the unique role of a security group. + enum: + - bastion + - node + - controlplane + - apiserver-lb + - lb + - node-eks-additional + type: string + type: array + toPort: + description: ToPort is the end of port range. 
+ format: int64 + type: integer + required: + - description + - fromPort + - protocol + - toPort + type: object + type: array cni: description: CNI configuration properties: diff --git a/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsclustertemplates.infrastructure.cluster.x-k8s.io.yaml b/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsclustertemplates.infrastructure.cluster.x-k8s.io.yaml index 8bffeaf..19ace72 100644 --- a/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsclustertemplates.infrastructure.cluster.x-k8s.io.yaml +++ b/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsclustertemplates.infrastructure.cluster.x-k8s.io.yaml 
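Review bot: `natGatewaysIPsSource` is the only source selector in this hunk whose description does not say how it interacts with the others — `cidrBlocks`, `ipv6CidrBlocks`, `sourceSecurityGroupIds` and `sourceSecurityGroupRoles` each state what they cannot be combined with, so a reader cannot tell whether `natGatewaysIPsSource: true` next to `cidrBlocks` is rejected, merged or ignored. State whichever the controller actually does, e.g. `description: NatGatewaysIPsSource uses the cluster's NAT gateway IPs as the source for the ingress rule. Cannot be combined with cidrBlocks or ipv6CidrBlocks.` if that is the enforced behaviour; I cannot see the controller from this patch, so confirm before committing the wording. The top-level `additionalNodeIngressRules` description would also benefit from a sentence making the blast radius explicit, e.g. `Each rule is added to the security group of every node in the cluster; a broad rule here widens exposure cluster-wide.`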
@@ -490,6 +490,73 @@ - toPort type: object type: array + additionalNodeIngressRules: + description: AdditionalNodeIngressRules is an optional set of ingress rules to add to every node + items: + description: IngressRule defines an AWS ingress rule for security groups. + properties: + cidrBlocks: + description: List of CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupID. + items: + type: string + type: array + description: + description: Description provides extended information about the ingress rule. + type: string + fromPort: + description: FromPort is the start of port range. + format: int64 + type: integer + ipv6CidrBlocks: + description: List of IPv6 CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupID. + items: + type: string + type: array + natGatewaysIPsSource: + description: NatGatewaysIPsSource use the NAT gateways IPs as the source for the ingress rule. + type: boolean + protocol: + description: Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50" (ESP). + enum: + - "-1" + - "4" + - tcp + - udp + - icmp + - "58" + - "50" + type: string + sourceSecurityGroupIds: + description: The security group id to allow access from. Cannot be specified with CidrBlocks. + items: + type: string + type: array + sourceSecurityGroupRoles: + description: |- + The security group role to allow access from. Cannot be specified with CidrBlocks. + The field will be combined with source security group IDs if specified. + items: + description: SecurityGroupRole defines the unique role of a security group. + enum: + - bastion + - node + - controlplane + - apiserver-lb + - lb + - node-eks-additional + type: string + type: array + toPort: + description: ToPort is the end of port range. 
+ format: int64 + type: integer + required: + - description + - fromPort + - protocol + - toPort + type: object + type: array cni: description: CNI configuration properties: diff --git a/helm/cluster-api-provider-aws/values.yaml b/helm/cluster-api-provider-aws/values.yaml index ed8e0ce..894c093 100644 --- a/helm/cluster-api-provider-aws/values.yaml +++ b/helm/cluster-api-provider-aws/values.yaml @@ -11,7 +11,8 @@ name: cluster-api-provider-aws # * Support EC2 lifecycle hooks for machine pools (https://github.com/giantswarm/cluster-api-provider-aws/pull/613) # * Tags defined in subnet spec should be applied (https://github.com/giantswarm/cluster-api-provider-aws/pull/615) # * Only manage security groups for ENIs tagged by CAPA (https://github.com/giantswarm/cluster-api-provider-aws/pull/616) -tag: v2.7.1-gs-ef95bc532 +# * Support additional security group ingress rules for all nodes (https://github.com/giantswarm/cluster-api-provider-aws/pull/617) +tag: v2.7.1-gs-23310a1d6 registry: domain: gsoci.azurecr.io
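Review bot: `fromPort` and `toPort` in this hunk accept any int64 and nothing relates them, so `fromPort: 443, toPort: 80` or `toPort: 70000` passes admission and only fails at the AWS API, on every node's security group. Bounds of `minimum: -1` / `maximum: 65535` on both (AWS uses -1 as the ICMP wildcard, so 0 is too tight a floor) plus a CEL ordering rule would reject these at admission; the ordering rule must exempt `icmp` and `58`, where the pair is type/code rather than a range. `required` also mandates a `description` but no source at all: an item with none of `cidrBlocks`, `ipv6CidrBlocks`, `sourceSecurityGroupIds`, `sourceSecurityGroupRoles` or `natGatewaysIPsSource` is schema-valid, so whether that is a no-op or an error is decided by controller code I cannot see here. If this file is generated from the Go types, the equivalent `+kubebuilder:validation:Minimum`/`Maximum`/`XValidation` markers belong there; the values.yaml tag bump sharing this line is a trivial version update.
```yaml
  properties:
    # … unchanged: cidrBlocks, description …
    fromPort:
      description: FromPort is the start of port range.
      format: int64
      maximum: 65535
      minimum: -1
      type: integer
    # … unchanged: ipv6CidrBlocks, natGatewaysIPsSource, protocol, sourceSecurityGroupIds, sourceSecurityGroupRoles …
    toPort:
      description: ToPort is the end of port range.
      format: int64
      maximum: 65535
      minimum: -1
      type: integer
  # … unchanged: required, type: object …
  x-kubernetes-validations:
    - message: fromPort must not exceed toPort (ICMP uses the pair as type/code)
      rule: self.protocol == 'icmp' || self.protocol == '58' || self.fromPort <= self.toPort
```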