🐛 fix(securitygroups): Look up unmanaged NAT Gateway IPs, so provider doesn't add 0.0.0.0/0 SG rule #5198
Conversation
k8s-ci-robot
added
release-note-action-required
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
needs-priority
needs-ok-to-test
|
Hi @sl1pm4t. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
sl1pm4t
changed the title
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
|
/retest |
sl1pm4t
force-pushed
the
mm/unmanaged-lb-sg-rule
branch
from
58c52aa to
f77078a
Compare
|
/test ? |
|
@richardcase: The following commands are available to trigger required jobs:
The following commands are available to trigger optional jobs:
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/test pull-cluster-api-provider-aws-e2e |
|
/retest |
|
/test pull-cluster-api-provider-aws-e2e |
|
/retest |
AndiDog
changed the title
Yes I have tested the change, and we are using regularly in our fork. I have not attempted to run the e2e test suite locally though, as I'm not familiar with them and not sure how to run against our own infrastructure. |
|
@sl1pm4t: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
@AndiDog I will add, the tests seem to fail on something different each time, so I'm not sure it's related to my change. |
Update pkg/cloud/services/network/natgateways.go Co-authored-by: Andreas Sommer <[email protected]>
sl1pm4t
force-pushed
the
mm/unmanaged-lb-sg-rule
branch
from
7e91d1b to
ff07d10
Compare
|
/retest |
|
This is a great change! Thank you. I needed this, too. |
What type of PR is this?
/kind bug
What this PR does / why we need it:
This fixes an issue that caused the provider to add a security group rule allowing all addresses (
0.0.0.0/0) access to the workload cluster API Server, if a cluster was created on an unmanaged VPC. The rule would be added even if the user had provided a list of source address inspec.controlPlaneLoadBalancer.ingressRules.The rule was being added so the kubelets could reach the API, but
0.0.0.0/0was a fall back source if the NAT Gateway IPs were not (yet) known. Prior to this PR, In the case of unmanaged VPC, the NAT Gateways IPs were never retrieved sogetIngressRulesToAllowKubeletToAccessTheControlPlaneLB()in securitygroups.go would always fall back to using0.0.0.0/0.Which issue(s) this PR fixes :
Fixes #5196
Special notes for your reviewer:
Checklist:
Release note: