Support CIDR Blocks for NodePortRules (#853)
jayesh-srivastava authored Sep 26, 2023
1 parent c4d2e7f commit 2814f51
Showing 16 changed files with 141 additions and 1 deletion.
3 changes: 3 additions & 0 deletions api/v1alpha3/types.go
Expand Up @@ -209,6 +209,9 @@ type NetworkSpec struct {
// This is optional - if not provided new security groups will be created for the cluster
// +optional
SecurityGroupOverrides map[SecurityGroupRole]string `json:"securityGroupOverrides,omitempty"`

// NodePortCIDRBlocks is a set of allowedCIDRBlocks to use for cluster instances
NodePortCIDRBlocks []string `json:"nodePortCIDRBlocks,omitempty"`
}

// VPCSpec configures an AWS VPC.
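Review bot: The new NodePortCIDRBlocks field at the end of NetworkSpec carries no validation and no `// +optional` marker, unlike SecurityGroupOverrides directly above it, so a malformed entry is only rejected when the security-group reconcile hands the string to AWS. Since this list replaces 0.0.0.0/0 in the generated ingress rule, an entry that is not valid CIDR notation fails late and an over-broad one silently re-opens the port range; a `+kubebuilder:validation` pattern or a net.ParseCIDR check in the API's validating webhook (if one covers NetworkSpec) would catch it at admission. The doc comment should also describe the effect rather than restate the name: `// NodePortCIDRBlocks lists the CIDR blocks allowed to reach the node port range (30000-32767) on the node security group; when set it replaces 0.0.0.0/0 in that rule.` followed by `// +optional`. The same applies to the identical additions in api/v1alpha4/types.go and api/v1beta1/network_types.go.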
2 changes: 2 additions & 0 deletions api/v1alpha3/zz_generated.conversion.go


5 changes: 5 additions & 0 deletions api/v1alpha3/zz_generated.deepcopy.go


3 changes: 3 additions & 0 deletions api/v1alpha4/types.go
Expand Up @@ -223,6 +223,9 @@ type NetworkSpec struct {
// This is optional - if not provided new security groups will be created for the cluster
// +optional
SecurityGroupOverrides map[SecurityGroupRole]string `json:"securityGroupOverrides,omitempty"`

// NodePortCIDRBlocks is a set of allowedCIDRBlocks to use for cluster instances
NodePortCIDRBlocks []string `json:"nodePortCIDRBlocks,omitempty"`
}

// VPCSpec configures an AWS VPC.
2 changes: 2 additions & 0 deletions api/v1alpha4/zz_generated.conversion.go


5 changes: 5 additions & 0 deletions api/v1alpha4/zz_generated.deepcopy.go


3 changes: 3 additions & 0 deletions api/v1beta1/network_types.go
Expand Up @@ -166,6 +166,9 @@ type NetworkSpec struct {
// This is optional - if not provided new security groups will be created for the cluster
// +optional
SecurityGroupOverrides map[SecurityGroupRole]string `json:"securityGroupOverrides,omitempty"`

// NodePortCIDRBlocks is a set of allowedCIDRBlocks to use for cluster instances
NodePortCIDRBlocks []string `json:"nodePortCIDRBlocks,omitempty"`
}

// VPCSpec configures an AWS VPC.
5 changes: 5 additions & 0 deletions api/v1beta1/zz_generated.deepcopy.go


Expand Up @@ -370,6 +370,12 @@ spec:
type: object
type: array
type: object
nodePortCIDRBlocks:
description: NodePortCIDRBlocks is a set of allowedCIDRBlocks
to use for cluster instances
items:
type: string
type: array
securityGroupOverrides:
additionalProperties:
type: string
Expand Down Expand Up @@ -1386,6 +1392,12 @@ spec:
type: object
type: array
type: object
nodePortCIDRBlocks:
description: NodePortCIDRBlocks is a set of allowedCIDRBlocks
to use for cluster instances
items:
type: string
type: array
securityGroupOverrides:
additionalProperties:
type: string
Expand Down Expand Up @@ -2626,6 +2638,12 @@ spec:
type: object
type: array
type: object
nodePortCIDRBlocks:
description: NodePortCIDRBlocks is a set of allowedCIDRBlocks
to use for cluster instances
items:
type: string
type: array
securityGroupOverrides:
additionalProperties:
type: string
18 changes: 18 additions & 0 deletions config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml
Expand Up @@ -233,6 +233,12 @@ spec:
type: object
type: array
type: object
nodePortCIDRBlocks:
description: NodePortCIDRBlocks is a set of allowedCIDRBlocks
to use for cluster instances
items:
type: string
type: array
securityGroupOverrides:
additionalProperties:
type: string
Expand Down Expand Up @@ -988,6 +994,12 @@ spec:
type: object
type: array
type: object
nodePortCIDRBlocks:
description: NodePortCIDRBlocks is a set of allowedCIDRBlocks
to use for cluster instances
items:
type: string
type: array
securityGroupOverrides:
additionalProperties:
type: string
Expand Down Expand Up @@ -1840,6 +1852,12 @@ spec:
type: object
type: array
type: object
nodePortCIDRBlocks:
description: NodePortCIDRBlocks is a set of allowedCIDRBlocks
to use for cluster instances
items:
type: string
type: array
securityGroupOverrides:
additionalProperties:
type: string
Expand Up @@ -225,6 +225,12 @@ spec:
type: object
type: array
type: object
nodePortCIDRBlocks:
description: NodePortCIDRBlocks is a set of allowedCIDRBlocks
to use for cluster instances
items:
type: string
type: array
securityGroupOverrides:
additionalProperties:
type: string
Expand Down Expand Up @@ -658,6 +664,12 @@ spec:
type: object
type: array
type: object
nodePortCIDRBlocks:
description: NodePortCIDRBlocks is a set of allowedCIDRBlocks
to use for cluster instances
items:
type: string
type: array
securityGroupOverrides:
additionalProperties:
type: string
5 changes: 5 additions & 0 deletions pkg/cloud/scope/cluster.go
Expand Up @@ -402,3 +402,8 @@ func (s *ClusterScope) ImageLookupOrg() string {
func (s *ClusterScope) ImageLookupBaseOS() string {
return s.AWSCluster.Spec.ImageLookupBaseOS
}

// NetworkSpec returns cluster network spec.
func (s *ClusterScope) NetworkSpec() *infrav1.NetworkSpec {
return &s.AWSCluster.Spec.NetworkSpec
}
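Review bot: NetworkSpec returns a pointer into s.AWSCluster.Spec, so any caller that modifies the returned value writes straight into the AWSCluster object the scope holds (and presumably patches back on close); the doc comment should say so, since the SGScope interface now hands this pointer to the security-group service. Suggest `// NetworkSpec returns a pointer to the cluster's NetworkSpec; the pointee is shared with AWSCluster.Spec, so callers must treat it as read-only.` in place of the current one-liner.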
4 changes: 4 additions & 0 deletions pkg/cloud/scope/managedcontrolplane.go
Expand Up @@ -429,3 +429,7 @@ func (s *ManagedControlPlaneScope) ServiceCidrs() *clusterv1.NetworkRanges {

return nil
}

func (s *ManagedControlPlaneScope) NetworkSpec() *infrav1.NetworkSpec {
return &s.ControlPlane.Spec.NetworkSpec
}
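Review bot: The exported method NetworkSpec at the end of the hunk has no doc comment, unlike its sibling on ClusterScope and the SGScope interface method it satisfies, which revive/golint will flag. Suggest `// NetworkSpec returns a pointer to the managed control plane's NetworkSpec; the pointee is shared with ControlPlane.Spec, so callers must treat it as read-only.` above the func line.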
3 changes: 3 additions & 0 deletions pkg/cloud/scope/sg.go
Expand Up @@ -51,4 +51,7 @@ type SGScope interface {

// GetNatGatewaysIPs gets the Nat Gateways Public IPs.
GetNatGatewaysIPs() []string

// NetworkSpec returns cluster network spec.
NetworkSpec() *infrav1.NetworkSpec
}
6 changes: 5 additions & 1 deletion pkg/cloud/services/securitygroup/securitygroups.go
Expand Up @@ -471,6 +471,10 @@ func (s *Service) getSecurityGroupIngressRules(role infrav1.SecurityGroupRole) (
}
}
cidrBlocks := []string{services.AnyIPv4CidrBlock}
// If nodePortCIDRBlocks are available use them instead of 0.0.0.0/0
if len(s.scope.NetworkSpec().NodePortCIDRBlocks) != 0 {
cidrBlocks = s.scope.NetworkSpec().NodePortCIDRBlocks
}
switch role {
case infrav1.SecurityGroupBastion:
return infrav1.IngressRules{
Expand Down Expand Up @@ -551,7 +555,7 @@ func (s *Service) getSecurityGroupIngressRules(role infrav1.SecurityGroupRole) (
case infrav1.SecurityGroupNode:
rules := infrav1.IngressRules{
{
Description: "Node Port Services",
Description: "Node Port CIDR Blocks",
Protocol: infrav1.SecurityGroupProtocolTCP,
FromPort: 30000,
ToPort: 32767,
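Review bot: The NodePortCIDRBlocks override is applied to `cidrBlocks` before the `switch role`, so it changes every rule in this function that reads that variable, not just the node-port rule the field is named for; in the unchanged remainder of getSecurityGroupIngressRules (the function starts and ends outside these hunks) `cidrBlocks` appears to also feed the bastion SSH and control-plane API rules, which would then be narrowed to the node-port list without the user asking for it — please confirm against the full function. If so, a user who sets NodePortCIDRBlocks to an internal range could lock themselves out of the API endpoint while the field name suggests only NodePort traffic is affected. Scoping the override to the SecurityGroupNode case with its own variable keeps the other roles on their existing source ranges and also drops the duplicated s.scope.NetworkSpec() call; the rule's CidrBlocks field (just below the hunk's ToPort line) should then reference that variable and the four lines added above the switch go away.
```go
	case infrav1.SecurityGroupNode:
		// NodePortCIDRBlocks, when set, replaces 0.0.0.0/0 for the node-port rule only;
		// the other roles keep the unrestricted cidrBlocks computed above the switch.
		nodePortCIDRBlocks := cidrBlocks
		if blocks := s.scope.NetworkSpec().NodePortCIDRBlocks; len(blocks) != 0 {
			nodePortCIDRBlocks = blocks
		}
		rules := infrav1.IngressRules{
			{
				// … unchanged: Description, Protocol, FromPort, ToPort …
				CidrBlocks: nodePortCIDRBlocks,
			},
			// … unchanged: remaining node rules …
```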
48 changes: 48 additions & 0 deletions spectro/generated/core-global.yaml
Expand Up @@ -1053,6 +1053,12 @@ spec:
type: object
type: array
type: object
nodePortCIDRBlocks:
description: NodePortCIDRBlocks is a set of allowedCIDRBlocks
to use for cluster instances
items:
type: string
type: array
securityGroupOverrides:
additionalProperties:
type: string
Expand Down Expand Up @@ -1808,6 +1814,12 @@ spec:
type: object
type: array
type: object
nodePortCIDRBlocks:
description: NodePortCIDRBlocks is a set of allowedCIDRBlocks
to use for cluster instances
items:
type: string
type: array
securityGroupOverrides:
additionalProperties:
type: string
Expand Down Expand Up @@ -2660,6 +2672,12 @@ spec:
type: object
type: array
type: object
nodePortCIDRBlocks:
description: NodePortCIDRBlocks is a set of allowedCIDRBlocks
to use for cluster instances
items:
type: string
type: array
securityGroupOverrides:
additionalProperties:
type: string
Expand Down Expand Up @@ -3866,6 +3884,12 @@ spec:
type: object
type: array
type: object
nodePortCIDRBlocks:
description: NodePortCIDRBlocks is a set of allowedCIDRBlocks
to use for cluster instances
items:
type: string
type: array
securityGroupOverrides:
additionalProperties:
type: string
Expand Down Expand Up @@ -4299,6 +4323,12 @@ spec:
type: object
type: array
type: object
nodePortCIDRBlocks:
description: NodePortCIDRBlocks is a set of allowedCIDRBlocks
to use for cluster instances
items:
type: string
type: array
securityGroupOverrides:
additionalProperties:
type: string
Expand Down Expand Up @@ -9398,6 +9428,12 @@ spec:
type: object
type: array
type: object
nodePortCIDRBlocks:
description: NodePortCIDRBlocks is a set of allowedCIDRBlocks
to use for cluster instances
items:
type: string
type: array
securityGroupOverrides:
additionalProperties:
type: string
Expand Down Expand Up @@ -10414,6 +10450,12 @@ spec:
type: object
type: array
type: object
nodePortCIDRBlocks:
description: NodePortCIDRBlocks is a set of allowedCIDRBlocks
to use for cluster instances
items:
type: string
type: array
securityGroupOverrides:
additionalProperties:
type: string
Expand Down Expand Up @@ -11654,6 +11696,12 @@ spec:
type: object
type: array
type: object
nodePortCIDRBlocks:
description: NodePortCIDRBlocks is a set of allowedCIDRBlocks
to use for cluster instances
items:
type: string
type: array
securityGroupOverrides:
additionalProperties:
type: string
