Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

✨ Allow more permissive extensibility for securityRules #5525

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

✨ Allow more permissive extensibility for securityRules #5525

wants to merge 1 commit into from

Conversation

Danil-Grigorev
Copy link
Member

@Danil-Grigorev Danil-Grigorev commented Mar 28, 2025
edited
Loading

What type of PR is this?

/kind feature

What this PR does / why we need it:

This change improves UX while using CAPZ with RKE2 provider, by allowing to specify only additional security rules on the AzureCluster resource, and making existing security rule defaults for APIServer and SSH port more permissive and based on destination port selection.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #5511

Special notes for your reviewer:

TODOs:

  • squashed commits
  • includes documentation
  • adds unit tests
  • cherry-pick candidate

Release note:

Improved `securityRules` selection for the `RKE2` provider. Defaulting now checks for ports `6443` and `22` in the existing list and appends them if missing, allowing users to specify only additional rules instead of the full set, when an additional rule is needed.

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Mar 28, 2025
@k8s-ci-robot k8s-ci-robot requested review from Jont828 and nojnhuh March 28, 2025 14:27
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign justinsb for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Mar 28, 2025
@codecov Codecov
Copy link

codecov bot commented Mar 28, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 76.31579% with 9 lines in your changes missing coverage. Please review.

Project coverage is 52.61%. Comparing base (1c6a5d3) to head (fbe11d7).

Files with missing lines Patch % Lines
api/v1beta1/types.go 0.00% 9 Missing ⚠️
Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #5525   +/-   ##
=======================================
  Coverage   52.61%   52.61%           
=======================================
  Files         272      272           
  Lines       29485    29507   +22     
=======================================
+ Hits        15513    15526   +13     
- Misses      13165    13174    +9     
  Partials      807      807

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Mar 28, 2025
@Danil-Grigorev Danil-Grigorev force-pushed the extend-security-rules branch from bec7326 to fbe11d7 Compare March 28, 2025 14:37
@Danil-Grigorev Danil-Grigorev mentioned this pull request Mar 28, 2025
Open
jackfrancis
jackfrancis reviewed Mar 28, 2025
View reviewed changes
api/v1beta1/types.go
@@ -893,6 +893,20 @@ func (s SubnetSpec) IsIPv6Enabled() bool {
return false
}

// GetSecurityRuleByDestination returns security group rule, which matches provided destination ports.
func (s SubnetSpec) GetSecurityRuleByDestination(ports string) *SecurityRule {
if s.SecurityGroup.SecurityRules == nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wrapping the below for loop in if s.SecurityGroup.SecurityRules != nil { is equivalent and allows us to remove the add'l return nil response (we don't need a specific nil return for this condition because the default return before exiting the function is nil)

jackfrancis
jackfrancis reviewed Mar 28, 2025
View reviewed changes
azure/scope/cluster.go
@@ -1020,9 +1020,18 @@ func (s *ClusterScope) SetControlPlaneSecurityRules() {
if !s.ControlPlaneEnabled() {
return
}
if s.ControlPlaneSubnet().SecurityGroup.SecurityRules == nil {

subnet := s.ControlPlaneSubnet()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in this flow where are we adding any user-provided security rules? (for example if a user specifies TCP 9345)

or is that elsewhere and the purpose of this change is to filter out 22 and apiserver port if it's not included?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jackfrancis jackfrancis jackfrancis left review comments

@Jont828 Jont828 Awaiting requested review from Jont828

@nojnhuh nojnhuh Awaiting requested review from nojnhuh

Assignees
No one assigned
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
CAPZ Planning
Status: Todo
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Implement arbitrary additional ingress rules to support CAPRKE2
3 participants
@Danil-Grigorev @k8s-ci-robot @jackfrancis