-
Notifications
You must be signed in to change notification settings - Fork 578
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
🐛 fix(securitygroups): Look up unmanaged NAT Gateway IPs, so provider doesn't add 0.0.0.0/0 SG rule #5198
base: main
Are you sure you want to change the base?
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Hi @sl1pm4t. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
/ok-to-test |
/retest |
58c52aa
to
f77078a
Compare
/test ? |
@richardcase: The following commands are available to trigger required jobs:
The following commands are available to trigger optional jobs:
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
/test pull-cluster-api-provider-aws-e2e |
/retest |
/test pull-cluster-api-provider-aws-e2e |
/retest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Change looks mostly fine. Did you manually test this? I'm wondering why tests are failing.
Yes I have tested the change, and we are using regularly in our fork. I have not attempted to run the e2e test suite locally though, as I'm not familiar with them and not sure how to run against our own infrastructure. |
@AndiDog I will add, the tests seem to fail on something different each time, so I'm not sure it's related to my change. |
Update pkg/cloud/services/network/natgateways.go Co-authored-by: Andreas Sommer <[email protected]>
7e91d1b
to
ff07d10
Compare
/retest |
This is a great change! Thank you. I needed this, too. |
/test pull-cluster-api-provider-aws-e2e |
@sl1pm4t: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
What type of PR is this?
/kind bug
What this PR does / why we need it:
This fixes an issue that caused the provider to add a security group rule allowing all addresses (
0.0.0.0/0
) access to the workload cluster API Server, if a cluster was created on an unmanaged VPC. The rule would be added even if the user had provided a list of source address inspec.controlPlaneLoadBalancer.ingressRules
.The rule was being added so the kubelets could reach the API, but
0.0.0.0/0
was a fall back source if the NAT Gateway IPs were not (yet) known. Prior to this PR, In the case of unmanaged VPC, the NAT Gateways IPs were never retrieved sogetIngressRulesToAllowKubeletToAccessTheControlPlaneLB()
in securitygroups.go would always fall back to using0.0.0.0/0
.Which issue(s) this PR fixes :
Fixes #5196
Special notes for your reviewer:
Checklist:
Release note: