securitygroup: allow setting allowed IPv6 CIDR for node NodePort services

tthvo · tthvo · commit 390d216b14d2 · 2025-08-05T11:04:58.000-07:00
For IPv4, we have field NodePortIngressRuleCidrBlocks that specifies the
allowed source IPv4 CIDR for node NodePort services on port 30000-32767.

This extends that field to also accept IPv6 source CIDRs.
diff --git a/api/v1beta2/network_types.go b/api/v1beta2/network_types.go
@@ -23,6 +23,7 @@ import (
 
 	"github.com/aws/aws-sdk-go-v2/service/ec2/types"
 	"github.com/aws/aws-sdk-go/aws"
+	"k8s.io/utils/net"
 	"k8s.io/utils/ptr"
 )
 
@@ -367,7 +368,32 @@ type NetworkSpec struct {
 	// NodePortIngressRuleCidrBlocks is an optional set of CIDR blocks to allow traffic to nodes' NodePort services.
 	// If none are specified here, all IPs are allowed to connect.
 	// +optional
-	NodePortIngressRuleCidrBlocks []string `json:"nodePortIngressRuleCidrBlocks,omitempty"`
+	NodePortIngressRuleCidrBlocks CidrBlocks `json:"nodePortIngressRuleCidrBlocks,omitempty"`
+}
+
+// CidrBlocks defines a set of CIDR blocks.
+type CidrBlocks []string
+
+// IPv4CidrBlocks returns only IPv4 CIDR blocks.
+func (c CidrBlocks) IPv4CidrBlocks() CidrBlocks {
+	var cidrs CidrBlocks
+	for _, cidr := range c {
+		if net.IsIPv4CIDRString(cidr) {
+			cidrs = append(cidrs, cidr)
+		}
+	}
+	return cidrs
+}
+
+// IPv6CidrBlocks returns only IPv6 CIDR blocks.
+func (c CidrBlocks) IPv6CidrBlocks() CidrBlocks {
+	var cidrs CidrBlocks
+	for _, cidr := range c {
+		if net.IsIPv6CIDRString(cidr) {
+			cidrs = append(cidrs, cidr)
+		}
+	}
+	return cidrs
 }
 
 // IPv6 contains ipv6 specific settings for the network.
diff --git a/api/v1beta2/zz_generated.deepcopy.go b/api/v1beta2/zz_generated.deepcopy.go
diff --git a/pkg/cloud/scope/cluster.go b/pkg/cloud/scope/cluster.go
@@ -450,6 +450,6 @@ func (s *ClusterScope) UnstructuredControlPlane() (*unstructured.Unstructured, e
 }
 
 // NodePortIngressRuleCidrBlocks returns the CIDR blocks for the node NodePort ingress rules.
-func (s *ClusterScope) NodePortIngressRuleCidrBlocks() []string {
+func (s *ClusterScope) NodePortIngressRuleCidrBlocks() infrav1.CidrBlocks {
 	return s.AWSCluster.Spec.NetworkSpec.DeepCopy().NodePortIngressRuleCidrBlocks
 }
diff --git a/pkg/cloud/scope/managedcontrolplane.go b/pkg/cloud/scope/managedcontrolplane.go
@@ -510,7 +510,7 @@ func (s *ManagedControlPlaneScope) UnstructuredControlPlane() (*unstructured.Uns
 }
 
 // NodePortIngressRuleCidrBlocks returns the CIDR blocks for the node NodePort ingress rules.
-func (s *ManagedControlPlaneScope) NodePortIngressRuleCidrBlocks() []string {
+func (s *ManagedControlPlaneScope) NodePortIngressRuleCidrBlocks() infrav1.CidrBlocks {
 	return nil
 }
 
diff --git a/pkg/cloud/scope/sg.go b/pkg/cloud/scope/sg.go
@@ -64,5 +64,5 @@ type SGScope interface {
 	ControlPlaneLoadBalancers() []*infrav1.AWSLoadBalancerSpec
 
 	// NodePortIngressRuleCidrBlocks returns the CIDR blocks for the node NodePort ingress rules.
-	NodePortIngressRuleCidrBlocks() []string
+	NodePortIngressRuleCidrBlocks() infrav1.CidrBlocks
 }
diff --git a/pkg/cloud/services/securitygroup/securitygroups.go b/pkg/cloud/services/securitygroup/securitygroups.go
@@ -647,17 +647,27 @@ func (s *Service) getSecurityGroupIngressRules(role infrav1.SecurityGroupRole) (
 		return append(cniRules, rules...), nil
 
 	case infrav1.SecurityGroupNode:
-		cidrBlocks := []string{services.AnyIPv4CidrBlock}
-		if scopeCidrBlocks := s.scope.NodePortIngressRuleCidrBlocks(); len(scopeCidrBlocks) > 0 {
-			cidrBlocks = scopeCidrBlocks
+		ipv4CidrBlocks := []string{services.AnyIPv4CidrBlock}
+		if scopeCidrBlocks := s.scope.NodePortIngressRuleCidrBlocks().IPv4CidrBlocks(); len(scopeCidrBlocks) > 0 {
+			ipv4CidrBlocks = scopeCidrBlocks
 		}
+
+		var ipv6CidrBlocks []string
+		if s.scope.VPC().IsIPv6Enabled() {
+			ipv6CidrBlocks = []string{services.AnyIPv6CidrBlock}
+			if scopeCidrBlocks := s.scope.NodePortIngressRuleCidrBlocks().IPv6CidrBlocks(); len(scopeCidrBlocks) > 0 {
+				ipv6CidrBlocks = scopeCidrBlocks
+			}
+		}
+
 		rules := infrav1.IngressRules{
 			{
-				Description: "Node Port Services",
-				Protocol:    infrav1.SecurityGroupProtocolTCP,
-				FromPort:    30000,
-				ToPort:      32767,
-				CidrBlocks:  cidrBlocks,
+				Description:    "Node Port Services",
+				Protocol:       infrav1.SecurityGroupProtocolTCP,
+				FromPort:       30000,
+				ToPort:         32767,
+				CidrBlocks:     ipv4CidrBlocks,
+				IPv6CidrBlocks: ipv6CidrBlocks,
 			},
 			{
 				Description: "Kubelet API",
@@ -671,18 +681,10 @@ func (s *Service) getSecurityGroupIngressRules(role infrav1.SecurityGroupRole) (
 				},
 			},
 		}
+
 		if s.scope.Bastion().Enabled {
 			rules = append(rules, s.defaultSSHIngressRule(s.scope.SecurityGroups()[infrav1.SecurityGroupBastion].ID))
 		}
-		if s.scope.VPC().IsIPv6Enabled() {
-			rules = append(rules, infrav1.IngressRule{
-				Description:    "Node Port Services IPv6",
-				Protocol:       infrav1.SecurityGroupProtocolTCP,
-				FromPort:       30000,
-				ToPort:         32767,
-				IPv6CidrBlocks: []string{services.AnyIPv6CidrBlock},
-			})
-		}
 
 		additionalIngressRules, err := s.processIngressRulesSGs(s.scope.AdditionalNodeIngressRules())
 		if err != nil {
diff --git a/pkg/cloud/services/securitygroup/securitygroups_test.go b/pkg/cloud/services/securitygroup/securitygroups_test.go
@@ -2332,12 +2332,29 @@ func TestNodePortServicesIngressRules(t *testing.T) {
 
 	testCases := []struct {
 		name                string
-		cidrBlocks          []string
+		awsCluster          *infrav1.AWSCluster
 		expectedIngresRules infrav1.IngressRules
 	}{
 		{
-			name:       "default node ports services ingress rules, no node port cidr block provided",
-			cidrBlocks: nil,
+			name: "default node ports services ingress rules, no node port cidr block provided",
+			awsCluster: &infrav1.AWSCluster{
+				Spec: infrav1.AWSClusterSpec{
+					ControlPlaneLoadBalancer: &infrav1.AWSLoadBalancerSpec{},
+					NetworkSpec: infrav1.NetworkSpec{
+						VPC: infrav1.VPCSpec{
+							CidrBlock: "10.0.0.0/16",
+						},
+					},
+				},
+				Status: infrav1.AWSClusterStatus{
+					Network: infrav1.NetworkStatus{
+						SecurityGroups: map[infrav1.SecurityGroupRole]infrav1.SecurityGroup{
+							infrav1.SecurityGroupControlPlane: {ID: "Id1"},
+							infrav1.SecurityGroupNode:         {ID: "Id2"},
+						},
+					},
+				},
+			},
 			expectedIngresRules: infrav1.IngressRules{
 				{
 					Description: "Node Port Services",
@@ -2356,8 +2373,65 @@ func TestNodePortServicesIngressRules(t *testing.T) {
 			},
 		},
 		{
-			name:       "node port cidr block provided, no default cidr block used for node port services ingress rule",
-			cidrBlocks: []string{"10.0.0.0/16"},
+			name: "default node ports services ingress rules for IPv6, no node port cidr block provided",
+			awsCluster: &infrav1.AWSCluster{
+				Spec: infrav1.AWSClusterSpec{
+					ControlPlaneLoadBalancer: &infrav1.AWSLoadBalancerSpec{},
+					NetworkSpec: infrav1.NetworkSpec{
+						VPC: infrav1.VPCSpec{
+							CidrBlock: "10.0.0.0/16",
+							IPv6:      &infrav1.IPv6{},
+						},
+					},
+				},
+				Status: infrav1.AWSClusterStatus{
+					Network: infrav1.NetworkStatus{
+						SecurityGroups: map[infrav1.SecurityGroupRole]infrav1.SecurityGroup{
+							infrav1.SecurityGroupControlPlane: {ID: "Id1"},
+							infrav1.SecurityGroupNode:         {ID: "Id2"},
+						},
+					},
+				},
+			},
+			expectedIngresRules: infrav1.IngressRules{
+				{
+					Description:    "Node Port Services",
+					Protocol:       infrav1.SecurityGroupProtocolTCP,
+					FromPort:       30000,
+					ToPort:         32767,
+					CidrBlocks:     []string{services.AnyIPv4CidrBlock},
+					IPv6CidrBlocks: []string{services.AnyIPv6CidrBlock},
+				},
+				{
+					Description:            "Kubelet API",
+					Protocol:               infrav1.SecurityGroupProtocolTCP,
+					FromPort:               10250,
+					ToPort:                 10250,
+					SourceSecurityGroupIDs: []string{"Id1", "Id2"},
+				},
+			},
+		},
+		{
+			name: "node port cidr block provided, no default cidr block used for node port services ingress rule",
+			awsCluster: &infrav1.AWSCluster{
+				Spec: infrav1.AWSClusterSpec{
+					ControlPlaneLoadBalancer: &infrav1.AWSLoadBalancerSpec{},
+					NetworkSpec: infrav1.NetworkSpec{
+						VPC: infrav1.VPCSpec{
+							CidrBlock: "10.0.0.0/16",
+						},
+						NodePortIngressRuleCidrBlocks: []string{"10.0.0.0/16"},
+					},
+				},
+				Status: infrav1.AWSClusterStatus{
+					Network: infrav1.NetworkStatus{
+						SecurityGroups: map[infrav1.SecurityGroupRole]infrav1.SecurityGroup{
+							infrav1.SecurityGroupControlPlane: {ID: "Id1"},
+							infrav1.SecurityGroupNode:         {ID: "Id2"},
+						},
+					},
+				},
+			},
 			expectedIngresRules: infrav1.IngressRules{
 				{
 					Description: "Node Port Services",
@@ -2375,6 +2449,90 @@ func TestNodePortServicesIngressRules(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "node port cidr block provided for only IPv6, no default cidr block used for node port services ingress rule",
+			awsCluster: &infrav1.AWSCluster{
+				Spec: infrav1.AWSClusterSpec{
+					ControlPlaneLoadBalancer: &infrav1.AWSLoadBalancerSpec{},
+					NetworkSpec: infrav1.NetworkSpec{
+						VPC: infrav1.VPCSpec{
+							CidrBlock: "10.0.0.0/16",
+							IPv6: &infrav1.IPv6{
+								CidrBlock: "2001:1234:5678:9a40::/56",
+							},
+						},
+						NodePortIngressRuleCidrBlocks: []string{"2001:1234:5678:9a40::/56"},
+					},
+				},
+				Status: infrav1.AWSClusterStatus{
+					Network: infrav1.NetworkStatus{
+						SecurityGroups: map[infrav1.SecurityGroupRole]infrav1.SecurityGroup{
+							infrav1.SecurityGroupControlPlane: {ID: "Id1"},
+							infrav1.SecurityGroupNode:         {ID: "Id2"},
+						},
+					},
+				},
+			},
+			expectedIngresRules: infrav1.IngressRules{
+				{
+					Description:    "Node Port Services",
+					Protocol:       infrav1.SecurityGroupProtocolTCP,
+					FromPort:       30000,
+					ToPort:         32767,
+					CidrBlocks:     []string{services.AnyIPv4CidrBlock},
+					IPv6CidrBlocks: []string{"2001:1234:5678:9a40::/56"},
+				},
+				{
+					Description:            "Kubelet API",
+					Protocol:               infrav1.SecurityGroupProtocolTCP,
+					FromPort:               10250,
+					ToPort:                 10250,
+					SourceSecurityGroupIDs: []string{"Id1", "Id2"},
+				},
+			},
+		},
+		{
+			name: "node port cidr block provided for both IPv4 and IPv6, no default cidr block used for node port services ingress rule",
+			awsCluster: &infrav1.AWSCluster{
+				Spec: infrav1.AWSClusterSpec{
+					ControlPlaneLoadBalancer: &infrav1.AWSLoadBalancerSpec{},
+					NetworkSpec: infrav1.NetworkSpec{
+						VPC: infrav1.VPCSpec{
+							CidrBlock: "10.0.0.0/16",
+							IPv6: &infrav1.IPv6{
+								CidrBlock: "2001:1234:5678:9a40::/56",
+							},
+						},
+						NodePortIngressRuleCidrBlocks: []string{"10.0.0.0/16", "2001:1234:5678:9a40::/56"},
+					},
+				},
+				Status: infrav1.AWSClusterStatus{
+					Network: infrav1.NetworkStatus{
+						SecurityGroups: map[infrav1.SecurityGroupRole]infrav1.SecurityGroup{
+							infrav1.SecurityGroupControlPlane: {ID: "Id1"},
+							infrav1.SecurityGroupNode:         {ID: "Id2"},
+						},
+					},
+				},
+			},
+			expectedIngresRules: infrav1.IngressRules{
+				{
+					Description:    "Node Port Services",
+					Protocol:       infrav1.SecurityGroupProtocolTCP,
+					FromPort:       30000,
+					ToPort:         32767,
+					CidrBlocks:     []string{"10.0.0.0/16"},
+					IPv6CidrBlocks: []string{"2001:1234:5678:9a40::/56"},
+				},
+				{
+					Description:            "Kubelet API",
+					Protocol:               infrav1.SecurityGroupProtocolTCP,
+					FromPort:               10250,
+					ToPort:                 10250,
+					SourceSecurityGroupIDs: []string{"Id1", "Id2"},
+				},
+			},
+		},
 	}
 
 	for _, tc := range testCases {
@@ -2384,25 +2542,7 @@ func TestNodePortServicesIngressRules(t *testing.T) {
 				Cluster: &clusterv1.Cluster{
 					ObjectMeta: metav1.ObjectMeta{Name: "test-cluster"},
 				},
-				AWSCluster: &infrav1.AWSCluster{
-					Spec: infrav1.AWSClusterSpec{
-						ControlPlaneLoadBalancer: &infrav1.AWSLoadBalancerSpec{},
-						NetworkSpec: infrav1.NetworkSpec{
-							VPC: infrav1.VPCSpec{
-								CidrBlock: "10.0.0.0/16",
-							},
-							NodePortIngressRuleCidrBlocks: tc.cidrBlocks,
-						},
-					},
-					Status: infrav1.AWSClusterStatus{
-						Network: infrav1.NetworkStatus{
-							SecurityGroups: map[infrav1.SecurityGroupRole]infrav1.SecurityGroup{
-								infrav1.SecurityGroupControlPlane: {ID: "Id1"},
-								infrav1.SecurityGroupNode:         {ID: "Id2"},
-							},
-						},
-					},
-				},
+				AWSCluster: tc.awsCluster,
 			})
 			if err != nil {
 				t.Fatalf("Failed to create test context: %v", err)

Original file line number	Diff line number	Diff line change
`@@ -450,6 +450,6 @@ func (s ClusterScope) UnstructuredControlPlane() (unstructured.Unstructured, e`
`450`	`450`	`}`
`451`	`451`
`452`	`452`	`// NodePortIngressRuleCidrBlocks returns the CIDR blocks for the node NodePort ingress rules.`
`453`		`-func (s *ClusterScope) NodePortIngressRuleCidrBlocks() []string {`
	`453`	`+func (s *ClusterScope) NodePortIngressRuleCidrBlocks() infrav1.CidrBlocks {`
`454`	`454`	`return s.AWSCluster.Spec.NetworkSpec.DeepCopy().NodePortIngressRuleCidrBlocks`
`455`	`455`	`}`
Original file line number	Diff line number	Diff line change
`@@ -510,7 +510,7 @@ func (s ManagedControlPlaneScope) UnstructuredControlPlane() (unstructured.Uns`
`510`	`510`	`}`
`511`	`511`
`512`	`512`	`// NodePortIngressRuleCidrBlocks returns the CIDR blocks for the node NodePort ingress rules.`
`513`		`-func (s *ManagedControlPlaneScope) NodePortIngressRuleCidrBlocks() []string {`
	`513`	`+func (s *ManagedControlPlaneScope) NodePortIngressRuleCidrBlocks() infrav1.CidrBlocks {`
`514`	`514`	`return nil`
`515`	`515`	`}`
`516`	`516`
Original file line number	Diff line number	Diff line change
`@@ -64,5 +64,5 @@ type SGScope interface {`
`64`	`64`	`ControlPlaneLoadBalancers() []*infrav1.AWSLoadBalancerSpec`
`65`	`65`
`66`	`66`	`// NodePortIngressRuleCidrBlocks returns the CIDR blocks for the node NodePort ingress rules.`
`67`		`- NodePortIngressRuleCidrBlocks() []string`
	`67`	`+ NodePortIngressRuleCidrBlocks() infrav1.CidrBlocks`
`68`	`68`	`}`