
Commit 44e9186

fix: set PublicAccessCidrs to [] when private only EP access
1 parent 1dfb164 commit 44e9186


2 files changed

+91
-1
lines changed


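--- a/pkg/cloud/services/eks/cluster.go
+++ b/pkg/cloud/services/eks/cluster.go
@@ -353,7 +353,9 @@ func makeVpcConfig(subnets infrav1.Subnets, endpointAccess ekscontrolplanev1.End
 SubnetIds: subnetIDs,
 }
 
-if len(cidrs) > 0 {
+isPrivateOnlyEndPoint := !aws.BoolValue(vpcConfig.EndpointPublicAccess) && aws.BoolValue(vpcConfig.EndpointPrivateAccess)
+
+if len(cidrs) > 0 || isPrivateOnlyEndPoint {
 vpcConfig.PublicAccessCidrs = cidrs
 }
 sg, ok := securityGroups[infrav1.SecurityGroupEKSNodeAdditional]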
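Review bot: The private-only branch assigns `cidrs` as-is, so if `cidrs` is a nil slice (which depends on how it is built above this hunk — e.g. when `PublicCIDRs` is left unset in the spec), `PublicAccessCidrs` stays nil, the SDK omits the field from the request, and a previously configured public allowlist is not cleared, which is the very case the commit title describes. A guard before the `if` makes the intent explicit: `if isPrivateOnlyEndPoint && cidrs == nil {` / `cidrs = []*string{}` / `}`, with a comment such as `// private-only endpoint: send an explicit empty list so any stale public CIDR allowlist is cleared`. Note also that `aws.BoolValue` on a nil `EndpointPublicAccess` yields false, so a spec that leaves the public flag unset is treated as private-only here; if the API defaults an unspecified public flag differently, that inference should be confirmed. As a naming nit, Go spells this `isPrivateOnlyEndpoint`. makeVpcConfig starts and ends outside the hunk.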

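--- a/pkg/cloud/services/eks/cluster_test.go
+++ b/pkg/cloud/services/eks/cluster_test.go
@@ -264,6 +264,94 @@ func TestMakeVPCConfig(t *testing.T) {
 PublicAccessCidrs: []*string{aws.String("10.0.0.0/24")},
 },
 },
+{
+name: "private only endpoint access",
+input: input{
+subnets: []infrav1.SubnetSpec{
+{
+ID: idOne,
+CidrBlock: "10.0.10.0/24",
+AvailabilityZone: "us-west-2a",
+IsPublic: false,
+},
+{
+ID: idTwo,
+CidrBlock: "10.0.10.1/24",
+AvailabilityZone: "us-west-2b",
+IsPublic: false,
+},
+},
+endpointAccess: ekscontrolplanev1.EndpointAccess{
+Private: aws.Bool(true),
+PublicCIDRs: []*string{},
+},
+},
+expect: &eks.VpcConfigRequest{
+SubnetIds: []*string{&idOne, &idTwo},
+PublicAccessCidrs: []*string{},
+EndpointPrivateAccess: aws.Bool(true),
+},
+},
+{
+name: "public and private endpoint access",
+input: input{
+subnets: []infrav1.SubnetSpec{
+{
+ID: idOne,
+CidrBlock: "10.0.10.0/24",
+AvailabilityZone: "us-west-2a",
+IsPublic: false,
+},
+{
+ID: idTwo,
+CidrBlock: "10.0.10.1/24",
+AvailabilityZone: "us-west-2b",
+IsPublic: false,
+},
+},
+endpointAccess: ekscontrolplanev1.EndpointAccess{
+Private: aws.Bool(true),
+Public: aws.Bool(true),
+PublicCIDRs: []*string{},
+},
+},
+expect: &eks.VpcConfigRequest{
+SubnetIds: []*string{&idOne, &idTwo},
+PublicAccessCidrs: nil,
+EndpointPrivateAccess: aws.Bool(true),
+EndpointPublicAccess: aws.Bool(true),
+},
+},
+{
+name: "public only endpoint access",
+input: input{
+subnets: []infrav1.SubnetSpec{
+{
+ID: idOne,
+CidrBlock: "10.0.10.0/24",
+AvailabilityZone: "us-west-2a",
+IsPublic: false,
+},
+{
+ID: idTwo,
+CidrBlock: "10.0.10.1/24",
+AvailabilityZone: "us-west-2b",
+IsPublic: false,
+},
+},
+endpointAccess: ekscontrolplanev1.EndpointAccess{
+Private: aws.Bool(false),
+Public: aws.Bool(true),
+PublicCIDRs: []*string{},
+},
+},
+expect: &eks.VpcConfigRequest{
+SubnetIds: []*string{&idOne, &idTwo},
+PublicAccessCidrs: nil,
+EndpointPrivateAccess: aws.Bool(false),
+EndpointPublicAccess: aws.Bool(true),
+},
+},
 }
 for _, tc := range testCases {
 t.Run(tc.name, func(t *testing.T) {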
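Review bot: All three new cases pass `PublicCIDRs: []*string{}`, so none of them exercises the input the fix is really about — a private-only spec that leaves `PublicCIDRs` unset (nil) — and the "private only endpoint access" expectation of a non-nil empty `PublicAccessCidrs` is only shown to hold for an explicitly empty input. Add a fourth case, e.g. `name: "private only endpoint access, public CIDRs unset",` with `Private: aws.Bool(true)` and no `PublicCIDRs` field, asserting `PublicAccessCidrs: []*string{}` in the expected request; whether that passes depends on how `cidrs` is derived in makeVpcConfig, which is outside this hunk, so the case would pin the contract either way. It would also be worth a comment on the private-only case explaining why an empty, non-nil list is expected (the request must carry the field so an existing public allowlist is cleared rather than left in place). TestMakeVPCConfig continues outside the hunk.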
