securitygroup: allow setting allowed IPv6 CIDR for node NodePort services

For IPv4, we have field NodePortIngressRuleCidrBlocks that specifies the
allowed source IPv4 CIDR for node NodePort services on port 30000-32767.

This extends that field to also accept IPv6 source CIDRs.

Author: tthvo

api/v1beta2/network_types.go

@@ -23,6 +23,7 @@ import (
 
 	"github.com/aws/aws-sdk-go-v2/service/ec2/types"
 	"github.com/aws/aws-sdk-go/aws"
+	"k8s.io/utils/net"
 	"k8s.io/utils/ptr"
 )
 
@@ -367,7 +368,32 @@ type NetworkSpec struct {
 	// NodePortIngressRuleCidrBlocks is an optional set of CIDR blocks to allow traffic to nodes' NodePort services.
 	// If none are specified here, all IPs are allowed to connect.
 	// +optional
-	NodePortIngressRuleCidrBlocks []string `json:"nodePortIngressRuleCidrBlocks,omitempty"`
+	NodePortIngressRuleCidrBlocks CidrBlocks `json:"nodePortIngressRuleCidrBlocks,omitempty"`
+}
+
+// CidrBlocks defines a set of CIDR blocks.
+type CidrBlocks []string
+
+// IPv4CidrBlocks returns only IPv4 CIDR blocks.
+func (c CidrBlocks) IPv4CidrBlocks() CidrBlocks {
+	var cidrs CidrBlocks
+	for _, cidr := range c {
+		if net.IsIPv4CIDRString(cidr) {
+			cidrs = append(cidrs, cidr)
+		}
+	}
+	return cidrs
+}
+
+// IPv6CidrBlocks returns only IPv6 CIDR blocks.
+func (c CidrBlocks) IPv6CidrBlocks() CidrBlocks {
+	var cidrs CidrBlocks
+	for _, cidr := range c {
+		if net.IsIPv6CIDRString(cidr) {
+			cidrs = append(cidrs, cidr)
+		}
+	}
+	return cidrs
 }
 
 // IPv6 contains ipv6 specific settings for the network.

api/v1beta2/zz_generated.deepcopy.go

@@ -450,6 +450,6 @@ func (s *ClusterScope) UnstructuredControlPlane() (*unstructured.Unstructured, e
 }
 
 // NodePortIngressRuleCidrBlocks returns the CIDR blocks for the node NodePort ingress rules.
-func (s *ClusterScope) NodePortIngressRuleCidrBlocks() []string {
+func (s *ClusterScope) NodePortIngressRuleCidrBlocks() infrav1.CidrBlocks {
 	return s.AWSCluster.Spec.NetworkSpec.DeepCopy().NodePortIngressRuleCidrBlocks
 }

pkg/cloud/scope/cluster.go

@@ -510,7 +510,7 @@ func (s *ManagedControlPlaneScope) UnstructuredControlPlane() (*unstructured.Uns
 }
 
 // NodePortIngressRuleCidrBlocks returns the CIDR blocks for the node NodePort ingress rules.
-func (s *ManagedControlPlaneScope) NodePortIngressRuleCidrBlocks() []string {
+func (s *ManagedControlPlaneScope) NodePortIngressRuleCidrBlocks() infrav1.CidrBlocks {
 	return nil
 }
 

pkg/cloud/scope/managedcontrolplane.go

@@ -64,5 +64,5 @@ type SGScope interface {
 	ControlPlaneLoadBalancers() []*infrav1.AWSLoadBalancerSpec
 
 	// NodePortIngressRuleCidrBlocks returns the CIDR blocks for the node NodePort ingress rules.
-	NodePortIngressRuleCidrBlocks() []string
+	NodePortIngressRuleCidrBlocks() infrav1.CidrBlocks
 }

pkg/cloud/scope/sg.go

@@ -647,17 +647,27 @@ func (s *Service) getSecurityGroupIngressRules(role infrav1.SecurityGroupRole) (
 		return append(cniRules, rules...), nil
 
 	case infrav1.SecurityGroupNode:
-		cidrBlocks := []string{services.AnyIPv4CidrBlock}
-		if scopeCidrBlocks := s.scope.NodePortIngressRuleCidrBlocks(); len(scopeCidrBlocks) > 0 {
-			cidrBlocks = scopeCidrBlocks
+		ipv4CidrBlocks := []string{services.AnyIPv4CidrBlock}
+		if scopeCidrBlocks := s.scope.NodePortIngressRuleCidrBlocks().IPv4CidrBlocks(); len(scopeCidrBlocks) > 0 {
+			ipv4CidrBlocks = scopeCidrBlocks
 		}
+
+		var ipv6CidrBlocks []string
+		if s.scope.VPC().IsIPv6Enabled() {
+			ipv6CidrBlocks = []string{services.AnyIPv6CidrBlock}
+			if scopeCidrBlocks := s.scope.NodePortIngressRuleCidrBlocks().IPv6CidrBlocks(); len(scopeCidrBlocks) > 0 {
+				ipv6CidrBlocks = scopeCidrBlocks
+			}
+		}
+
 		rules := infrav1.IngressRules{
 			{
-				Description: "Node Port Services",
-				Protocol:    infrav1.SecurityGroupProtocolTCP,
-				FromPort:    30000,
-				ToPort:      32767,
-				CidrBlocks:  cidrBlocks,
+				Description:    "Node Port Services",
+				Protocol:       infrav1.SecurityGroupProtocolTCP,
+				FromPort:       30000,
+				ToPort:         32767,
+				CidrBlocks:     ipv4CidrBlocks,
+				IPv6CidrBlocks: ipv6CidrBlocks,
 			},
 			{
 				Description: "Kubelet API",
@@ -671,18 +681,10 @@ func (s *Service) getSecurityGroupIngressRules(role infrav1.SecurityGroupRole) (
 				},
 			},
 		}
+
 		if s.scope.Bastion().Enabled {
 			rules = append(rules, s.defaultSSHIngressRule(s.scope.SecurityGroups()[infrav1.SecurityGroupBastion].ID))
 		}
-		if s.scope.VPC().IsIPv6Enabled() {
-			rules = append(rules, infrav1.IngressRule{
-				Description:    "Node Port Services IPv6",
-				Protocol:       infrav1.SecurityGroupProtocolTCP,
-				FromPort:       30000,
-				ToPort:         32767,
-				IPv6CidrBlocks: []string{services.AnyIPv6CidrBlock},
-			})
-		}
 
 		additionalIngressRules, err := s.processIngressRulesSGs(s.scope.AdditionalNodeIngressRules())
 		if err != nil {

pkg/cloud/services/securitygroup/securitygroups.go

@@ -2332,12 +2332,16 @@ func TestNodePortServicesIngressRules(t *testing.T) {
 
 	testCases := []struct {
 		name                string
-		cidrBlocks          []string
+		networkSpec         infrav1.NetworkSpec
 		expectedIngresRules infrav1.IngressRules
 	}{
 		{
-			name:       "default node ports services ingress rules, no node port cidr block provided",
-			cidrBlocks: nil,
+			name: "default node ports services ingress rules, no node port cidr block provided",
+			networkSpec: infrav1.NetworkSpec{
+				VPC: infrav1.VPCSpec{
+					CidrBlock: "10.0.0.0/16",
+				},
+			},
 			expectedIngresRules: infrav1.IngressRules{
 				{
 					Description: "Node Port Services",
@@ -2356,8 +2360,39 @@ func TestNodePortServicesIngressRules(t *testing.T) {
 			},
 		},
 		{
-			name:       "node port cidr block provided, no default cidr block used for node port services ingress rule",
-			cidrBlocks: []string{"10.0.0.0/16"},
+			name: "default node ports services ingress rules for IPv6, no node port cidr block provided",
+			networkSpec: infrav1.NetworkSpec{
+				VPC: infrav1.VPCSpec{
+					CidrBlock: "10.0.0.0/16",
+					IPv6:      &infrav1.IPv6{},
+				},
+			},
+			expectedIngresRules: infrav1.IngressRules{
+				{
+					Description:    "Node Port Services",
+					Protocol:       infrav1.SecurityGroupProtocolTCP,
+					FromPort:       30000,
+					ToPort:         32767,
+					CidrBlocks:     []string{services.AnyIPv4CidrBlock},
+					IPv6CidrBlocks: []string{services.AnyIPv6CidrBlock},
+				},
+				{
+					Description:            "Kubelet API",
+					Protocol:               infrav1.SecurityGroupProtocolTCP,
+					FromPort:               10250,
+					ToPort:                 10250,
+					SourceSecurityGroupIDs: []string{"Id1", "Id2"},
+				},
+			},
+		},
+		{
+			name: "node port cidr block provided, no default cidr block used for node port services ingress rule",
+			networkSpec: infrav1.NetworkSpec{
+				VPC: infrav1.VPCSpec{
+					CidrBlock: "10.0.0.0/16",
+				},
+				NodePortIngressRuleCidrBlocks: []string{"10.0.0.0/16"},
+			},
 			expectedIngresRules: infrav1.IngressRules{
 				{
 					Description: "Node Port Services",
@@ -2375,6 +2410,64 @@ func TestNodePortServicesIngressRules(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "node port cidr block provided for only IPv6, no default cidr block used for node port services ingress rule",
+			networkSpec: infrav1.NetworkSpec{
+				VPC: infrav1.VPCSpec{
+					CidrBlock: "10.0.0.0/16",
+					IPv6: &infrav1.IPv6{
+						CidrBlock: "2001:1234:5678:9a40::/56",
+					},
+				},
+				NodePortIngressRuleCidrBlocks: []string{"2001:1234:5678:9a40::/56"},
+			},
+			expectedIngresRules: infrav1.IngressRules{
+				{
+					Description:    "Node Port Services",
+					Protocol:       infrav1.SecurityGroupProtocolTCP,
+					FromPort:       30000,
+					ToPort:         32767,
+					CidrBlocks:     []string{services.AnyIPv4CidrBlock},
+					IPv6CidrBlocks: []string{"2001:1234:5678:9a40::/56"},
+				},
+				{
+					Description:            "Kubelet API",
+					Protocol:               infrav1.SecurityGroupProtocolTCP,
+					FromPort:               10250,
+					ToPort:                 10250,
+					SourceSecurityGroupIDs: []string{"Id1", "Id2"},
+				},
+			},
+		},
+		{
+			name: "node port cidr block provided for both IPv4 and IPv6, no default cidr block used for node port services ingress rule",
+			networkSpec: infrav1.NetworkSpec{
+				VPC: infrav1.VPCSpec{
+					CidrBlock: "10.0.0.0/16",
+					IPv6: &infrav1.IPv6{
+						CidrBlock: "2001:1234:5678:9a40::/56",
+					},
+				},
+				NodePortIngressRuleCidrBlocks: []string{"10.0.0.0/16", "2001:1234:5678:9a40::/56"},
+			},
+			expectedIngresRules: infrav1.IngressRules{
+				{
+					Description:    "Node Port Services",
+					Protocol:       infrav1.SecurityGroupProtocolTCP,
+					FromPort:       30000,
+					ToPort:         32767,
+					CidrBlocks:     []string{"10.0.0.0/16"},
+					IPv6CidrBlocks: []string{"2001:1234:5678:9a40::/56"},
+				},
+				{
+					Description:            "Kubelet API",
+					Protocol:               infrav1.SecurityGroupProtocolTCP,
+					FromPort:               10250,
+					ToPort:                 10250,
+					SourceSecurityGroupIDs: []string{"Id1", "Id2"},
+				},
+			},
+		},
 	}
 
 	for _, tc := range testCases {
@@ -2387,12 +2480,7 @@ func TestNodePortServicesIngressRules(t *testing.T) {
 				AWSCluster: &infrav1.AWSCluster{
 					Spec: infrav1.AWSClusterSpec{
 						ControlPlaneLoadBalancer: &infrav1.AWSLoadBalancerSpec{},
-						NetworkSpec: infrav1.NetworkSpec{
-							VPC: infrav1.VPCSpec{
-								CidrBlock: "10.0.0.0/16",
-							},
-							NodePortIngressRuleCidrBlocks: tc.cidrBlocks,
-						},
+						NetworkSpec:              tc.networkSpec,
 					},
 					Status: infrav1.AWSClusterStatus{
 						Network: infrav1.NetworkStatus{