wip: replacing ALL sources

Signed-off-by: Richard Case <[email protected]>

Author: richardcase

api/v1beta1/zz_generated.conversion.go

@@ -252,6 +252,12 @@ type AWSLoadBalancerSpec struct {
 	// PreserveClientIP lets the user control if preservation of client ips must be retained or not.
 	// If this is enabled 6443 will be opened to 0.0.0.0/0.
 	PreserveClientIP bool `json:"preserveClientIP,omitempty"`
+
+	// DefaultAllowedSourceCidrs is a list of allowed cidr blocks to allow as the source in the inbound rules for
+	// the api server security group. If not supplied then it defaults to 0.0.0.0/0 for an IPv4 vpc or ::/o for
+	// a IPv6 vpc. This is ignored if IngressRules are explicitly supplied.
+	// +optional
+	DefaultAllowedSourceCidrs []string `json:"defaultAllowedSourceCidrs,omitempty"`
 }
 
 // AdditionalListenerSpec defines the desired state of an

api/v1beta2/awscluster_types.go

@@ -1079,6 +1079,14 @@ spec:
 
                       Defaults to false.
                     type: boolean
+                  defaultAllowedSourceCidrs:
+                    description: |-
+                      DefaultAllowedSourceCidrs is a list of allowed cidr blocks to allow as the source in the inbound rules for
+                      the api server security group. If not supplied then it defaults to 0.0.0.0/0 for an IPv4 vpc or ::/o for
+                      a IPv6 vpc. This is ignored if IngressRules are explicitly supplied.
+                    items:
+                      type: string
+                    type: array
                   disableHostsRewrite:
                     description: |-
                       DisableHostsRewrite disabled the hair pinning issue solution that adds the NLB's address as 127.0.0.1 to the hosts
@@ -1886,6 +1894,14 @@ spec:
 
                       Defaults to false.
                     type: boolean
+                  defaultAllowedSourceCidrs:
+                    description: |-
+                      DefaultAllowedSourceCidrs is a list of allowed cidr blocks to allow as the source in the inbound rules for
+                      the api server security group. If not supplied then it defaults to 0.0.0.0/0 for an IPv4 vpc or ::/o for
+                      a IPv6 vpc. This is ignored if IngressRules are explicitly supplied.
+                    items:
+                      type: string
+                    type: array
                   disableHostsRewrite:
                     description: |-
                       DisableHostsRewrite disabled the hair pinning issue solution that adds the NLB's address as 127.0.0.1 to the hosts

api/v1beta2/zz_generated.deepcopy.go

@@ -671,6 +671,14 @@ spec:
 
                               Defaults to false.
                             type: boolean
+                          defaultAllowedSourceCidrs:
+                            description: |-
+                              DefaultAllowedSourceCidrs is a list of allowed cidr blocks to allow as the source in the inbound rules for
+                              the api server security group. If not supplied then it defaults to 0.0.0.0/0 for an IPv4 vpc or ::/o for
+                              a IPv6 vpc. This is ignored if IngressRules are explicitly supplied.
+                            items:
+                              type: string
+                            type: array
                           disableHostsRewrite:
                             description: |-
                               DisableHostsRewrite disabled the hair pinning issue solution that adds the NLB's address as 127.0.0.1 to the hosts
@@ -1487,6 +1495,14 @@ spec:
 
                               Defaults to false.
                             type: boolean
+                          defaultAllowedSourceCidrs:
+                            description: |-
+                              DefaultAllowedSourceCidrs is a list of allowed cidr blocks to allow as the source in the inbound rules for
+                              the api server security group. If not supplied then it defaults to 0.0.0.0/0 for an IPv4 vpc or ::/o for
+                              a IPv6 vpc. This is ignored if IngressRules are explicitly supplied.
+                            items:
+                              type: string
+                            type: array
                           disableHostsRewrite:
                             description: |-
                               DisableHostsRewrite disabled the hair pinning issue solution that adds the NLB's address as 127.0.0.1 to the hosts

config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml

@@ -235,6 +235,20 @@ func (s *ClusterScope) ControlPlaneEndpoint() clusterv1.APIEndpoint {
 // 	return []string{cloud.AnyIPv4CidrBlock}
 // }
 
+// DefaultAllowedAPIServerSources returns the cidr blocks to be used as the default allowed sources in the api server
+// security group inbound rule. Defaults to 0.0.0.0/0 or ::/0
+func (s *ClusterScope) DefaultAllowedAPIServerSources(ipv6 bool) []string {
+	if s.AWSCluster.Spec.ControlPlaneLoadBalancer == nil || len(s.AWSCluster.Spec.ControlPlaneLoadBalancer.DefaultAllowedSourceCidrs) == 0 {
+		if ipv6 {
+			return []string{cloud.AnyIPv6CidrBlock}
+		} else {
+			return []string{cloud.AnyIPv4CidrBlock}
+		}
+	}
+
+	return s.AWSCluster.Spec.ControlPlaneLoadBalancer.DefaultAllowedSourceCidrs
+}
+
 // Bucket returns the cluster bucket configuration.
 func (s *ClusterScope) Bucket() *infrav1.S3Bucket {
 	return s.AWSCluster.Spec.S3Bucket

config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustertemplates.yaml

@@ -243,6 +243,15 @@ func (s *ManagedControlPlaneScope) SecurityGroupOverrides() map[infrav1.Security
 // 	return []string{cloud.AnyIPv4CidrBlock}
 // }
 
+// DefaultAllowedAPIServerSources returns the cidr blocks to be used as the default allowed sources in the api server
+// security group inbound rule. Defaults to 0.0.0.0/0
+func (s *ManagedControlPlaneScope) DefaultAllowedAPIServerSources(ipv6 bool) []string {
+	if ipv6 {
+		return []string{cloud.AnyIPv6CidrBlock}
+	}
+	return []string{cloud.AnyIPv4CidrBlock}
+}
+
 // Name returns the CAPI cluster name.
 func (s *ManagedControlPlaneScope) Name() string {
 	return s.Cluster.Name

pkg/cloud/scope/cluster.go

@@ -62,4 +62,8 @@ type SGScope interface {
 
 	// NodePortIngressRuleCidrBlocks returns the CIDR blocks for the node NodePort ingress rules.
 	NodePortIngressRuleCidrBlocks() []string
+
+	// DefaultAllowedAPIServerSources returns the cidr blocks to be used as the default allowed sources in the api server
+	// security group inbound rule. Defaults to 0.0.0.0/0 for IPv4 and the equivalent for IPV6.
+	DefaultAllowedAPIServerSources(ipv6 bool) []string
 }

pkg/cloud/scope/managedcontrolplane.go

@@ -977,7 +977,7 @@ func (s *Service) getIngressRuleToAllowAnyIPInTheAPIServer() infrav1.IngressRule
 				Protocol:       infrav1.SecurityGroupProtocolTCP,
 				FromPort:       int64(s.scope.APIServerPort()),
 				ToPort:         int64(s.scope.APIServerPort()),
-				IPv6CidrBlocks: []string{cloud.AnyIPv6CidrBlock},
+				IPv6CidrBlocks: s.scope.DefaultAllowedAPIServerSources(true),
 			},
 		}
 	}
@@ -988,7 +988,7 @@ func (s *Service) getIngressRuleToAllowAnyIPInTheAPIServer() infrav1.IngressRule
 			Protocol:    infrav1.SecurityGroupProtocolTCP,
 			FromPort:    int64(s.scope.APIServerPort()),
 			ToPort:      int64(s.scope.APIServerPort()),
-			CidrBlocks:  []string{cloud.AnyIPv4CidrBlock},
+			CidrBlocks:  s.scope.DefaultAllowedAPIServerSources(false),
 		},
 	}
 }