securitygroup: allow configuring IPv6 source CIDRs for bastion SSH

tthvo · tthvo · commit fdc8bf85fea4 · 2025-08-05T11:10:59.000-07:00
We need an option to configure IPv6 source CIDRs for SSH ingress rule of
the bastion host.

This extends the field allowedCIDRBlocks to also accepts IPv6 CIDR blocks.
diff --git a/api/v1beta1/zz_generated.conversion.go b/api/v1beta1/zz_generated.conversion.go
diff --git a/api/v1beta2/awscluster_types.go b/api/v1beta2/awscluster_types.go
@@ -152,8 +152,9 @@ type Bastion struct {
 
 	// AllowedCIDRBlocks is a list of CIDR blocks allowed to access the bastion host.
 	// They are set as ingress rules for the Bastion host's Security Group (defaults to 0.0.0.0/0).
+	// If the cluster has IPv6 enabled, defaults to ::/0 and 0.0.0.0/0.
 	// +optional
-	AllowedCIDRBlocks []string `json:"allowedCIDRBlocks,omitempty"`
+	AllowedCIDRBlocks CidrBlocks `json:"allowedCIDRBlocks,omitempty"`
 
 	// InstanceType will use the specified instance type for the bastion. If not specified,
 	// Cluster API Provider AWS will use t3.micro for all regions except us-east-1, where t2.micro
diff --git a/api/v1beta2/awscluster_webhook_test.go b/api/v1beta2/awscluster_webhook_test.go
@@ -1353,6 +1353,7 @@ func TestAWSClusterValidateAllowedCIDRBlocks(t *testing.T) {
 						AllowedCIDRBlocks: []string{
 							"192.168.0.0/16",
 							"192.168.0.1/32",
+							"2001:1234:5678:9a40::/56",
 						},
 					},
 				},
@@ -1379,6 +1380,7 @@ func TestAWSClusterValidateAllowedCIDRBlocks(t *testing.T) {
 						AllowedCIDRBlocks: []string{
 							"192.168.0.0/16",
 							"192.168.0.1/32",
+							"2001:1234:5678:9a40::/56",
 						},
 						DisableIngressRules: true,
 					},
@@ -1393,6 +1395,7 @@ func TestAWSClusterValidateAllowedCIDRBlocks(t *testing.T) {
 					Bastion: Bastion{
 						AllowedCIDRBlocks: []string{
 							"100.200.300.400/99",
+							"2001:1234:5678:9a40::/129",
 						},
 					},
 				},
@@ -1445,6 +1448,7 @@ func TestAWSClusterDefaultAllowedCIDRBlocks(t *testing.T) {
 					Bastion: Bastion{
 						AllowedCIDRBlocks: []string{
 							"0.0.0.0/0",
+							"::/0",
 						},
 					},
 				},
@@ -1455,7 +1459,7 @@ func TestAWSClusterDefaultAllowedCIDRBlocks(t *testing.T) {
 			beforeCluster: &AWSCluster{
 				Spec: AWSClusterSpec{
 					Bastion: Bastion{
-						AllowedCIDRBlocks:   []string{"0.0.0.0/0"},
+						AllowedCIDRBlocks:   []string{"0.0.0.0/0", "::/0"},
 						DisableIngressRules: true,
 						Enabled:             true,
 					},
diff --git a/api/v1beta2/defaults.go b/api/v1beta2/defaults.go
@@ -26,7 +26,7 @@ import (
 func SetDefaults_Bastion(obj *Bastion) { //nolint:golint,stylecheck
 	// Default to allow open access to the bastion host if no CIDR Blocks have been set
 	if len(obj.AllowedCIDRBlocks) == 0 && !obj.DisableIngressRules {
-		obj.AllowedCIDRBlocks = []string{"0.0.0.0/0"}
+		obj.AllowedCIDRBlocks = []string{"0.0.0.0/0", "::/0"}
 	}
 }
 
diff --git a/api/v1beta2/zz_generated.deepcopy.go b/api/v1beta2/zz_generated.deepcopy.go
diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml
@@ -121,6 +121,7 @@ spec:
                     description: |-
                       AllowedCIDRBlocks is a list of CIDR blocks allowed to access the bastion host.
                       They are set as ingress rules for the Bastion host's Security Group (defaults to 0.0.0.0/0).
+                      If the cluster has IPv6 enabled, defaults to ::/0 and 0.0.0.0/0.
                     items:
                       type: string
                     type: array
@@ -2271,6 +2272,7 @@ spec:
                     description: |-
                       AllowedCIDRBlocks is a list of CIDR blocks allowed to access the bastion host.
                       They are set as ingress rules for the Bastion host's Security Group (defaults to 0.0.0.0/0).
+                      If the cluster has IPv6 enabled, defaults to ::/0 and 0.0.0.0/0.
                     items:
                       type: string
                     type: array
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml
@@ -946,6 +946,7 @@ spec:
                     description: |-
                       AllowedCIDRBlocks is a list of CIDR blocks allowed to access the bastion host.
                       They are set as ingress rules for the Bastion host's Security Group (defaults to 0.0.0.0/0).
+                      If the cluster has IPv6 enabled, defaults to ::/0 and 0.0.0.0/0.
                     items:
                       type: string
                     type: array
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustertemplates.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustertemplates.yaml
@@ -524,6 +524,7 @@ spec:
                             description: |-
                               AllowedCIDRBlocks is a list of CIDR blocks allowed to access the bastion host.
                               They are set as ingress rules for the Bastion host's Security Group (defaults to 0.0.0.0/0).
+                              If the cluster has IPv6 enabled, defaults to ::/0 and 0.0.0.0/0.
                             items:
                               type: string
                             type: array
diff --git a/controlplane/eks/api/v1beta2/awsmanagedcontrolplane_webhook_test.go b/controlplane/eks/api/v1beta2/awsmanagedcontrolplane_webhook_test.go
@@ -39,7 +39,7 @@ var (
 
 func TestDefaultingWebhook(t *testing.T) {
 	defaultTestBastion := infrav1.Bastion{
-		AllowedCIDRBlocks: []string{"0.0.0.0/0"},
+		AllowedCIDRBlocks: []string{"0.0.0.0/0", "::/0"},
 	}
 	AZUsageLimit := 3
 	defaultVPCSpec := infrav1.VPCSpec{
@@ -147,14 +147,14 @@ func TestDefaultingWebhook(t *testing.T) {
 			expectHash:   false,
 			spec: AWSManagedControlPlaneSpec{
 				Bastion: infrav1.Bastion{
-					AllowedCIDRBlocks: []string{"100.100.100.100/0"},
+					AllowedCIDRBlocks: []string{"100.100.100.100/0", "2001:1234:5678:9a40::/56"},
 				},
 			},
 			expectSpec: AWSManagedControlPlaneSpec{
 				EKSClusterName: "default_cluster1",
 				IdentityRef:    defaultIdentityRef,
 				Bastion: infrav1.Bastion{
-					AllowedCIDRBlocks: []string{"100.100.100.100/0"},
+					AllowedCIDRBlocks: []string{"100.100.100.100/0", "2001:1234:5678:9a40::/56"},
 				},
 				NetworkSpec:                defaultNetworkSpec,
 				TokenMethod:                &EKSTokenMethodIAMAuthenticator,
diff --git a/pkg/cloud/services/securitygroup/securitygroups.go b/pkg/cloud/services/securitygroup/securitygroups.go
@@ -596,13 +596,19 @@ func (s *Service) getSecurityGroupIngressRules(role infrav1.SecurityGroupRole) (
 	}
 	switch role {
 	case infrav1.SecurityGroupBastion:
+		ipv4CidrBlocks := s.scope.Bastion().AllowedCIDRBlocks.IPv4CidrBlocks()
+		var ipv6CidrBlocks []string
+		if s.scope.VPC().IsIPv6Enabled() {
+			ipv6CidrBlocks = s.scope.Bastion().AllowedCIDRBlocks.IPv6CidrBlocks()
+		}
 		return infrav1.IngressRules{
 			{
-				Description: "SSH",
-				Protocol:    infrav1.SecurityGroupProtocolTCP,
-				FromPort:    22,
-				ToPort:      22,
-				CidrBlocks:  s.scope.Bastion().AllowedCIDRBlocks,
+				Description:    "SSH",
+				Protocol:       infrav1.SecurityGroupProtocolTCP,
+				FromPort:       22,
+				ToPort:         22,
+				CidrBlocks:     ipv4CidrBlocks,
+				IPv6CidrBlocks: ipv6CidrBlocks,
 			},
 		}, nil
 	case infrav1.SecurityGroupControlPlane:

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ import (`
`26`	`26`	`func SetDefaults_Bastion(obj *Bastion) { //nolint:golint,stylecheck`
`27`	`27`	`// Default to allow open access to the bastion host if no CIDR Blocks have been set`
`28`	`28`	`if len(obj.AllowedCIDRBlocks) == 0 && !obj.DisableIngressRules {`
`29`		`- obj.AllowedCIDRBlocks = []string{"0.0.0.0/0"}`
	`29`	`+ obj.AllowedCIDRBlocks = []string{"0.0.0.0/0", "::/0"}`
`30`	`30`	`}`
`31`	`31`	`}`
`32`	`32`