Security group rule "Node Port Services" can be more restrictive #3314

@vincepri

Description

When creating a new AWSCluster, part of the infrastructure is creating Security Groups for machines to use.

Currently, the Node Port Services security group allows access from any IP. Should we consider making this bit configurable to a set of pre-defined CIDR blocks, or allow the VPC CIDRs by default?

```go
{
	Description: "Node Port Services",
	Protocol:    infrav1.SecurityGroupProtocolTCP,
	FromPort:    30000,
	ToPort:      32767,
	CidrBlocks:  []string{services.AnyIPv4CidrBlock}, // 0.0.0.0/0: every source address is admitted
},
```

/area security
/kind bug
/assign @sedefsavas
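As an added example (not code from the issue or from cluster-api-provider-aws), the following Go program shows the defender's side of this report: a check that flags any ingress rule whose port range overlaps the NodePort range (30000-32767) while admitting 0.0.0.0/0 or ::/0, and a helper that rewrites such a rule to a supplied allow-list such as the VPC CIDR. The `IngressRule` type, the `AnyIPv4CidrBlock` constant, and the sample rule set are simplified, constructed stand-ins that mirror the field names in the quoted snippet; they are not the provider's real `infrav1` types or values. The checker generalises beyond the single rule in the issue: it catches partial overlaps of the NodePort range and IPv6 wildcards as well.

```go
package main

import (
	"fmt"
	"net"
)

// IngressRule is a constructed, simplified mirror of the field layout in the
// issue's snippet. It is not the provider's infrav1.IngressRule type.
type IngressRule struct {
	Description string
	Protocol    string
	FromPort    int64
	ToPort      int64
	CidrBlocks  []string
}

// AnyIPv4CidrBlock stands in for the wildcard CIDR the issue refers to
// (assumed value, matching "allows access from any IP").
const AnyIPv4CidrBlock = "0.0.0.0/0"

// Default kube-apiserver NodePort range, as quoted in the rule.
const (
	nodePortLow  int64 = 30000
	nodePortHigh int64 = 32767
)

// cidrIsWorldOpen reports whether a CIDR admits every address in its family,
// i.e. has a zero-length prefix (0.0.0.0/0 or ::/0).
func cidrIsWorldOpen(cidr string) (bool, error) {
	_, ipnet, err := net.ParseCIDR(cidr)
	if err != nil {
		return false, err
	}
	ones, _ := ipnet.Mask.Size()
	return ones == 0, nil
}

// FindWorldOpenNodePortRules returns the descriptions of rules that expose any
// part of the NodePort range to a world-open CIDR. A malformed CIDR is
// surfaced as an error instead of being skipped, so a typo cannot hide a hole.
func FindWorldOpenNodePortRules(rules []IngressRule) ([]string, error) {
	var findings []string
	for _, r := range rules {
		// Skip rules whose port range does not touch the NodePort range.
		if r.ToPort < nodePortLow || r.FromPort > nodePortHigh {
			continue
		}
		for _, c := range r.CidrBlocks {
			open, err := cidrIsWorldOpen(c)
			if err != nil {
				return nil, fmt.Errorf("rule %q: %w", r.Description, err)
			}
			if open {
				findings = append(findings, r.Description)
				break
			}
		}
	}
	return findings, nil
}

// RestrictToCIDRs returns a copy of rule in which every world-open CIDR is
// replaced (once) by the allow-list; non-wildcard entries are preserved.
func RestrictToCIDRs(rule IngressRule, allowed []string) (IngressRule, error) {
	out := rule
	out.CidrBlocks = nil
	replaced := false
	for _, c := range rule.CidrBlocks {
		open, err := cidrIsWorldOpen(c)
		if err != nil {
			return IngressRule{}, fmt.Errorf("rule %q: %w", rule.Description, err)
		}
		if open {
			if !replaced {
				out.CidrBlocks = append(out.CidrBlocks, allowed...)
				replaced = true
			}
			continue
		}
		out.CidrBlocks = append(out.CidrBlocks, c)
	}
	return out, nil
}

// sampleRules is a constructed rule set: the NodePort rule from the issue plus
// a second, already-restricted rule so the checker has something to ignore.
func sampleRules() []IngressRule {
	return []IngressRule{
		{Description: "Node Port Services", Protocol: "tcp", FromPort: 30000, ToPort: 32767, CidrBlocks: []string{AnyIPv4CidrBlock}},
		{Description: "Kubelet API (constructed)", Protocol: "tcp", FromPort: 10250, ToPort: 10250, CidrBlocks: []string{"10.0.0.0/16"}},
	}
}

func main() {
	rules := sampleRules()
	findings, err := FindWorldOpenNodePortRules(rules)
	if err != nil {
		panic(err)
	}
	fmt.Println("world-open NodePort rules:", findings)

	// Rewrite the offending rule to the (constructed) VPC CIDR and re-check.
	fixed, err := RestrictToCIDRs(rules[0], []string{"10.0.0.0/16"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("restricted rule: %+v\n", fixed)
	after, _ := FindWorldOpenNodePortRules([]IngressRule{fixed})
	fmt.Println("findings after restriction:", len(after))
}
```

The overlap test (`ToPort < low || FromPort > high`) is deliberately range-based rather than an exact match on 30000-32767, so a rule that opens 1-65535 or 32000-40000 to the world is reported too; the allow-list argument is where the issue's two proposals (operator-supplied CIDRs, or the VPC CIDR as default) would be plugged in.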

Metadata

Labels

- area/security: Issues or PRs related to security
- kind/bug: Categorizes issue or PR as related to a bug.
- lifecycle/rotten: Denotes an issue or PR that has aged beyond stale and will be auto-closed.
- needs-triage: Indicates an issue or PR lacks a `triage/foo` label and requires one.
- priority/important-longterm: Important over the long term, but may not be staffed and/or may need multiple releases to complete.
