✨ Allow more permissive extensibility for securityRules and additional CP LoadBalancers

api/v1beta1/types.go

@@ -111,9 +111,23 @@
 	// +optional
 	ControlPlaneOutboundLB *LoadBalancerSpec `json:"controlPlaneOutboundLB,omitempty"`
 
+	// AdditionalAPIServerLBPorts specifies extra inbound ports for the APIServer load balancer.
+	// Each port specified (e.g., 9345) creates an inbound rule where the frontend port and the backend port are the same.
+	// +optional
+	AdditionalAPIServerLBPorts []LoadBalancerPort `json:"additionalAPIServerLBPorts,omitempty"`
+
 	NetworkClassSpec `json:",inline"`
 }
 
+// LoadBalancerPort specifies additional port for the API server load balancer.
+type LoadBalancerPort struct {
+	// Name for the additional port within LB definition
+	Name string `json:"name"`
+
+	// Port for the LB definition
+	Port int32 `json:"port"`
+}
+
 // VnetSpec configures an Azure virtual network.
 type VnetSpec struct {
 	// ResourceGroup is the name of the resource group of the existing virtual network
@@ -893,6 +907,17 @@
 	return false
 }
 
+// GetSecurityRuleByDestination returns security group rule, which matches provided destination ports.
+func (s SubnetSpec) GetSecurityRuleByDestination(port string) *SecurityRule {
+	for _, rule := range s.SecurityGroup.SecurityRules {
+		if rule.DestinationPorts != nil && *rule.DestinationPorts == port {
+			return &rule
+		}
+	}
+
+	return nil
+}
+
 // SecurityProfile specifies the Security profile settings for a
 // virtual machine or virtual machine scale set.
 type SecurityProfile struct {

api/v1beta1/types_template.go

@@ -75,6 +75,11 @@ type NetworkTemplateSpec struct {
 	// This is different from APIServerLB, and is used only in private clusters (optionally) for enabling outbound traffic.
 	// +optional
 	ControlPlaneOutboundLB *LoadBalancerClassSpec `json:"controlPlaneOutboundLB,omitempty"`
+
+	// AdditionalAPIServerLBPorts is the configuration for the additional inbound control-plane load balancer ports
+	// Each port specified (e.g., 9345) creates an inbound rule where the frontend port and the backend port are the same.
+	// +optional
+	AdditionalAPIServerLBPorts []LoadBalancerPort `json:"additionalAPIServerLBPorts,omitempty"`
 }
 
 // GetSubnetTemplate returns the subnet template based on the subnet role.

azure/scope/cluster.go

@@ -266,6 +266,7 @@ func (s *ClusterScope) LBSpecs() []azure.ResourceSpecGetter {
 			BackendPoolName:      s.APIServerLB().BackendPool.Name,
 			IdleTimeoutInMinutes: s.APIServerLB().IdleTimeoutInMinutes,
 			AdditionalTags:       s.AdditionalTags(),
+			AdditionalPorts:      s.AdditionalAPIServerLBPorts(),
 		}
 
 		if s.APIServerLB().FrontendIPs != nil {
@@ -299,6 +300,7 @@ func (s *ClusterScope) LBSpecs() []azure.ResourceSpecGetter {
 			BackendPoolName:      s.APIServerLB().BackendPool.Name + "-internal",
 			IdleTimeoutInMinutes: s.APIServerLB().IdleTimeoutInMinutes,
 			AdditionalTags:       s.AdditionalTags(),
+			AdditionalPorts:      s.AdditionalAPIServerLBPorts(),
 		}
 
 		privateIPFound := false
@@ -771,6 +773,11 @@ func (s *ClusterScope) ControlPlaneOutboundLB() *infrav1.LoadBalancerSpec {
 	return s.AzureCluster.Spec.NetworkSpec.ControlPlaneOutboundLB
 }
 
+// AdditionalAPIServerLBPorts returns the additional API server ports list.
+func (s *ClusterScope) AdditionalAPIServerLBPorts() []infrav1.LoadBalancerPort {
+	return s.AzureCluster.Spec.NetworkSpec.AdditionalAPIServerLBPorts
+}
+
 // APIServerLBName returns the API Server LB name.
 func (s *ClusterScope) APIServerLBName() string {
 	apiServerLB := s.APIServerLB()
@@ -1020,9 +1027,12 @@ func (s *ClusterScope) SetControlPlaneSecurityRules() {
 	if !s.ControlPlaneEnabled() {
 		return
 	}
-	if s.ControlPlaneSubnet().SecurityGroup.SecurityRules == nil {
-		subnet := s.ControlPlaneSubnet()
-		subnet.SecurityGroup.SecurityRules = infrav1.SecurityRules{
+
+	subnet := s.ControlPlaneSubnet()
+
+	missingSSH := subnet.GetSecurityRuleByDestination("22") == nil
+	if missingSSH {
+		subnet.SecurityGroup.SecurityRules = append(subnet.SecurityGroup.SecurityRules,
 			infrav1.SecurityRule{
 				Name:             "allow_ssh",
 				Description:      "Allow SSH",
@@ -1034,20 +1044,28 @@ func (s *ClusterScope) SetControlPlaneSecurityRules() {
 				Destination:      ptr.To("*"),
 				DestinationPorts: ptr.To("22"),
 				Action:           infrav1.SecurityRuleActionAllow,
-			},
-			infrav1.SecurityRule{
-				Name:             "allow_apiserver",
-				Description:      "Allow K8s API Server",
-				Priority:         2201,
-				Protocol:         infrav1.SecurityGroupProtocolTCP,
-				Direction:        infrav1.SecurityRuleDirectionInbound,
-				Source:           ptr.To("*"),
-				SourcePorts:      ptr.To("*"),
-				Destination:      ptr.To("*"),
-				DestinationPorts: ptr.To(strconv.Itoa(int(s.APIServerPort()))),
-				Action:           infrav1.SecurityRuleActionAllow,
-			},
-		}
+			})
+	}
+
+	port := strconv.Itoa(int(s.APIServerPort()))
+
+	missingAPIPort := subnet.GetSecurityRuleByDestination(port) == nil
+	if missingAPIPort {
+		subnet.SecurityGroup.SecurityRules = append(subnet.SecurityGroup.SecurityRules, infrav1.SecurityRule{
+			Name:             "allow_apiserver",
+			Description:      "Allow K8s API Server",
+			Priority:         2201,
+			Protocol:         infrav1.SecurityGroupProtocolTCP,
+			Direction:        infrav1.SecurityRuleDirectionInbound,
+			Source:           ptr.To("*"),
+			SourcePorts:      ptr.To("*"),
+			Destination:      ptr.To("*"),
+			DestinationPorts: ptr.To(port),
+			Action:           infrav1.SecurityRuleActionAllow,
+		})
+	}
+
+	if missingSSH || missingAPIPort {
 		s.AzureCluster.Spec.NetworkSpec.UpdateControlPlaneSubnet(subnet)
 	}
 }

azure/scope/cluster_test.go

@@ -242,50 +242,165 @@ func TestAPIServerHost(t *testing.T) {
 }
 
 func TestGettingSecurityRules(t *testing.T) {
-	g := NewWithT(t)
-
-	cluster := &clusterv1.Cluster{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "my-cluster",
-			Namespace: "default",
+	tests := []struct {
+		name              string
+		cluster           *clusterv1.Cluster
+		azureCluster      *infrav1.AzureCluster
+		expectedRuleCount int
+	}{
+		{
+			name: "default control plane subnet with no rules should have 2 security rules defaulted",
+			cluster: &clusterv1.Cluster{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "my-cluster",
+					Namespace: "default",
+				},
+			},
+			azureCluster: &infrav1.AzureCluster{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "my-azure-cluster",
+				},
+				Spec: infrav1.AzureClusterSpec{
+					AzureClusterClassSpec: infrav1.AzureClusterClassSpec{
+						SubscriptionID: "123",
+						IdentityRef: &corev1.ObjectReference{
+							Kind: infrav1.AzureClusterIdentityKind,
+						},
+					},
+					ControlPlaneEnabled: true,
+					NetworkSpec: infrav1.NetworkSpec{
+						Subnets: infrav1.Subnets{
+							{
+								SubnetClassSpec: infrav1.SubnetClassSpec{
+									Role: infrav1.SubnetNode,
+									Name: "node",
+								},
+							},
+						},
+					},
+				},
+			},
+			expectedRuleCount: 2,
 		},
-	}
-
-	azureCluster := &infrav1.AzureCluster{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "my-azure-cluster",
+		{
+			name: "additional rules are preserved",
+			cluster: &clusterv1.Cluster{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "my-cluster",
+					Namespace: "default",
+				},
+			},
+			azureCluster: &infrav1.AzureCluster{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "my-azure-cluster",
+				},
+				Spec: infrav1.AzureClusterSpec{
+					AzureClusterClassSpec: infrav1.AzureClusterClassSpec{
+						SubscriptionID: "123",
+						IdentityRef: &corev1.ObjectReference{
+							Kind: infrav1.AzureClusterIdentityKind,
+						},
+					},
+					ControlPlaneEnabled: true,
+					NetworkSpec: infrav1.NetworkSpec{
+						Subnets: infrav1.Subnets{
+							{
+								SecurityGroup: infrav1.SecurityGroup{
+									SecurityGroupClass: infrav1.SecurityGroupClass{
+										SecurityRules: []infrav1.SecurityRule{{
+											Name:             "allow_9345",
+											Description:      "Allow port 9345",
+											Priority:         2200,
+											Protocol:         infrav1.SecurityGroupProtocolTCP,
+											Direction:        infrav1.SecurityRuleDirectionInbound,
+											Source:           ptr.To("*"),
+											SourcePorts:      ptr.To("*"),
+											Destination:      ptr.To("*"),
+											DestinationPorts: ptr.To("9345"),
+											Action:           infrav1.SecurityRuleActionAllow,
+										}},
+									},
+								},
+								SubnetClassSpec: infrav1.SubnetClassSpec{
+									Role: infrav1.SubnetControlPlane,
+									Name: string(infrav1.SubnetControlPlane),
+								},
+							},
+						},
+					},
+				},
+			},
+			expectedRuleCount: 3,
 		},
-		Spec: infrav1.AzureClusterSpec{
-			AzureClusterClassSpec: infrav1.AzureClusterClassSpec{
-				SubscriptionID: "123",
-				IdentityRef: &corev1.ObjectReference{
-					Kind: infrav1.AzureClusterIdentityKind,
+		{
+			name: "override rules are accepted",
+			cluster: &clusterv1.Cluster{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "my-cluster",
+					Namespace: "default",
 				},
 			},
-			ControlPlaneEnabled: true,
-			NetworkSpec: infrav1.NetworkSpec{
-				Subnets: infrav1.Subnets{
-					{
-						SubnetClassSpec: infrav1.SubnetClassSpec{
-							Role: infrav1.SubnetNode,
-							Name: "node",
+			azureCluster: &infrav1.AzureCluster{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "my-azure-cluster",
+				},
+				Spec: infrav1.AzureClusterSpec{
+					AzureClusterClassSpec: infrav1.AzureClusterClassSpec{
+						SubscriptionID: "123",
+						IdentityRef: &corev1.ObjectReference{
+							Kind: infrav1.AzureClusterIdentityKind,
+						},
+					},
+					ControlPlaneEnabled: true,
+					NetworkSpec: infrav1.NetworkSpec{
+						Subnets: infrav1.Subnets{
+							{
+								SecurityGroup: infrav1.SecurityGroup{
+									SecurityGroupClass: infrav1.SecurityGroupClass{
+										SecurityRules: []infrav1.SecurityRule{{
+											Name:             "deny_ssh",
+											Description:      "Deny SSH",
+											Priority:         2200,
+											Protocol:         infrav1.SecurityGroupProtocolTCP,
+											Direction:        infrav1.SecurityRuleDirectionInbound,
+											Source:           ptr.To("*"),
+											SourcePorts:      ptr.To("*"),
+											Destination:      ptr.To("*"),
+											DestinationPorts: ptr.To("22"),
+											Action:           infrav1.SecurityRuleActionDeny,
+										}},
+									},
+								},
+								SubnetClassSpec: infrav1.SubnetClassSpec{
+									Role: infrav1.SubnetControlPlane,
+									Name: string(infrav1.SubnetControlPlane),
+								},
+							},
 						},
 					},
 				},
 			},
+			expectedRuleCount: 2,
 		},
 	}
-	azureCluster.Default()
 
-	clusterScope := &ClusterScope{
-		Cluster:      cluster,
-		AzureCluster: azureCluster,
-	}
-	clusterScope.SetControlPlaneSecurityRules()
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
 
-	subnet, err := clusterScope.AzureCluster.Spec.NetworkSpec.GetControlPlaneSubnet()
-	g.Expect(err).NotTo(HaveOccurred())
-	g.Expect(subnet.SecurityGroup.SecurityRules).To(HaveLen(2))
+			tt.azureCluster.Default()
+
+			clusterScope := &ClusterScope{
+				Cluster:      tt.cluster,
+				AzureCluster: tt.azureCluster,
+			}
+			clusterScope.SetControlPlaneSecurityRules()
+
+			subnet, err := clusterScope.AzureCluster.Spec.NetworkSpec.GetControlPlaneSubnet()
+			g.Expect(err).NotTo(HaveOccurred())
+			g.Expect(subnet.SecurityGroup.SecurityRules).To(HaveLen(tt.expectedRuleCount))
+		})
+	}
 }
 
 func TestPublicIPSpecs(t *testing.T) {