Merge pull request openshift#8462 from patrickdillon/OCPBUGS-34389-ssh-private

openshift-merge-bot[bot] · web-flow · commit c8febae25f62 · 2024-05-24T16:38:55.000Z
OCPBUGS-34389: aws/cluster: restrict SSH on private clusters
diff --git a/pkg/asset/manifests/aws/cluster.go b/pkg/asset/manifests/aws/cluster.go
@@ -14,7 +14,6 @@ import (
 	"github.com/openshift/installer/pkg/asset/installconfig"
 	"github.com/openshift/installer/pkg/asset/machines/aws"
 	"github.com/openshift/installer/pkg/asset/manifests/capiutils"
-	"github.com/openshift/installer/pkg/types"
 )
 
 // BootstrapSSHDescription is the description for the
@@ -31,6 +30,11 @@ func GenerateClusterAssets(ic *installconfig.InstallConfig, clusterID *installco
 		return nil, fmt.Errorf("failed to get user tags: %w", err)
 	}
 
+	sshRuleCidr := []string{"0.0.0.0/0"}
+	if !ic.Config.PublicAPI() {
+		sshRuleCidr = []string{capiutils.CIDRFromInstallConfig(ic).String()}
+	}
+
 	awsCluster := &capa.AWSCluster{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      clusterID.InfraID,
@@ -142,7 +146,7 @@ func GenerateClusterAssets(ic *installconfig.InstallConfig, clusterID *installco
 						Protocol:    capa.SecurityGroupProtocolTCP,
 						FromPort:    22,
 						ToPort:      22,
-						CidrBlocks:  []string{"0.0.0.0/0"},
+						CidrBlocks:  sshRuleCidr,
 					},
 				},
 			},
@@ -193,7 +197,7 @@ func GenerateClusterAssets(ic *installconfig.InstallConfig, clusterID *installco
 	}
 	awsCluster.SetGroupVersionKind(capa.GroupVersion.WithKind("AWSCluster"))
 
-	if ic.Config.Publish == types.ExternalPublishingStrategy {
+	if ic.Config.PublicAPI() {
 		awsCluster.Spec.SecondaryControlPlaneLoadBalancer = &capa.AWSLoadBalancerSpec{
 			Name:                   ptr.To(clusterID.InfraID + "-ext"),
 			LoadBalancerType:       capa.LoadBalancerTypeNLB,
diff --git a/pkg/types/installconfig.go b/pkg/types/installconfig.go
@@ -591,3 +591,16 @@ func ClusterAPIFeatureGateEnabled(platform string, fgs featuregates.FeatureGate)
 		return false
 	}
 }
+
+// PublicAPI indicates whether the API load balancer should be public
+// by inspecting the cluster and operator publishing strategies.
+func (c *InstallConfig) PublicAPI() bool {
+	if c.Publish == ExternalPublishingStrategy {
+		return true
+	}
+
+	if op := c.OperatorPublishingStrategy; op != nil && strings.EqualFold(op.APIServer, "External") {
+		return true
+	}
+	return false
+}
