Allow securing api LB, only allowing traffic from required sources #4406
Conversation
Hi @fiunchinho. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Once the patch is verified, the new status will be reflected by the ok-to-test label. I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/ok-to-test
/retest
/retest
/retest
/retest
/test pull-cluster-api-provider-aws-e2e-eks
/retest
/test pull-cluster-api-provider-aws-e2e-eks
Uh, why did the APIDiff thing start to fail?
I don't know :/ The job output is not very helpful.
@fiunchinho What was your latest commit? It's squashed so I don't know. :) It didn't fail before.
I'd say it's this. But what is the job complaining about? What's the change in the API?
Ah, try running
Nothing changes.
Usually that api-diff says that there is a backwards incompatible change between two API versions. I suggest reverting that commit, or try looking in the other packages for that same commit and change it also there.
Looking at the output of the job, I don't think there is a backwards incompatible change.
I think it should be ok to merge.
These are the incompatible changes:
But that's not the API, is it? Isn't the job supposed to look for incompatible changes in the facing API, like changes inm
No. You modified the interface by adding two new functions. Which means that this change is now backwards incompatible, since people requiring that interface will have broken code. I'm not sure how we usually deal with changes like these. @richardcase @Ankitasw ?
Generally we don't add API changes to the existing API version; we wait for the API version bump, as these APIs are exposed, and the clusters of people who are already using the latest CAPA version would break if they are using these exposed APIs. I would suggest we wait for the v1beta3 API for this change, but I would also defer to @richardcase
There are 2 types of API changes going on here, the k8s CRD change and changes to exported Go packages. The new With the other changes to the scopes that apidiff is complaining about. Historically, even though we have apidiff, we haven't guaranteed not breaking the Go API for people that have imported the packages directly (we should probably revisit this decision and also the use of /override pull-cluster-api-provider-aws-apidiff-main
@richardcase: Overrode contexts on behalf of richardcase: pull-cluster-api-provider-aws-apidiff-main In response to this:
Sounds good. Thanks, Richard!
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Skarlso The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/cherry-pick release-2.2
@Ankitasw: new pull request created: #4496 In response to this:
What type of PR is this?
/kind bug
What this PR does / why we need it:
In PR #4304 we introduced the possibility of passing custom ingress rules that would be applied to the api Load Balancer security group, so that users could specify more granular rules (for example, allowing traffic only from company VPNs) instead of allowing traffic from everywhere.
But the api Load Balancer needs to always allow traffic coming from the kubelet, or the cluster won't work.
In this PR, I'm changing the logic so that the custom ingress rules are appended to a set of basic rules that will always be added to make sure the kubelet can talk to the api Load Balancer. This set of basic rules will be different depending on whether the Load Balancer is an internet-facing or an internal one:
- internet-facing LB: we allow the public IPs of the NAT Gateways.
- internal LB: we allow the workload cluster VPC CIDR.
Special notes for your reviewer:
Checklist:
Release note:
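The baseline-plus-custom rule merge described in the PR description, as an added Go example that is not the PR's or CAPA's own code: the `IngressRule` type, `apiPort` and `APILoadBalancerIngress` are assumed, simplified names, and the IP and CIDR values are constructed samples.

```go
package main

import (
	"fmt"
	"net"
)

// IngressRule is a hypothetical, simplified security-group ingress rule (not CAPA's own type).
type IngressRule struct {
	Description string
	Protocol    string
	FromPort    int
	ToPort      int
	CidrBlocks  []string
}

const apiPort = 6443 // assumed API server / LB listener port

// APILoadBalancerIngress builds the API LB ingress list: a baseline rule that must
// always exist so kubelets can reach the API (NAT gateway public IPs as /32s for an
// internet-facing LB, the workload cluster VPC CIDR for an internal LB), followed by
// the user's custom rules, appended, never substituted. Bad input fails loudly.
func APILoadBalancerIngress(scheme string, natGatewayIPs []string, vpcCIDR string, custom []IngressRule) ([]IngressRule, error) {
	base := IngressRule{Description: "Kubernetes API baseline (" + scheme + ")", Protocol: "tcp", FromPort: apiPort, ToPort: apiPort}
	switch scheme {
	case "internet-facing":
		for _, ip := range natGatewayIPs {
			if p := net.ParseIP(ip); p == nil || p.To4() == nil {
				return nil, fmt.Errorf("invalid NAT gateway IPv4 address %q", ip)
			}
			base.CidrBlocks = append(base.CidrBlocks, ip+"/32")
		}
		if len(base.CidrBlocks) == 0 {
			return nil, fmt.Errorf("internet-facing LB requires at least one NAT gateway IP")
		}
	case "internal":
		if _, _, err := net.ParseCIDR(vpcCIDR); err != nil {
			return nil, fmt.Errorf("invalid VPC CIDR %q: %w", vpcCIDR, err)
		}
		base.CidrBlocks = []string{vpcCIDR}
	default:
		return nil, fmt.Errorf("unknown load balancer scheme %q", scheme)
	}
	return append([]IngressRule{base}, custom...), nil
}

func main() { // constructed sample: internet-facing LB, one NAT gateway, no custom rules
	fmt.Println(APILoadBalancerIngress("internet-facing", []string{"198.51.100.10"}, "", nil))
}
```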