kinvolk · surajssd · Apr 2, 2020 · Apr 1, 2020 · Apr 2, 2020 · Apr 1, 2020
diff --git a/assets/lokomotive-kubernetes/aws/flatcar-linux/kubernetes/security.tf b/assets/lokomotive-kubernetes/aws/flatcar-linux/kubernetes/security.tf
@@ -335,3 +335,15 @@ resource "aws_security_group_rule" "worker-egress" {
   cidr_blocks      = ["0.0.0.0/0"]
   ipv6_cidr_blocks = ["::/0"]
 }
+
+resource "aws_security_group_rule" "worker-nodeport" {
+  count = var.expose_nodeports ? 1 : 0
+
+  security_group_id = aws_security_group.worker.id
+
+  type      = "ingress"
+  protocol  = "tcp"
+  from_port = 30000
+  to_port   = 32767
+  self      = true
+}
diff --git a/assets/lokomotive-kubernetes/aws/flatcar-linux/kubernetes/variables.tf b/assets/lokomotive-kubernetes/aws/flatcar-linux/kubernetes/variables.tf
@@ -15,6 +15,12 @@ variable "dns_zone_id" {
   description = "AWS Route53 DNS Zone ID (e.g. Z3PAABBCFAKEC0)"
 }
 
+variable "expose_nodeports" {
+  type        = bool
+  default     = false
+  description = "Expose node ports 30000-32767 in the security group"
+}
+
 # instances
 
 variable "controller_count" {

diff --git a/docs/configuration-reference/platforms/aws.md b/docs/configuration-reference/platforms/aws.md
@@ -85,6 +85,8 @@ cluster "aws" {
 
   dns_zone_id = route53_zone_id
 
+  expose_nodeports = false
+
   ssh_pubkeys = var.ssh_public_keys
 
   certs_validity_period_hours = 8760
@@ -178,6 +180,7 @@ worker_pool "my-worker-pool" {
 | `os_version`                  | Flatcar Container Linux version to install. Version such as "2303.3.1" or "current".                                                                                                       | "current"       | false    |
 | `dns_zone`                    | Route 53 DNS Zone.                                                                                                                                                                         | -               | true     |
 | `dns_zone_id`                 | Route 53 DNS Zone ID.                                                                                                                                                                      | -               | true     |
+| `expose_nodeports`            | Expose node ports `30000-32767` in the security group, if set to `true`.                                                                                                                   | false           | false    |
 | `ssh_pubkeys`                 | List of SSH public keys for user `core`. Each element must be specified in a valid OpenSSH public key format, as defined in RFC 4253 Section 6.6, e.g. "ssh-rsa AAAAB3N...".               | -               | true     |
 | `controller_count`            | Number of controller nodes.                                                                                                                                                                | 1               | false    |
 | `controller_type`             | AWS instance type for controllers.                                                                                                                                                         | "t3.small"      | false    |

diff --git a/docs/run-conformance-tests.md b/docs/run-conformance-tests.md
@@ -0,0 +1,15 @@
+# Conformance tests
+
+This document enumerates the steps required to run conformance tests for various platforms supported by Lokomotive.
+
+**Note**: There is only one caveat to consider when running tests for AWS. For other platforms you can run conformance tests without making special arrangements.
+
+## AWS
+
+For AWS you need to make sure that node ports are allowed in the security group. To do so make sure you set the `expose_nodeports` cluster property to `true` in the AWS config. Read more about this flag in the [AWS reference docs](configuration-reference/platforms/aws.md).
+
+To install the cluster on AWS follow the [AWS quick start guide](quickstarts/aws.md).
+
+## Running conformance tests
+
+Follow the canonical document [here](https://github.com/cncf/k8s-conformance/blob/master/instructions.md) which instructs on installing sonobuoy and running tests.
diff --git a/pkg/assets/generated_assets.go b/pkg/assets/generated_assets.go
diff --git a/pkg/platform/aws/aws.go b/pkg/platform/aws/aws.go
@@ -56,6 +56,7 @@ type config struct {
 	OSVersion                string            `hcl:"os_version,optional"`
 	DNSZone                  string            `hcl:"dns_zone"`
 	DNSZoneID                string            `hcl:"dns_zone_id"`
+	ExposeNodePorts          bool              `hcl:"expose_nodeports,optional"`
 	SSHPubKeys               []string          `hcl:"ssh_pubkeys"`
 	CredsPath                string            `hcl:"creds_path,optional"`
 	ControllerCount          int               `hcl:"controller_count,optional"`

diff --git a/pkg/platform/aws/template.go b/pkg/platform/aws/template.go
@@ -34,6 +34,10 @@ module "aws-{{.Config.ClusterName}}" {
   cluster_domain_suffix = "{{.Config.ClusterDomainSuffix}}"
   {{- end }}
 
+  {{- if .Config.ExposeNodePorts }}
+  expose_nodeports = {{.Config.ExposeNodePorts}}
+  {{- end }}
+
   ssh_keys  = {{$.SSHPublicKeys}}
   asset_dir = "../cluster-assets"