✨ Add EKS Control Plane private subnet restriction flag #5058
Conversation
k8s-ci-robot
added
release-note
k8s-ci-robot
added
cncf-cla: yes
|
Hi @jas-nik. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/cc @richardcase |
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
| func (r *AWSManagedControlPlane) validateFilterPrivateSubnets() field.ErrorList { | ||
| var allErrs field.ErrorList | ||
|
|
||
| if r.Spec.FilterPrivateSubnets { |
There was a problem hiding this comment.
I don't think we should do this check here. The subnet details are populated during reconciliation (if you don't explicitly set them) and so there will be no private subnets. We could do this check as part of the reconciliation instead,
There was a problem hiding this comment.
could you link me to the reconcile logic? Are you referring to the cluster.go reconcileVpcConfig?
There was a problem hiding this comment.
jas-nik
changed the title
jas-nik
changed the title
|
/milestone v2.6.0 |
k8s-ci-robot
added
the
lgtm
k8s-ci-robot
removed
the
lgtm
|
@richardcase TestFuzzyConversion seems to be failing without updating conversion.go:241:
&v1beta2.AWSManagedControlPlane{
TypeMeta: {},
ObjectMeta: {Name: "WČ皚蓊żC躟Xƻz甹義ɐ_", GenerateName: `\f7芃ɍm尰±ğ愅q鱁炭Ô荌Ŗ洀`, Namespace: "媮wJŜø,ì¸郌ʮYHȈ!", SelfLink: "Ƙ挊苹沚{BɜO6WN嘖嫿跽Rm", ...},
Spec: v1beta2.AWSManagedControlPlaneSpec{
... // 23 identical fields
OIDCIdentityProviderConfig: &{ClientID: "掠糼8+3ȱ镯鱁B+Ǜ", GroupsClaim: &"先Ʌ禓鑠ĢȮǍ鑈僨y闉", IdentityProviderConfigName: "蠝?硻Ğƴs]嶨/礓G<鳮歜žFkêA", IssuerURL: "ÿö顕Ųɻ¶誸ȿc羄窜蜫<ǦǣŝȤ", ...},
VpcCni: {Env: {}},
- RestrictPrivateSubnets: true,
+ RestrictPrivateSubnets: false,
KubeProxy: {},
},
Status: {Network: {APIServerELB: {ARN: `瀧"÷岥_Cɩ`, Name: "铱5髄", DNSName: "ɴ贬ǔc%!M(MISSING) 墏薩FȪ钮后ɚ算âs", Scheme: s"DŽY", ...}, SecondaryAPIServerELB: {ARN: "ĈȸR%!胩(MISSING)@ńnZH9腣M顷", Name: "c", DNSName: "賄", Scheme: s"ɞ釛FŴ嚾dz|筻ŰD^", ...}}, Bastion: &{ID: "薞梮怐ń6ĠņƂ8[ɧƪ;楡", State: "釴lƪX-l½@ɞȊȴTf罏c", Type: "p甞ONj鷂ƣ蔟iH疖漫åO-欮d焾祄", SubnetID: `褦龁ȌƆŤy颤ġɑ,\QƸǞtčʡȇ`, ...}, OIDCProvider: {ARN: "7稔湩@n筲沤0#ƶ潴鸟ƷQ", TrustPolicy: `a垯dzqƍƼÁ蹏ʦ鯚ĩ\ŭ猔]Õ侵Ɍ`}, Addons: {{Name: "俥ʘ&nIã4", Version: "靽,HO鰒廥;铢鮌磴娟釫*", ARN: "D5醦躴_ā秚胕Ȳ", ServiceAccountRoleArn: &"ǎ", ...}}, ...},
}
Expected
<bool>: false
to be true
--- FAIL: TestFuzzyConversion (3.92s)
--- FAIL: TestFuzzyConversion/for_AWSManagedControlPlane (3.91s)
--- PASS: TestFuzzyConversion/for_AWSManagedControlPlane/spoke-hub-spoke (3.91s)
--- FAIL: TestFuzzyConversion/for_AWSManagedControlPlane/hub-spoke-hub (0.00s)
FAIL
FAIL sigs.k8s.io/cluster-api-provider-aws/v2/controlplane/eks/api/v1beta1 4.073s |
k8s-ci-robot
added
the
do-not-merge/hold
|
/remove-hold |
k8s-ci-robot
removed
the
do-not-merge/hold
|
/lgtm |
k8s-ci-robot
added
the
lgtm
I see you got it sorted. The Fuzzy tests are a pain when you first enouncter them. /approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: richardcase The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
What type of PR is this?
/kind feature
Add flag to enable private subnet filter for EKS Control Plane network configuration
What this PR does / why we need it:
In a scenario where Bastion host needs to be provisioned, a public subnet is required to be specified in Control Plane spec. Specifying the public subnet in the Control Plane Network spec will attach it to the EKS Control Plane. For security reasons, users might not prefer to attach public subnets to EKS control plane. This flag will provide the ability to restrict only the private subnets attachment to EKS control plane even if public subnets are specified in the EKS Control Plane Network configuration.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #
Special notes for your reviewer:
Checklist:
Release note:
cc: @richardcase