

Add port range restriction for SG (kubernetes-sigs#2236)
* add port range restriction

* add CIDRs tests and add flag check on model_build_target_group

* simplify computeRestrictedIngressPermissionsPerSG
oliviassss authored Sep 21, 2021
1 parent 862890a commit 92445ac
Showing 9 changed files with 669 additions and 85 deletions.
2 changes: 1 addition & 1 deletion controllers/ingress/group_controller.go
Expand Up @@ -57,7 +57,7 @@ func NewGroupReconciler(cloud aws.Cloud, k8sClient client.Client, eventRecorder
annotationParser, subnetsResolver,
authConfigBuilder, enhancedBackendBuilder, trackingProvider, elbv2TaggingManager,
cloud.VpcID(), config.ClusterName, config.DefaultTags, config.ExternalManagedTags,
config.DefaultSSLPolicy, backendSGProvider, config.EnableBackendSecurityGroup, logger)
config.DefaultSSLPolicy, backendSGProvider, config.EnableBackendSecurityGroup, config.DisableRestrictedSGRules, logger)
stackMarshaller := deploy.NewDefaultStackMarshaller()
stackDeployer := deploy.NewDefaultStackDeployer(cloud, k8sClient, networkingSGManager, networkingSGReconciler,
config, ingressTagPrefix, logger)
2 changes: 1 addition & 1 deletion main.go
Expand Up @@ -107,7 +107,7 @@ func main() {
subnetResolver := networking.NewDefaultSubnetsResolver(azInfoProvider, cloud.EC2(), cloud.VpcID(), controllerCFG.ClusterName, ctrl.Log.WithName("subnets-resolver"))
vpcResolver := networking.NewDefaultVPCResolver(cloud.EC2(), cloud.VpcID(), ctrl.Log.WithName("vpc-resolver"))
tgbResManager := targetgroupbinding.NewDefaultResourceManager(mgr.GetClient(), cloud.ELBV2(), cloud.EC2(),
podInfoRepo, sgManager, sgReconciler, cloud.VpcID(), controllerCFG.ClusterName, mgr.GetEventRecorderFor("targetGroupBinding"), ctrl.Log, controllerCFG.EnableEndpointSlices)
podInfoRepo, sgManager, sgReconciler, cloud.VpcID(), controllerCFG.ClusterName, mgr.GetEventRecorderFor("targetGroupBinding"), ctrl.Log, controllerCFG.EnableEndpointSlices, controllerCFG.DisableRestrictedSGRules)
backendSGProvider := networking.NewBackendSGProvider(controllerCFG.ClusterName, controllerCFG.BackendSecurityGroup,
cloud.VpcID(), cloud.EC2(), mgr.GetClient(), ctrl.Log.WithName("backend-sg-provider"))
ingGroupReconciler := ingress.NewGroupReconciler(cloud, mgr.GetClient(), mgr.GetEventRecorderFor("ingress"),
8 changes: 8 additions & 0 deletions pkg/config/controller_config.go
Expand Up @@ -23,12 +23,14 @@ const (
flagEnableBackendSG = "enable-backend-security-group"
flagBackendSecurityGroup = "backend-security-group"
flagEnableEndpointSlices = "enable-endpoint-slices"
flagDisableRestrictedSGRules = "disable-restricted-sg-rules"
defaultLogLevel = "info"
defaultMaxConcurrentReconciles = 3
defaultMaxExponentialBackoffDelay = time.Second * 1000
defaultSSLPolicy = "ELBSecurityPolicy-2016-08"
defaultEnableBackendSG = true
defaultEnableEndpointSlices = false
defaultDisableRestrictedSGRules = false
)

var (
Expand Down Expand Up @@ -84,6 +86,9 @@ type ControllerConfig struct {
// BackendSecurityGroups specifies the configured backend security group to use
// for optimized security group rules
BackendSecurityGroup string

// DisableRestrictedSGRules specifies whether to use restricted security group rules
DisableRestrictedSGRules bool
}

// BindFlags binds the command line flags to the fields in the config object
Expand All @@ -109,6 +114,9 @@ func (cfg *ControllerConfig) BindFlags(fs *pflag.FlagSet) {
"Backend security group id to use for the ingress rules on the worker node SG")
fs.BoolVar(&cfg.EnableEndpointSlices, flagEnableEndpointSlices, defaultEnableEndpointSlices,
"Enable EndpointSlices for IP targets instead of Endpoints")
fs.BoolVar(&cfg.DisableRestrictedSGRules, flagDisableRestrictedSGRules, defaultDisableRestrictedSGRules,
"Disable the usage of restricted security group rules")

cfg.AWSConfig.BindFlags(fs)
cfg.RuntimeConfig.BindFlags(fs)

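Review bot: The field comment `// DisableRestrictedSGRules specifies whether to use restricted security group rules` reads as the opposite of what a true value does; the flag disables the restriction, so a reader skimming the config struct gets the polarity wrong. Suggest `// DisableRestrictedSGRules, when true, keeps the broad backend-SG ingress rule instead of restricting it to the target group and health check ports; the default (false) applies the restricted rules.` The help string passed to fs.BoolVar would benefit from the same wording so operators see the effect of opting out at the CLI. Both the const block and BindFlags extend beyond the hunk.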
58 changes: 44 additions & 14 deletions pkg/ingress/model_build_target_group.go
Expand Up @@ -53,7 +53,7 @@ func (t *defaultModelBuildTask) buildTargetGroupBinding(ctx context.Context, tg

func (t *defaultModelBuildTask) buildTargetGroupBindingSpec(ctx context.Context, tg *elbv2model.TargetGroup, svc *corev1.Service, port intstr.IntOrString, nodeSelector *metav1.LabelSelector) elbv2model.TargetGroupBindingResourceSpec {
targetType := elbv2api.TargetType(tg.Spec.TargetType)
tgbNetworking := t.buildTargetGroupBindingNetworking(ctx)
tgbNetworking := t.buildTargetGroupBindingNetworking(ctx, tg.Spec.Port, *tg.Spec.HealthCheckConfig.Port)
return elbv2model.TargetGroupBindingResourceSpec{
Template: elbv2model.TargetGroupBindingTemplate{
ObjectMeta: metav1.ObjectMeta{
Expand All @@ -74,29 +74,59 @@ func (t *defaultModelBuildTask) buildTargetGroupBindingSpec(ctx context.Context,
}
}

func (t *defaultModelBuildTask) buildTargetGroupBindingNetworking(ctx context.Context) *elbv2model.TargetGroupBindingNetworking {
func (t *defaultModelBuildTask) buildTargetGroupBindingNetworking(ctx context.Context, targetGroupPort int64, healthCheckPort intstr.IntOrString) *elbv2model.TargetGroupBindingNetworking {
if t.backendSGIDToken == nil {
return nil
}
protocolTCP := elbv2api.NetworkingProtocolTCP
return &elbv2model.TargetGroupBindingNetworking{
Ingress: []elbv2model.NetworkingIngressRule{
{
From: []elbv2model.NetworkingPeer{
{
SecurityGroup: &elbv2model.SecurityGroup{
GroupID: t.backendSGIDToken,
if t.disableRestrictedSGRules {
return &elbv2model.TargetGroupBindingNetworking{
Ingress: []elbv2model.NetworkingIngressRule{
{
From: []elbv2model.NetworkingPeer{
{
SecurityGroup: &elbv2model.SecurityGroup{
GroupID: t.backendSGIDToken,
},
},
},
Ports: []elbv2api.NetworkingPort{
{
Protocol: &protocolTCP,
Port: nil,
},
},
},
Ports: []elbv2api.NetworkingPort{
{
Protocol: &protocolTCP,
Port: nil,
},
}
}
var networkingPorts []elbv2api.NetworkingPort
var networkingRules []elbv2model.NetworkingIngressRule
tgPort := intstr.FromInt(int(targetGroupPort))
networkingPorts = append(networkingPorts, elbv2api.NetworkingPort{
Protocol: &protocolTCP,
Port: &tgPort,
})
if healthCheckPort.String() != healthCheckPortTrafficPort {
networkingPorts = append(networkingPorts, elbv2api.NetworkingPort{
Protocol: &protocolTCP,
Port: &healthCheckPort,
})
}
for _, port := range networkingPorts {
networkingRules = append(networkingRules, elbv2model.NetworkingIngressRule{
From: []elbv2model.NetworkingPeer{
{
SecurityGroup: &elbv2model.SecurityGroup{
GroupID: t.backendSGIDToken,
},
},
},
},
Ports: []elbv2api.NetworkingPort{port},
})
}
return &elbv2model.TargetGroupBindingNetworking{
Ingress: networkingRules,
}
}

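Review bot: `*tg.Spec.HealthCheckConfig.Port` in buildTargetGroupBindingSpec dereferences the health check port unconditionally; if that pointer can be nil for a target group whose health check config was left at defaults, building the binding panics instead of falling back to the traffic port. A guard such as `hcPort := intstr.FromString(healthCheckPortTrafficPort)` followed by `if tg.Spec.HealthCheckConfig.Port != nil { hcPort = *tg.Spec.HealthCheckConfig.Port }` keeps the restricted rule set on the traffic port alone, which buildTargetGroupBindingNetworking already treats as the default case (whether HealthCheckConfig itself is a pointer that also needs checking is not visible here). The rewritten buildTargetGroupBindingNetworking also has no doc comment; a header stating that with restricted rules enabled, ingress from the backend SG is limited to the target group port plus a distinct health check port, and that with disableRestrictedSGRules set the single `Port: nil` rule is kept, would make the flag's security effect explicit. Note that a string-valued (named) health check port is forwarded as-is into the networking rule; whether the downstream SG reconciler resolves named ports cannot be confirmed from this hunk. buildTargetGroupBindingSpec's body continues past the hunk.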
112 changes: 58 additions & 54 deletions pkg/ingress/model_builder.go
Expand Up @@ -40,29 +40,30 @@ func NewDefaultModelBuilder(k8sClient client.Client, eventRecorder record.EventR
authConfigBuilder AuthConfigBuilder, enhancedBackendBuilder EnhancedBackendBuilder,
trackingProvider tracking.Provider, elbv2TaggingManager elbv2deploy.TaggingManager,
vpcID string, clusterName string, defaultTags map[string]string, externalManagedTags []string, defaultSSLPolicy string,
backendSGProvider networkingpkg.BackendSGProvider, enableBackendSG bool, logger logr.Logger) *defaultModelBuilder {
backendSGProvider networkingpkg.BackendSGProvider, enableBackendSG bool, disableRestrictedSGRules bool, logger logr.Logger) *defaultModelBuilder {
certDiscovery := NewACMCertDiscovery(acmClient, logger)
ruleOptimizer := NewDefaultRuleOptimizer(logger)
return &defaultModelBuilder{
k8sClient: k8sClient,
eventRecorder: eventRecorder,
ec2Client: ec2Client,
vpcID: vpcID,
clusterName: clusterName,
annotationParser: annotationParser,
subnetsResolver: subnetsResolver,
backendSGProvider: backendSGProvider,
certDiscovery: certDiscovery,
authConfigBuilder: authConfigBuilder,
enhancedBackendBuilder: enhancedBackendBuilder,
ruleOptimizer: ruleOptimizer,
trackingProvider: trackingProvider,
elbv2TaggingManager: elbv2TaggingManager,
defaultTags: defaultTags,
externalManagedTags: sets.NewString(externalManagedTags...),
defaultSSLPolicy: defaultSSLPolicy,
enableBackendSG: enableBackendSG,
logger: logger,
k8sClient: k8sClient,
eventRecorder: eventRecorder,
ec2Client: ec2Client,
vpcID: vpcID,
clusterName: clusterName,
annotationParser: annotationParser,
subnetsResolver: subnetsResolver,
backendSGProvider: backendSGProvider,
certDiscovery: certDiscovery,
authConfigBuilder: authConfigBuilder,
enhancedBackendBuilder: enhancedBackendBuilder,
ruleOptimizer: ruleOptimizer,
trackingProvider: trackingProvider,
elbv2TaggingManager: elbv2TaggingManager,
defaultTags: defaultTags,
externalManagedTags: sets.NewString(externalManagedTags...),
defaultSSLPolicy: defaultSSLPolicy,
enableBackendSG: enableBackendSG,
disableRestrictedSGRules: disableRestrictedSGRules,
logger: logger,
}
}

Expand All @@ -77,19 +78,20 @@ type defaultModelBuilder struct {
vpcID string
clusterName string

annotationParser annotations.Parser
subnetsResolver networkingpkg.SubnetsResolver
backendSGProvider networkingpkg.BackendSGProvider
certDiscovery CertDiscovery
authConfigBuilder AuthConfigBuilder
enhancedBackendBuilder EnhancedBackendBuilder
ruleOptimizer RuleOptimizer
trackingProvider tracking.Provider
elbv2TaggingManager elbv2deploy.TaggingManager
defaultTags map[string]string
externalManagedTags sets.String
defaultSSLPolicy string
enableBackendSG bool
annotationParser annotations.Parser
subnetsResolver networkingpkg.SubnetsResolver
backendSGProvider networkingpkg.BackendSGProvider
certDiscovery CertDiscovery
authConfigBuilder AuthConfigBuilder
enhancedBackendBuilder EnhancedBackendBuilder
ruleOptimizer RuleOptimizer
trackingProvider tracking.Provider
elbv2TaggingManager elbv2deploy.TaggingManager
defaultTags map[string]string
externalManagedTags sets.String
defaultSSLPolicy string
enableBackendSG bool
disableRestrictedSGRules bool

logger logr.Logger
}
Expand All @@ -98,22 +100,23 @@ type defaultModelBuilder struct {
func (b *defaultModelBuilder) Build(ctx context.Context, ingGroup Group) (core.Stack, *elbv2model.LoadBalancer, error) {
stack := core.NewDefaultStack(core.StackID(ingGroup.ID))
task := &defaultModelBuildTask{
k8sClient: b.k8sClient,
eventRecorder: b.eventRecorder,
ec2Client: b.ec2Client,
vpcID: b.vpcID,
clusterName: b.clusterName,
annotationParser: b.annotationParser,
subnetsResolver: b.subnetsResolver,
certDiscovery: b.certDiscovery,
authConfigBuilder: b.authConfigBuilder,
enhancedBackendBuilder: b.enhancedBackendBuilder,
ruleOptimizer: b.ruleOptimizer,
trackingProvider: b.trackingProvider,
elbv2TaggingManager: b.elbv2TaggingManager,
backendSGProvider: b.backendSGProvider,
logger: b.logger,
enableBackendSG: b.enableBackendSG,
k8sClient: b.k8sClient,
eventRecorder: b.eventRecorder,
ec2Client: b.ec2Client,
vpcID: b.vpcID,
clusterName: b.clusterName,
annotationParser: b.annotationParser,
subnetsResolver: b.subnetsResolver,
certDiscovery: b.certDiscovery,
authConfigBuilder: b.authConfigBuilder,
enhancedBackendBuilder: b.enhancedBackendBuilder,
ruleOptimizer: b.ruleOptimizer,
trackingProvider: b.trackingProvider,
elbv2TaggingManager: b.elbv2TaggingManager,
backendSGProvider: b.backendSGProvider,
logger: b.logger,
enableBackendSG: b.enableBackendSG,
disableRestrictedSGRules: b.disableRestrictedSGRules,

ingGroup: ingGroup,
stack: stack,
Expand Down Expand Up @@ -163,11 +166,12 @@ type defaultModelBuildTask struct {
elbv2TaggingManager elbv2deploy.TaggingManager
logger logr.Logger

ingGroup Group
sslRedirectConfig *SSLRedirectConfig
stack core.Stack
backendSGIDToken core.StringToken
enableBackendSG bool
ingGroup Group
sslRedirectConfig *SSLRedirectConfig
stack core.Stack
backendSGIDToken core.StringToken
enableBackendSG bool
disableRestrictedSGRules bool

defaultTags map[string]string
externalManagedTags sets.String
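Review bot: NewDefaultModelBuilder now takes two adjacent positional booleans, `enableBackendSG bool, disableRestrictedSGRules bool`, which makes the call sites in group_controller.go easy to get wrong when the next flag is threaded through. Since both values already come from ControllerConfig, passing the relevant config (or a small options struct) instead of unpacking each field would keep the constructor signature stable and name the values at the call site. The new `disableRestrictedSGRules` fields on defaultModelBuilder and defaultModelBuildTask also carry no comment; `// disableRestrictedSGRules keeps the broad backend-SG ingress rule instead of per-port rules` on each would tie them to the flag. Both struct definitions extend beyond their hunks.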
