Skip to content

✨ Feature: restrict API Server LB access via IPs #1247

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 15, 2022
Merged

✨ Feature: restrict API Server LB access via IPs #1247

merged 1 commit into from
Jun 15, 2022

Conversation

@bavarianbidi
Copy link
Contributor

@bavarianbidi bavarianbidi commented May 23, 2022
edited
Loading

Access to API-Server can be restricted by setting allowedCidrs on spec.APIServerLoadBalancer.AllowedCIDRs.

Behavior:

  1. outgoing NAT Router-IPs is now part of the status:

    cluster-api-provider-openstack/pkg/cloud/services/networking/router.go

    Lines 73 to 83 in 9830f57

    routerIPs := []string{}
    for _, ip := range router.GatewayInfo.ExternalFixedIPs {
    routerIPs = append(routerIPs, ip.IPAddress)
    }
    openStackCluster.Status.Network.Router = &infrav1.Router{
    Name: router.Name,
    ID: router.ID,
    Tags: router.Tags,
    IPs: routerIPs,
    }
  2. once spec.APIServerLoadBalancer.AllowedCIDRs changed (create/update), CAPO will fetch all known required IP addresses from spec and status and will generate a new list of allowed CIDRs

    cluster-api-provider-openstack/pkg/cloud/services/loadbalancer/loadbalancer.go

    Lines 193 to 207 in 9830f57

    if len(openStackCluster.Spec.APIServerLoadBalancer.AllowedCIDRs) > 0 {
    allowedCIDRs = append(allowedCIDRs, openStackCluster.Spec.APIServerLoadBalancer.AllowedCIDRs...)
    if openStackCluster.Spec.Bastion.Enabled {
    allowedCIDRs = append(allowedCIDRs, openStackCluster.Status.Bastion.FloatingIP, openStackCluster.Status.Bastion.IP)
    }
    if openStackCluster.Status.Network.Subnet.CIDR != "" {
    allowedCIDRs = append(allowedCIDRs, openStackCluster.Status.Network.Subnet.CIDR)
    }
    if len(openStackCluster.Status.Network.Router.IPs) > 0 {
    allowedCIDRs = append(allowedCIDRs, openStackCluster.Status.Network.Router.IPs...)
    }
    }
  3. after allowed_cidrs on OpenStack are updated on the corresponding listener, the list of applied CIDRs will be written back to the status

    cluster-api-provider-openstack/pkg/cloud/services/loadbalancer/loadbalancer.go

    Lines 113 to 119 in 9830f57

    openStackCluster.Status.Network.APIServerLoadBalancer = &infrav1.LoadBalancer{
    Name: lb.Name,
    ID: lb.ID,
    InternalIP: lb.VipAddress,
    IP: lbFloatingIP,
    AllowedCIDRs: allowedCIDRs,
    }

Conclusion:

  • only one additional request towards openstack - whenever the on OpenSTack applied CIDRs differes from the spec
  • spec.APIServerLoadBalancer.AllowedCIDRs is now mutable

Open questions:

  1. IP/CIDR validation during cluster-spec editing ?
    current implementation doesn't validate IPs during creation/editing of cluster-spec. IP validation will be done afterwards and non-valid IPs will get removed.
    Is this ok or should we already validate the CIDRs in the webhook?

Signed-off-by: Mario Constanti [email protected]

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #1045

Special notes for your reviewer:

With

cluster-api-provider-openstack/api/v1alpha4/conversion.go

Lines 36 to 40 in 9830f57

// Manually restore data.
restored := &infrav1.OpenStackCluster{}
if ok, err := utilconversion.UnmarshalData(r, restored); err != nil || !ok {
return err
}
and

cluster-api-provider-openstack/api/v1alpha4/conversion.go

Lines 62 to 65 in 9830f57

// Preserve Hub data on down-conversion except for metadata
if err := utilconversion.MarshalData(src, r); err != nil {
return err
}
we will now get the cluster.x-k8s.io/conversion-data Annotation if we query CAPO-related resources in a previous CAPO-Version.

This is currently missing but needed in general.
E.g. compare the output of k get cluster.v1alpha4.cluster.x-k8s.io and k get cluster.v1beta1.cluster.x-k8s.io where conversion is fine versus CAPO - e.g. k get osc.v1alpha4.infrastructure.cluster.x-k8s.io where we don't have the cluster.x-k8s.io/conversion-data annotation yet.

xref: SIG Cluster Lifecycle - ClusterAPI - API conversion code walkthrough

TODOs:

  • squashed commits
  • includes documentation
  • adds unit tests

/hold

@k8s-ci-robot k8s-ci-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels May 23, 2022
@netlify
Copy link

netlify bot commented May 23, 2022
edited
Loading

Deploy Preview for kubernetes-sigs-cluster-api-openstack ready!

Name Link
🔨 Latest commit e78f0b8
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-sigs-cluster-api-openstack/deploys/62a6ce30ed7f740008cd0542
😎 Deploy Preview https://deploy-preview-1247--kubernetes-sigs-cluster-api-openstack.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site settings.

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented May 23, 2022

Hi @bavarianbidi. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label May 23, 2022
@k8s-ci-robot k8s-ci-robot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label May 23, 2022
@bavarianbidi bavarianbidi mentioned this pull request May 23, 2022
Closed
2 tasks
@jichenjc
Copy link
Contributor

jichenjc commented May 23, 2022

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 23, 2022
@apricote apricote mentioned this pull request May 25, 2022
Merged
@jichenjc
Copy link
Contributor

jichenjc commented May 27, 2022

/test pull-cluster-api-provider-openstack-test

@bavarianbidi
Copy link
Contributor Author

bavarianbidi commented May 27, 2022

@bavarianbidi: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-cluster-api-provider-openstack-test 12abd16 link true /test pull-cluster-api-provider-openstack-test
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

wondering why this test doesn't fail on my local machine 🤷 will fix it on monday

@jichenjc
Copy link
Contributor

jichenjc commented May 30, 2022

looks like this is Fuzzy test failure :) so need check the Convert function failure
so local test might pass because of lucky ?

@bavarianbidi bavarianbidi force-pushed the firewall_restriction_on_api_lb branch from 12abd16 to 8922a62 Compare May 30, 2022 04:58
@bavarianbidi
Copy link
Contributor Author

bavarianbidi commented May 30, 2022
edited
Loading

looks like this is Fuzzy test failure :) so need check the Convert function failure so local test might pass because of lucky ?

had to rebase again, as openstackclustertemplate conversion was added 5 days ago. I guess some caching issues in the test-instance ¯\_(ツ)_/¯

seanschneeweiss
seanschneeweiss reviewed Jun 1, 2022
View reviewed changes
Copy link
Contributor

@seanschneeweiss seanschneeweiss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very nice. Thanks a lot for the documentation too. This is a great feature.

jichenjc
jichenjc reviewed Jun 1, 2022
View reviewed changes
apricote
apricote reviewed Jun 2, 2022
View reviewed changes
@k8s-ci-robot k8s-ci-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Jun 8, 2022
tobiasgiese
tobiasgiese reviewed Jun 12, 2022
View reviewed changes
Copy link
Member

@tobiasgiese tobiasgiese left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this great contribution! 👌🏻

@bavarianbidi
Feature: restrict API Server LB access
e78f0b8 
* Access to API-Server can be restricted by setting allowedCidrs on
  spec.APIServerLoadBalancer.AllowedCIDRs field
* Default LB provider is set to amphora if multiple providers exist.
  Features like access restriction via IPs is only supported in amphora.
* Outgoing NAT Router-IPs are now part of the OpenStackCluster status.
* To support the entire feature set of conversion, the
  cluster.x-k8s.io/conversion-data annotation got introduced if quering
objects in a previous api version.
* make generate now regenerate the mock loadbalancer_service client if
  needed

Signed-off-by: Mario Constanti <[email protected]>
@bavarianbidi bavarianbidi force-pushed the firewall_restriction_on_api_lb branch from 463c45f to e78f0b8 Compare June 13, 2022 05:42
@bavarianbidi bavarianbidi requested a review from tobiasgiese June 13, 2022 05:46
@jichenjc
Copy link
Contributor

jichenjc commented Jun 13, 2022

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 13, 2022
@tobiasgiese
Copy link
Member

tobiasgiese commented Jun 13, 2022

/approve

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Jun 13, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bavarianbidi, tobiasgiese

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 13, 2022
@bavarianbidi
Copy link
Contributor Author

bavarianbidi commented Jun 15, 2022

/unhold

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 15, 2022
@k8s-ci-robot k8s-ci-robot merged commit 217844f into kubernetes-sigs:main Jun 15, 2022
@Xenwar Xenwar mentioned this pull request Jun 19, 2022
Closed
@bavarianbidi bavarianbidi mentioned this pull request Jun 23, 2022
Merged
15 tasks
@apricote apricote mentioned this pull request Aug 24, 2022
Merged
3 tasks
@bavarianbidi bavarianbidi mentioned this pull request Sep 7, 2022
Closed
@nikParasyr nikParasyr mentioned this pull request Jan 12, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@apricote apricote Awaiting requested review from apricote

@seanschneeweiss seanschneeweiss Awaiting requested review from seanschneeweiss

@jichenjc jichenjc Awaiting requested review from jichenjc

@tobiasgiese tobiasgiese Awaiting requested review from tobiasgiese

Assignees

@jichenjc jichenjc

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Introduce an easy way to limit access to k8s api when ManagedAPIServerLoadBalancer: true

6 participants

@bavarianbidi @k8s-ci-robot @jichenjc @tobiasgiese @apricote @seanschneeweiss