SecondaryControlPlaneLoadbalancer ingress rules not applied #4865

Closed
r4f4 opened this issue Mar 13, 2024 · 2 comments · Fixed by #4866
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-priority triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

r4f4 commented Mar 13, 2024

/kind bug

What steps did you take and what happened:
Ingress rules specified in the secondary load balancer are not applied.

What did you expect to happen:
All ingress rules to be applied.

Anything else you would like to add:
The following cluster spec:

	awsCluster := &capa.AWSCluster{
		Spec: capa.AWSClusterSpec{
			ControlPlaneLoadBalancer: &capa.AWSLoadBalancerSpec{
				Name:             ptr.To("internal"),
				LoadBalancerType: capa.LoadBalancerTypeNLB,
				Scheme:           &capa.ELBSchemeInternal,
				AdditionalListeners: []capa.AdditionalListenerSpec{
					{
						Port:     22623,
						Protocol: capa.ELBProtocolTCP,
					},
				},
				IngressRules: []capa.IngressRule{
					{
						Description: "Machine Config Server internal traffic from cluster",
						Protocol:    capa.SecurityGroupProtocolTCP,
						FromPort:    22623,
						ToPort:      22623,
						CidrBlocks:  []string{"10.0.0.0/16"},
					},
				},
			},
			SecondaryControlPlaneLoadBalancer: &capa.AWSLoadBalancerSpec{
				Name:             ptr.To("external"),
				LoadBalancerType: capa.LoadBalancerTypeNLB,
				Scheme:           &capa.ELBSchemeInternetFacing,
				IngressRules: []capa.IngressRule{
					{
						Description: "Kubernetes API Server traffic for public access",
						Protocol:    capa.SecurityGroupProtocolTCP,
						FromPort:    6443,
						ToPort:      6443,
						CidrBlocks:  []string{"0.0.0.0/0"},
					},
				},
			},
		},
	}

The allow-all rule on 6443 won't be applied to the security group.

Environment:

  • Cluster-api-provider-aws version: main @ b2bebfb
  • Kubernetes version: (use kubectl version): 1.29
  • OS (e.g. from /etc/os-release): RHCOS
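
An audit check for the symptom reported above, as an added example that is not part of the original issue or of the project's code: it compares the ingress rules declared per load balancer with the rules actually present on the security group and reports the ones that are missing. The `Rule` type, the `key` and `MissingRules` functions, the `"tcp"` protocol string and the sample values are hypothetical stand-ins constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Rule is a hypothetical stand-in mirroring the IngressRule fields shown in the issue.
type Rule struct {
	Description, Protocol string
	FromPort, ToPort      int64
	CidrBlocks            []string
}

// key ignores description and CIDR order so equivalent rules compare equal.
func key(r Rule) string {
	cidrs := append([]string(nil), r.CidrBlocks...)
	sort.Strings(cidrs)
	return fmt.Sprintf("%s/%d-%d/%s", r.Protocol, r.FromPort, r.ToPort, strings.Join(cidrs, ","))
}

// MissingRules returns, per load balancer name, the declared rules with no equivalent in applied.
func MissingRules(applied []Rule, declared map[string][]Rule) map[string][]Rule {
	have := make(map[string]bool, len(applied))
	for _, r := range applied {
		have[key(r)] = true
	}
	missing := map[string][]Rule{}
	for lb, rules := range declared {
		for _, r := range rules {
			if !have[key(r)] {
				missing[lb] = append(missing[lb], r)
			}
		}
	}
	return missing
}

func main() {
	// Constructed sample: both rules from the issue's spec are declared, only the primary one is applied.
	mcs := Rule{"Machine Config Server internal traffic from cluster", "tcp", 22623, 22623, []string{"10.0.0.0/16"}}
	api := Rule{"Kubernetes API Server traffic for public access", "tcp", 6443, 6443, []string{"0.0.0.0/0"}}
	declared := map[string][]Rule{"internal": {mcs}, "external": {api}}
	for lb, rules := range MissingRules([]Rule{mcs}, declared) {
		fmt.Printf("load balancer %q: %d declared rule(s) not applied: %+v\n", lb, len(rules), rules)
	}
}
```
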
@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Mar 13, 2024
nrb commented Mar 13, 2024

/assign
/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Mar 13, 2024
nrb commented Mar 13, 2024

/assign @r4f4
