The provider adds a 0.0.0.0/0 SG rule to Control Plane LB in unmanaged mode. #5196
Labels: kind/bug, priority/important-soon, triage/accepted
/kind bug
What steps did you take and what happened:
`0.0.0.0/0`
).

What did you expect to happen:
`spec.controlPlaneLoadBalancer.ingressRules`
field.

Anything else you would like to add:
In my test, the provider was configured to create a public NLB for the apiserver, and I had specified additional allowed source addresses via the AWSCluster `spec.controlPlaneLoadBalancer.ingressRules` field. I did some digging through the code, and CAPA adds the `0.0.0.0/0` rule if there are no NAT GW IPs available: https://github.com/kubernetes-sigs/cluster-api-provider-aws/blob/main/pkg/cloud/services/securitygroup/securitygroups.go#L951-L952

The NAT GW IPs are set on the `AWSCluster` status in `reconcileNatGateways()`, but this short circuits in unmanaged mode and doesn't attempt to detect the IPs associated with the pre-existing NAT Gateways: https://github.com/kubernetes-sigs/cluster-api-provider-aws/blob/main/pkg/cloud/services/network/natgateways.go#L41-L44
Environment:
- v2.6.1
- `kubectl version`: v1.29.8
- `/etc/os-release`:
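The practical question for anyone running CAPA in unmanaged mode with a public control plane LB is whether their LB security group has ended up with a world-open rule on the API server port, and which allowed sources are there beyond the ones they configured. The script below is an added example (not code from cluster-api-provider-aws): it audits the `SecurityGroups` list in the shape returned by `aws ec2 describe-security-groups`, flags any rule that lets `0.0.0.0/0` or `::/0` reach the API port, and diffs the actual sources against the set the operator intended (their `ingressRules` entries plus the NAT gateway addresses that should have been discovered). The port 6443, the group IDs, CIDRs and descriptions in the embedded sample are all constructed for the example.

```python
"""Audit security-group ingress rules for world-open access to the API server port.

Added example; not code from cluster-api-provider-aws. The input shape mirrors
the JSON returned by `aws ec2 describe-security-groups`; the sample data below
is constructed (group IDs, CIDRs and descriptions are made up).
"""
import ipaddress
import json
import sys

API_SERVER_PORT = 6443  # assumption: default Kubernetes API server port

# Constructed sample in describe-security-groups shape. The first group models a
# control-plane LB security group that carries both the operator's ingressRules
# entry and an unintended 0.0.0.0/0 rule; the second is an unrelated node group.
SAMPLE = {
    "SecurityGroups": [
        {
            "GroupId": "sg-0123456789abcdef0",
            "GroupName": "example-apiserver-lb",
            "IpPermissions": [
                {
                    "IpProtocol": "tcp",
                    "FromPort": 6443,
                    "ToPort": 6443,
                    "IpRanges": [
                        {"CidrIp": "203.0.113.0/24", "Description": "from ingressRules"},
                        {"CidrIp": "0.0.0.0/0", "Description": "unexpected"},
                    ],
                    "Ipv6Ranges": [],
                }
            ],
        },
        {
            "GroupId": "sg-0fedcba9876543210",
            "GroupName": "example-node",
            "IpPermissions": [
                {
                    "IpProtocol": "tcp",
                    "FromPort": 22,
                    "ToPort": 22,
                    "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
                    "Ipv6Ranges": [],
                }
            ],
        },
    ]
}


def _covers_port(perm, port):
    """True if an IpPermission entry matches TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _sources(perm):
    """Yield every IPv4/IPv6 CIDR listed as a source on an IpPermission entry."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def world_open_rules(security_groups, port=API_SERVER_PORT):
    """Return (group_id, protocol, cidr) for every rule that lets any address reach `port`."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not _covers_port(perm, port):
                continue
            for cidr in _sources(perm):
                # A /0 prefix (0.0.0.0/0 or ::/0) matches every address.
                if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                    findings.append((sg["GroupId"], perm["IpProtocol"], cidr))
    return findings


def unexpected_sources(security_groups, group_id, allowed_cidrs, port=API_SERVER_PORT):
    """CIDRs allowed to reach `port` on `group_id` that are not in the expected set.

    `allowed_cidrs` is what the operator intended: the ingressRules entries plus
    the NAT gateway addresses that should have been discovered.
    """
    allowed = {str(ipaddress.ip_network(c, strict=False)) for c in allowed_cidrs}
    actual = set()
    for sg in security_groups:
        if sg["GroupId"] != group_id:
            continue
        for perm in sg.get("IpPermissions", []):
            if _covers_port(perm, port):
                actual.update(str(ipaddress.ip_network(c, strict=False)) for c in _sources(perm))
    return sorted(actual - allowed)


if __name__ == "__main__":
    # Real data: aws ec2 describe-security-groups --group-ids <sg-id> | python3 sg_audit.py
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for group_id, proto, cidr in world_open_rules(data["SecurityGroups"]):
        print(f"{group_id}: {proto} port {API_SERVER_PORT} open to {cidr}")
```

Run without input it audits the constructed sample and reports the world-open rule on the LB group; piped the real `describe-security-groups` output for the control plane LB group, it shows whether the cluster is affected. `unexpected_sources` is the more useful check in practice, because a rule added from discovered NAT gateway addresses is legitimate while one that appeared because no addresses were discovered is not, and only the operator knows which CIDRs they expected.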