diff --git a/api/hypershift/v1alpha1/hostedcluster_types.go b/api/hypershift/v1alpha1/hostedcluster_types.go
index cbbea5a13e2..dcf843a1421 100644
--- a/api/hypershift/v1alpha1/hostedcluster_types.go
+++ b/api/hypershift/v1alpha1/hostedcluster_types.go
@@ -1987,8 +1987,8 @@ type PlatformStatus struct {
// AWSPlatformStatus contains status specific to the AWS platform
type AWSPlatformStatus struct {
// DefaultWorkerSecurityGroupID is the ID of a security group created by
- // the control plane operator. It is used for NodePools that don't specify a
- // security group.
+ // the control plane operator. It is always added to worker machines in
+ // addition to any security groups specified in the NodePool.
// +optional
DefaultWorkerSecurityGroupID string `json:"defaultWorkerSecurityGroupID,omitempty"`
}
diff --git a/api/hypershift/v1beta1/hostedcluster_types.go b/api/hypershift/v1beta1/hostedcluster_types.go
index 4eb1f142618..2fde6a28162 100644
--- a/api/hypershift/v1beta1/hostedcluster_types.go
+++ b/api/hypershift/v1beta1/hostedcluster_types.go
@@ -2086,8 +2086,8 @@ type PlatformStatus struct {
// AWSPlatformStatus contains status specific to the AWS platform
type AWSPlatformStatus struct {
// DefaultWorkerSecurityGroupID is the ID of a security group created by
- // the control plane operator. It is used for NodePools that don't specify a
- // security group.
+ // the control plane operator. It is always added to worker machines in
+ // addition to any security groups specified in the NodePool.
// +optional
DefaultWorkerSecurityGroupID string `json:"defaultWorkerSecurityGroupID,omitempty"`
}
diff --git a/cmd/cluster/aws/create.go b/cmd/cluster/aws/create.go
index 3bab999313d..d9c04cab8d1 100644
--- a/cmd/cluster/aws/create.go
+++ b/cmd/cluster/aws/create.go
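Review bot: The new sentence in the v1beta1 hunk says the group "is always added", but it omits the consequence that matters to anyone tightening worker exposure: a NodePool can no longer opt out of it, so the ingress and egress rules of the operator-created group apply to every worker even when the pool lists its own groups, and the append in awsMachineTemplateSpec appears to be gated by that function's `defaultSG` argument rather than unconditional. I would close the comment with `// A NodePool cannot opt out of this group; its rules apply to every worker` followed by `// alongside the NodePool's own security groups.` The v1alpha1 hunk on this line and the two vendored copies later in the diff carry the same text and should get the same wording. AWSPlatformStatus is fully contained in the hunk.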
@@ -223,7 +223,6 @@ func applyPlatformSpecificsValues(ctx context.Context, exampleOptions *apifixtur
Region: infra.Region,
Zones: zones,
VPCID: infra.VPCID,
- SecurityGroupID: infra.SecurityGroupID,
InstanceProfile: iamInfo.ProfileName,
InstanceType: instanceType,
Roles: iamInfo.Roles,
diff --git a/cmd/infra/aws/create.go b/cmd/infra/aws/create.go
index e433958c5b4..1cdab442821 100644
--- a/cmd/infra/aws/create.go
+++ b/cmd/infra/aws/create.go
@@ -54,7 +54,6 @@ type CreateInfraOutput struct {
MachineCIDR string `json:"machineCIDR"`
VPCID string `json:"vpcID"`
Zones []*CreateInfraOutputZone `json:"zones"`
- SecurityGroupID string `json:"securityGroupID"`
Name string `json:"Name"`
BaseDomain string `json:"baseDomain"`
BaseDomainPrefix string `json:"baseDomainPrefix"`
@@ -179,10 +178,6 @@ func (o *CreateInfraOptions) CreateInfra(ctx context.Context, l logr.Logger) (*C
if err != nil {
return nil, err
}
- result.SecurityGroupID, err = o.CreateWorkerSecurityGroup(ec2Client, result.VPCID)
- if err != nil {
- return nil, err
- }
// Per zone resources
var endpointRouteTableIds []*string
diff --git a/cmd/infra/aws/ec2_sg.go b/cmd/infra/aws/ec2_sg.go
deleted file mode 100644
index f783d944ecc..00000000000
--- a/cmd/infra/aws/ec2_sg.go
+++ /dev/null
@@ -1,157 +0,0 @@ -package aws - -import ( - "errors" - "fmt" - "time" - - "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/aws/awserr" - "github.com/aws/aws-sdk-go/service/ec2" - "github.com/aws/aws-sdk-go/service/ec2/ec2iface" - "github.com/openshift/hypershift/cmd/log" - "github.com/openshift/hypershift/support/awsutil" - - "k8s.io/apimachinery/pkg/util/wait" - "k8s.io/client-go/util/retry" -) - -const duplicatePermissionErrorCode = "InvalidPermission.Duplicate" - -func (o *CreateInfraOptions) CreateWorkerSecurityGroup(client ec2iface.EC2API, vpcID string) (string, error) { - backoff := wait.Backoff{ - Steps: 10, - Duration: 3 * time.Second, - Factor: 1.0, - Jitter: 0.1, - } - groupName := fmt.Sprintf("%s-worker-sg", o.InfraID) - securityGroup, err := o.existingSecurityGroup(client, groupName) - if err != nil { - return "", err - } - if securityGroup == nil { - result, err := client.CreateSecurityGroup(&ec2.CreateSecurityGroupInput{ - GroupName: aws.String(groupName), - Description: aws.String("worker security group"), - VpcId: aws.String(vpcID), - TagSpecifications: o.ec2TagSpecifications("security-group", groupName), - }) - if err != nil { - return "", fmt.Errorf("cannot create worker security group: %w", err) - } - var sgResult *ec2.DescribeSecurityGroupsOutput - err = retry.OnError(backoff, func(error) bool { return true }, func() error { - var err error - sgResult, err = client.DescribeSecurityGroups(&ec2.DescribeSecurityGroupsInput{ - GroupIds: []*string{result.GroupId}, - }) - if err != nil || len(sgResult.SecurityGroups) == 0 { - return fmt.Errorf("not found yet") - } - return nil - }) - if err != nil { - return "", fmt.Errorf("cannot find security group that was just created (%s)", aws.StringValue(result.GroupId)) - } - securityGroup = sgResult.SecurityGroups[0] - log.Log.Info("Created security group", "name", groupName, "id", aws.StringValue(securityGroup.GroupId)) - } else { - log.Log.Info("Found existing security group", "name", 
groupName, "id", aws.StringValue(securityGroup.GroupId)) - } - securityGroupID := aws.StringValue(securityGroup.GroupId) - sgUserID := aws.StringValue(securityGroup.OwnerId) - egressPermissions := awsutil.DefaultWorkerSGEgressRules() - ingressPermissions := awsutil.DefaultWorkerSGIngressRules(DefaultCIDRBlock, securityGroupID, sgUserID) - - var egressToAuthorize []*ec2.IpPermission - var ingressToAuthorize []*ec2.IpPermission - - for _, permission := range egressPermissions { - if !includesPermission(securityGroup.IpPermissionsEgress, permission) { - egressToAuthorize = append(egressToAuthorize, permission) - } - } - - for _, permission := range ingressPermissions { - if !includesPermission(securityGroup.IpPermissions, permission) { - ingressToAuthorize = append(ingressToAuthorize, permission) - } - } - - if len(egressToAuthorize) > 0 { - err = retry.OnError(backoff, func(error) bool { return true }, func() error { - _, err := client.AuthorizeSecurityGroupEgress(&ec2.AuthorizeSecurityGroupEgressInput{ - GroupId: aws.String(securityGroupID), - IpPermissions: egressToAuthorize, - }) - var awsErr awserr.Error - if err != nil { - if errors.As(err, &awsErr) { - // only return an error if the permission has not already been set - if awsErr.Code() != duplicatePermissionErrorCode { - return fmt.Errorf("cannot apply security group egress permissions: %w", err) - } - } - } - return nil - }) - if err != nil { - return "", err - } - log.Log.Info("Authorized egress rules on security group", "id", securityGroupID) - } - if len(ingressToAuthorize) > 0 { - err = retry.OnError(backoff, func(error) bool { return true }, func() error { - _, err := client.AuthorizeSecurityGroupIngress(&ec2.AuthorizeSecurityGroupIngressInput{ - GroupId: aws.String(securityGroupID), - IpPermissions: ingressToAuthorize, - }) - var awsErr awserr.Error - if err != nil { - if errors.As(err, &awsErr) { - // only return an error if the permission has not already been set - if awsErr.Code() != 
duplicatePermissionErrorCode { - return fmt.Errorf("cannot apply security group ingress permissions: %w", err) - } - } - } - return nil - }) - if err != nil { - return "", err - } - log.Log.Info("Authorized ingress rules on security group", "id", securityGroupID) - } - return securityGroupID, nil -} - -func (o *CreateInfraOptions) existingSecurityGroup(client ec2iface.EC2API, name string) (*ec2.SecurityGroup, error) { - result, err := client.DescribeSecurityGroups(&ec2.DescribeSecurityGroupsInput{Filters: o.ec2Filters(name)}) - if err != nil { - return nil, fmt.Errorf("cannot list security groups: %w", err) - } - for _, sg := range result.SecurityGroups { - return sg, nil - } - return nil, nil -} - -func includesPermission(list []*ec2.IpPermission, permission *ec2.IpPermission) bool { - for _, p := range list { - if samePermission(p, permission) { - return true - } - } - return false -} - -func samePermission(a, b *ec2.IpPermission) bool { - if a == nil || b == nil { - return false - } - if a.String() == b.String() { - return true - } - return false -} diff --git a/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedclusters.yaml b/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedclusters.yaml index abb9d8fa89e..861b74af5b1 100644 --- a/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedclusters.yaml +++ b/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedclusters.yaml @@ -4036,8 +4036,8 @@ spec: defaultWorkerSecurityGroupID: description: |- DefaultWorkerSecurityGroupID is the ID of a security group created by - the control plane operator. It is used for NodePools that don't specify a - security group. + the control plane operator. It is always added to worker machines in + addition to any security groups specified in the NodePool. type: string type: object type: object 
@@ -8296,8 +8296,8 @@ spec:
defaultWorkerSecurityGroupID:
description: |-
DefaultWorkerSecurityGroupID is the ID of a security group created by
- the control plane operator. It is used for NodePools that don't specify a
- security group.
+ the control plane operator. It is always added to worker machines in
+ addition to any security groups specified in the NodePool.
type: string
type: object
type: object
diff --git a/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedcontrolplanes.yaml b/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedcontrolplanes.yaml
index 75c80f0c8c3..f64dc31b74e 100644
--- a/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedcontrolplanes.yaml
+++ b/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedcontrolplanes.yaml
@@ -4035,8 +4035,8 @@ spec:
defaultWorkerSecurityGroupID:
description: |-
DefaultWorkerSecurityGroupID is the ID of a security group created by
- the control plane operator. It is used for NodePools that don't specify a
- security group.
+ the control plane operator. It is always added to worker machines in
+ addition to any security groups specified in the NodePool.
type: string
type: object
type: object
@@ -8265,8 +8265,8 @@ spec:
defaultWorkerSecurityGroupID:
description: |-
DefaultWorkerSecurityGroupID is the ID of a security group created by
- the control plane operator. It is used for NodePools that don't specify a
- security group.
+ the control plane operator. It is always added to worker machines in
+ addition to any security groups specified in the NodePool.
type: string
type: object
type: object
diff --git a/docs/content/reference/api.md b/docs/content/reference/api.md
index caa14c848af..43d6c5f7eb5 100644
--- a/docs/content/reference/api.md
+++ b/docs/content/reference/api.md
@@ -1484,8 +1484,8 @@ string (Optional)

DefaultWorkerSecurityGroupID is the ID of a security group created by -the control plane operator. It is used for NodePools that don’t specify a -security group.

+the control plane operator. It is always added to worker machines in +addition to any security groups specified in the NodePool.

diff --git a/examples/fixtures/example.go b/examples/fixtures/example.go
index 7c4f508e7f7..497ab62ee7c 100644
--- a/examples/fixtures/example.go
+++ b/examples/fixtures/example.go
@@ -636,11 +636,6 @@ func (o ExampleOptions) Resources() *ExampleResources {
Subnet: &hyperv1.AWSResourceReference{
ID: zone.SubnetID,
},
- SecurityGroups: []hyperv1.AWSResourceReference{
- {
- ID: &o.AWS.SecurityGroupID,
- },
- },
RootVolume: &hyperv1.Volume{
Size: o.AWS.RootVolumeSize,
Type: o.AWS.RootVolumeType,
diff --git a/examples/fixtures/example_aws.go b/examples/fixtures/example_aws.go
index d4cb6f8a230..da8f4d7b9a7 100644
--- a/examples/fixtures/example_aws.go
+++ b/examples/fixtures/example_aws.go
@@ -8,7 +8,6 @@ type ExampleAWSOptions struct {
Region string
Zones []ExampleAWSOptionsZones
VPCID string
- SecurityGroupID string
InstanceProfile string
InstanceType string
Roles hyperv1.AWSRolesRef
diff --git a/hack/app-sre/saas_template.yaml b/hack/app-sre/saas_template.yaml
index 11510b49828..7cc4e66b894 100644
--- a/hack/app-sre/saas_template.yaml
+++ b/hack/app-sre/saas_template.yaml
@@ -40347,8 +40347,8 @@ objects:
defaultWorkerSecurityGroupID:
description: |-
DefaultWorkerSecurityGroupID is the ID of a security group created by
- the control plane operator. It is used for NodePools that don't specify a
- security group.
+ the control plane operator. It is always added to worker machines in
+ addition to any security groups specified in the NodePool.
type: string
type: object
type: object
@@ -44624,8 +44624,8 @@ objects:
defaultWorkerSecurityGroupID:
description: |-
DefaultWorkerSecurityGroupID is the ID of a security group created by
- the control plane operator. It is used for NodePools that don't specify a
- security group.
+ the control plane operator. It is always added to worker machines in
+ addition to any security groups specified in the NodePool.
type: string
type: object
type: object
@@ -49089,8 +49089,8 @@ objects:
defaultWorkerSecurityGroupID:
description: |-
DefaultWorkerSecurityGroupID is the ID of a security group created by
- the control plane operator. It is used for NodePools that don't specify a
- security group.
+ the control plane operator. It is always added to worker machines in
+ addition to any security groups specified in the NodePool.
type: string
type: object
type: object
@@ -53336,8 +53336,8 @@ objects:
defaultWorkerSecurityGroupID:
description: |-
DefaultWorkerSecurityGroupID is the ID of a security group created by
- the control plane operator. It is used for NodePools that don't specify a
- security group.
+ the control plane operator. It is always added to worker machines in
+ addition to any security groups specified in the NodePool.
type: string
type: object
type: object
diff --git a/hypershift-operator/controllers/nodepool/aws.go b/hypershift-operator/controllers/nodepool/aws.go
index 185b3e12444..c9b12f4652b 100644
--- a/hypershift-operator/controllers/nodepool/aws.go
+++ b/hypershift-operator/controllers/nodepool/aws.go
@@ -55,7 +55,7 @@ func awsMachineTemplateSpec(infraName, ami string, hostedCluster *hyperv1.Hosted
securityGroups := []capiaws.AWSResourceReference{}
for _, sg := range nodePool.Spec.Platform.AWS.SecurityGroups {
- filters := []capiaws.Filter{}
+ var filters []capiaws.Filter
for _, f := range sg.Filters {
filters = append(filters, capiaws.Filter{
Name: f.Name,
@@ -67,7 +67,7 @@ func awsMachineTemplateSpec(infraName, ami string, hostedCluster *hyperv1.Hosted
Filters: filters,
})
}
- if len(securityGroups) == 0 && defaultSG {
+ if defaultSG {
if hostedCluster.Status.Platform == nil || hostedCluster.Status.Platform.AWS == nil || hostedCluster.Status.Platform.AWS.DefaultWorkerSecurityGroupID == "" {
return nil, &NotReadyError{fmt.Errorf("the default security group for the HostedCluster has not been created")}
}
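Review bot: With `if defaultSG {` no longer guarded by `len(securityGroups) == 0`, a NodePool that already references the cluster default group by ID ends up with that ID twice in AdditionalSecurityGroups, because nothing in the hunk inspects the list before the default is appended (the append itself, implied by the new test expectation, lies past the end of the hunk; awsMachineTemplateSpec continues outside it). Whether EC2 tolerates a repeated group ID in the resulting RunInstances request is not something this diff shows, so dedupe before appending rather than rely on it. The `var filters []capiaws.Filter` change also turns an empty filter list from `[]` into nil, which only matters if the capiaws `Filters` field is serialized without omitempty — worth a glance at that type. A minimal dedupe, placed right after the NotReady check:

```go
	if defaultSG {
		if hostedCluster.Status.Platform == nil || hostedCluster.Status.Platform.AWS == nil || hostedCluster.Status.Platform.AWS.DefaultWorkerSecurityGroupID == "" {
			return nil, &NotReadyError{fmt.Errorf("the default security group for the HostedCluster has not been created")}
		}
		defaultID := hostedCluster.Status.Platform.AWS.DefaultWorkerSecurityGroupID
		alreadyListed := false
		for _, sg := range securityGroups {
			if sg.ID != nil && *sg.ID == defaultID {
				alreadyListed = true
				break
			}
		}
		// … unchanged: the existing append of the default group, now skipped when alreadyListed …
```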
diff --git a/hypershift-operator/controllers/nodepool/aws_test.go b/hypershift-operator/controllers/nodepool/aws_test.go
index 75028137e76..591348b9563 100644
--- a/hypershift-operator/controllers/nodepool/aws_test.go
+++ b/hypershift-operator/controllers/nodepool/aws_test.go
@@ -29,7 +29,7 @@ func TestAWSMachineTemplate(t *testing.T) {
testCases := []struct {
name string
cluster hyperv1.HostedClusterSpec
- clusterStatus hyperv1.HostedClusterStatus
+ clusterStatus *hyperv1.HostedClusterStatus
nodePool hyperv1.NodePoolSpec
expected *capiaws.AWSMachineTemplate
checkError func(*testing.T, error)
@@ -45,8 +45,7 @@ func TestAWSMachineTemplate(t *testing.T) {
Platform: hyperv1.NodePoolPlatform{
Type: hyperv1.AWSPlatform,
AWS: &hyperv1.AWSNodePoolPlatform{
- RootVolume: &volume,
- SecurityGroups: defaultSG,
+ RootVolume: &volume,
},
},
Release: hyperv1.Release{},
@@ -57,7 +56,6 @@ func TestAWSMachineTemplate(t *testing.T) {
{
name: "Tags from nodepool get copied",
nodePool: hyperv1.NodePoolSpec{Platform: hyperv1.NodePoolPlatform{AWS: &hyperv1.AWSNodePoolPlatform{
- SecurityGroups: defaultSG,
ResourceTags: []hyperv1.AWSResourceTag{
{Key: "key", Value: "value"},
},
@@ -74,7 +72,7 @@ func TestAWSMachineTemplate(t *testing.T) {
{Key: "key", Value: "value"},
},
}}},
- nodePool: hyperv1.NodePoolSpec{Platform: hyperv1.NodePoolPlatform{AWS: &hyperv1.AWSNodePoolPlatform{SecurityGroups: defaultSG}}},
+ nodePool: hyperv1.NodePoolSpec{Platform: hyperv1.NodePoolPlatform{AWS: &hyperv1.AWSNodePoolPlatform{}}},
expected: defaultAWSMachineTemplate(func(tmpl *capiaws.AWSMachineTemplate) {
tmpl.Spec.Template.Spec.AdditionalTags["key"] = "value"
@@ -89,7 +87,6 @@ func TestAWSMachineTemplate(t *testing.T) {
},
}}},
nodePool: hyperv1.NodePoolSpec{Platform: hyperv1.NodePoolPlatform{AWS: &hyperv1.AWSNodePoolPlatform{
- SecurityGroups: defaultSG,
ResourceTags: []hyperv1.AWSResourceTag{
{Key: "nodepool-only", Value: "value"},
{Key: "cluster-and-nodepool", Value: "nodepool"},
@@ -104,23 +101,23 @@ func TestAWSMachineTemplate(t *testing.T) {
},
{
name: "Cluster default sg is used when none specified",
- clusterStatus: hyperv1.HostedClusterStatus{Platform: &hyperv1.PlatformStatus{AWS: &hyperv1.AWSPlatformStatus{DefaultWorkerSecurityGroupID: "cluster-default"}}},
+ clusterStatus: &hyperv1.HostedClusterStatus{Platform: &hyperv1.PlatformStatus{AWS: &hyperv1.AWSPlatformStatus{DefaultWorkerSecurityGroupID: "cluster-default"}}},
expected: defaultAWSMachineTemplate(func(tmpl *capiaws.AWSMachineTemplate) {
tmpl.Spec.Template.Spec.AdditionalSecurityGroups = []capiaws.AWSResourceReference{{ID: k8sutilspointer.String("cluster-default")}}
}),
},
{
- name: "NodePool sg is preferred to cluster default",
- clusterStatus: hyperv1.HostedClusterStatus{Platform: &hyperv1.PlatformStatus{AWS: &hyperv1.AWSPlatformStatus{DefaultWorkerSecurityGroupID: "cluster-default"}}},
+ name: "NodePool sg is used in addition to cluster default",
nodePool: hyperv1.NodePoolSpec{Platform: hyperv1.NodePoolPlatform{AWS: &hyperv1.AWSNodePoolPlatform{
SecurityGroups: []hyperv1.AWSResourceReference{{ID: k8sutilspointer.String("nodepool-specific")}},
}}},
expected: defaultAWSMachineTemplate(func(tmpl *capiaws.AWSMachineTemplate) {
- tmpl.Spec.Template.Spec.AdditionalSecurityGroups = []capiaws.AWSResourceReference{{ID: k8sutilspointer.String("nodepool-specific")}}
+ tmpl.Spec.Template.Spec.AdditionalSecurityGroups = []capiaws.AWSResourceReference{{ID: k8sutilspointer.String("nodepool-specific")}, {ID: defaultSG[0].ID}}
}),
},
{
- name: "NotReady error is returned if no sg specified and no cluster sg is available",
+ name: "NotReady error is returned if no sg specified and no cluster sg is available",
+ clusterStatus: &hyperv1.HostedClusterStatus{Platform: &hyperv1.PlatformStatus{AWS: &hyperv1.AWSPlatformStatus{DefaultWorkerSecurityGroupID: ""}}},
checkError: func(t *testing.T, err error) {
_, isNotReady := err.(*NotReadyError)
if err == nil || !isNotReady {
@@ -137,7 +134,11 @@ func TestAWSMachineTemplate(t *testing.T) {
if tc.nodePool.Platform.AWS == nil {
tc.nodePool.Platform.AWS = &hyperv1.AWSNodePoolPlatform{}
}
- result, err := awsMachineTemplateSpec(infraName, amiName, &hyperv1.HostedCluster{Spec: tc.cluster, Status: tc.clusterStatus}, &hyperv1.NodePool{Spec: tc.nodePool}, true)
+ clusterStatus := hyperv1.HostedClusterStatus{Platform: &hyperv1.PlatformStatus{AWS: &hyperv1.AWSPlatformStatus{DefaultWorkerSecurityGroupID: *defaultSG[0].ID}}}
+ if tc.clusterStatus != nil {
+ clusterStatus = *tc.clusterStatus
+ }
+ result, err := awsMachineTemplateSpec(infraName, amiName, &hyperv1.HostedCluster{Spec: tc.cluster, Status: clusterStatus}, &hyperv1.NodePool{Spec: tc.nodePool}, true)
if tc.checkError != nil {
tc.checkError(t, err)
} else {
@@ -149,7 +150,7 @@ func TestAWSMachineTemplate(t *testing.T) {
return
}
if !equality.Semantic.DeepEqual(&tc.expected.Spec, result) {
- t.Errorf(cmp.Diff(tc.expected.Spec, result))
+ t.Errorf(cmp.Diff(&tc.expected.Spec, result))
}
})
}
diff --git a/hypershift-operator/controllers/nodepool/nodepool_controller.go b/hypershift-operator/controllers/nodepool/nodepool_controller.go
index 5088bbae98f..5e991cced86 100644
--- a/hypershift-operator/controllers/nodepool/nodepool_controller.go
+++ b/hypershift-operator/controllers/nodepool/nodepool_controller.go
@@ -499,8 +499,7 @@ func (r *NodePoolReconciler) reconcile(ctx context.Context, hcluster *hyperv1.Ho
})
}
- if len(nodePool.Spec.Platform.AWS.SecurityGroups) == 0 &&
- (hcluster.Status.Platform == nil || hcluster.Status.Platform.AWS == nil || hcluster.Status.Platform.AWS.DefaultWorkerSecurityGroupID == "") {
+ if hcluster.Status.Platform == nil || hcluster.Status.Platform.AWS == nil || hcluster.Status.Platform.AWS.DefaultWorkerSecurityGroupID == "" {
SetStatusCondition(&nodePool.Status.Conditions, hyperv1.NodePoolCondition{
Type: hyperv1.NodePoolAWSSecurityGroupAvailableConditionType,
Status: corev1.ConditionFalse,
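Review bot: `t.Errorf(cmp.Diff(&tc.expected.Spec, result))` in the `@@ -149` hunk still hands the diff to Errorf as the format string, so any `%` in a compared value (a tag value, an ID) is read as a verb and recent go vet rejects non-constant format strings in printf-style calls; write `t.Errorf("%s", cmp.Diff(&tc.expected.Spec, result))` or simply `t.Error(cmp.Diff(&tc.expected.Spec, result))`. The table also only ever calls awsMachineTemplateSpec with `true` as the final argument, and the renamed case "NodePool sg is used in addition to cluster default" does not cover a pool that already lists the default ID, so neither the `defaultSG == false` path nor a duplicate entry is pinned by a test. The subtest body belongs to TestAWSMachineTemplate, which starts and ends outside the hunk.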
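Review bot: The nil chain `hcluster.Status.Platform == nil || hcluster.Status.Platform.AWS == nil || hcluster.Status.Platform.AWS.DefaultWorkerSecurityGroupID == ""` is now spelled out identically here and in awsMachineTemplateSpec (nodepool/aws.go), and the two gate different outcomes (a status condition here, a NotReadyError there), so they will drift the next time the status shape changes. A small accessor used by both reads better and keeps them in lockstep: `func defaultWorkerSGID(hc *hyperv1.HostedCluster) string { if hc.Status.Platform == nil || hc.Status.Platform.AWS == nil { return "" }; return hc.Status.Platform.AWS.DefaultWorkerSecurityGroupID }`, with `if defaultWorkerSGID(hcluster) == "" {` at this site. Dropping the `len(...SecurityGroups) == 0` half also means a pool that supplies its own groups is now held back until the operator-created group exists, so the False-condition message just past the hunk should name the cluster default group as what is missing rather than hint at a NodePool misconfiguration. reconcile starts and ends outside the hunk.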
@@ -513,7 +512,7 @@ func (r *NodePoolReconciler) reconcile(ctx context.Context, hcluster *hyperv1.Ho
Type: hyperv1.NodePoolAWSSecurityGroupAvailableConditionType,
Status: corev1.ConditionTrue,
Reason: hyperv1.AsExpectedReason,
- Message: "NodePool has a security group",
+ Message: "NodePool has a default security group",
ObservedGeneration: nodePool.Generation,
})
}
diff --git a/vendor/github.com/openshift/hypershift/api/hypershift/v1alpha1/hostedcluster_types.go b/vendor/github.com/openshift/hypershift/api/hypershift/v1alpha1/hostedcluster_types.go
index cbbea5a13e2..dcf843a1421 100644
--- a/vendor/github.com/openshift/hypershift/api/hypershift/v1alpha1/hostedcluster_types.go
+++ b/vendor/github.com/openshift/hypershift/api/hypershift/v1alpha1/hostedcluster_types.go
@@ -1987,8 +1987,8 @@ type PlatformStatus struct {
// AWSPlatformStatus contains status specific to the AWS platform
type AWSPlatformStatus struct {
// DefaultWorkerSecurityGroupID is the ID of a security group created by
- // the control plane operator. It is used for NodePools that don't specify a
- // security group.
+ // the control plane operator. It is always added to worker machines in
+ // addition to any security groups specified in the NodePool.
// +optional
DefaultWorkerSecurityGroupID string `json:"defaultWorkerSecurityGroupID,omitempty"`
}
diff --git a/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/hostedcluster_types.go b/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/hostedcluster_types.go
index 4eb1f142618..2fde6a28162 100644
--- a/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/hostedcluster_types.go
+++ b/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/hostedcluster_types.go
@@ -2086,8 +2086,8 @@ type PlatformStatus struct {
// AWSPlatformStatus contains status specific to the AWS platform
type AWSPlatformStatus struct {
// DefaultWorkerSecurityGroupID is the ID of a security group created by
- // the control plane operator. It is used for NodePools that don't specify a
- // security group.
+ // the control plane operator. It is always added to worker machines in
+ // addition to any security groups specified in the NodePool.
// +optional
DefaultWorkerSecurityGroupID string `json:"defaultWorkerSecurityGroupID,omitempty"`
}