
EC2 security groups meant only for NLB-fronted API server are attached to all machines in the cluster #10517

Closed
seh opened this issue Jan 2, 2021 · 0 comments · Fixed by #10519

seh commented Jan 2, 2021

1. What kops version are you running? The command kops version will display this information.

1.19.0-beta.3

2. What Kubernetes version are you running? kubectl version will print the version if a cluster is running or provide the Kubernetes version specified as a kops flag.

version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.4", GitCommit:"d360454c9bcd1634cf4cc52d1867af5491dc9c5f", GitTreeState:"clean", BuildDate:"2020-11-11T13:09:17Z", GoVersion:"go1.15.2", Compiler:"gc", Platform:"linux/amd64"}

3. What cloud provider are you using?

AWS

4. What commands did you run? What is the simplest way to reproduce this issue?

  1. Create a cluster with the following Cluster manifest fields set, optionally via kops edit cluster:
     • spec.api.loadBalancer.class
       Set this to "Network"
     • spec.api.loadBalancer.additionalSecurityGroups
       Include at least one security group ID here.
  2. kops update cluster --out=. --target=terraform --create-kube-config=false
  3. terraform apply -auto-approve
  4. Inspect the resulting ASG launch templates using the aws tool or the AWS Web console

5. What happened after the commands executed?

The security group nominated by its ID in the "spec.api.loadBalancer.additionalSecurityGroups" Cluster manifest is applied to all the ASGs involved in the cluster: master machines, worker machines, and bastion machines.

6. What did you expect to happen?

The security group nominated by its ID in the "spec.api.loadBalancer.additionalSecurityGroups" Cluster manifest should be applied to only the ASGs involved in hosting the cluster's API servers: namely, the master machines. Neither the worker machines nor the bastion machines should use this security group.

7. Anything else we need to know?

This topic came up in discussion in the "kops-users" channel of the "Kubernetes" Slack workspace. There, @rifelpet noted that the defect lies in the (*AutoscalingGroupModelBuilder).buildLaunchConfigurationTask method, where it builds up the security group-related configuration for ASGs in clusters using an NLB in front of the API servers. It looks like we should skip that step if the target InstanceGroup role is not "Master."
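The role check described above, as an added example that is not part of the issue or of kops itself. It models the two behaviours side by side: a resolver that appends the NLB's additionalSecurityGroups to every instance group (the defect reported here) and one that appends them only when the instance group role is "Master", plus a LeakedGroups check a cluster operator could point at real launch template data to confirm that workers and bastions carry none of the API-server-only groups. The type names, the resolver functions, and the sample cluster (security group IDs included) are all constructed for this example and simplify the real kops model; in particular the example assumes additionalSecurityGroups only matters when the load balancer class is "Network".

```go
package main

import (
	"fmt"
	"sort"
)

// InstanceGroupRole is a constructed stand-in for the roles an instance group can hold.
type InstanceGroupRole string

const (
	RoleMaster  InstanceGroupRole = "Master"
	RoleNode    InstanceGroupRole = "Node"
	RoleBastion InstanceGroupRole = "Bastion"
)

// LoadBalancerSpec carries the two spec.api.loadBalancer fields the issue is about.
type LoadBalancerSpec struct {
	Class                    string   // "Classic" or "Network"
	AdditionalSecurityGroups []string // security group IDs meant for the API server only
}

// InstanceGroup is a simplified instance group: its name, role, and the security
// groups it would carry regardless of the API load balancer configuration.
type InstanceGroup struct {
	Name               string
	Role               InstanceGroupRole
	BaseSecurityGroups []string
}

// securityGroupsBuggy reproduces the reported behaviour: with an NLB in front of the
// API server, the additional groups are appended to every instance group, role ignored.
func securityGroupsBuggy(lb LoadBalancerSpec, ig InstanceGroup) []string {
	sgs := append([]string{}, ig.BaseSecurityGroups...)
	if lb.Class == "Network" {
		sgs = append(sgs, lb.AdditionalSecurityGroups...)
	}
	return dedupeSorted(sgs)
}

// securityGroupsFixed applies the change the issue proposes: only Master instance
// groups host API servers, so only they receive the NLB's additional groups.
func securityGroupsFixed(lb LoadBalancerSpec, ig InstanceGroup) []string {
	sgs := append([]string{}, ig.BaseSecurityGroups...)
	if lb.Class == "Network" && ig.Role == RoleMaster {
		sgs = append(sgs, lb.AdditionalSecurityGroups...)
	}
	return dedupeSorted(sgs)
}

// LeakedGroups returns, keyed by instance group name, every API-server-only security
// group that the given resolver attaches to a non-master instance group. An empty map
// means least privilege holds: workers and bastions carry none of those groups.
func LeakedGroups(lb LoadBalancerSpec, igs []InstanceGroup,
	resolve func(LoadBalancerSpec, InstanceGroup) []string) map[string][]string {
	leaked := map[string][]string{}
	for _, ig := range igs {
		if ig.Role == RoleMaster {
			continue // masters are allowed to carry these groups
		}
		attached := resolve(lb, ig)
		for _, sg := range lb.AdditionalSecurityGroups {
			if contains(attached, sg) {
				leaked[ig.Name] = append(leaked[ig.Name], sg)
			}
		}
	}
	return leaked
}

// sampleCluster builds a constructed three-role cluster with an NLB-fronted API.
func sampleCluster() (LoadBalancerSpec, []InstanceGroup) {
	lb := LoadBalancerSpec{
		Class:                    "Network",
		AdditionalSecurityGroups: []string{"sg-apiserver-constructed"},
	}
	igs := []InstanceGroup{
		{Name: "master-us-east-1a", Role: RoleMaster, BaseSecurityGroups: []string{"sg-masters-constructed"}},
		{Name: "nodes", Role: RoleNode, BaseSecurityGroups: []string{"sg-nodes-constructed"}},
		{Name: "bastions", Role: RoleBastion, BaseSecurityGroups: []string{"sg-bastion-constructed"}},
	}
	return lb, igs
}

func dedupeSorted(in []string) []string {
	seen := map[string]bool{}
	out := []string{}
	for _, s := range in {
		if !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	sort.Strings(out)
	return out
}

func contains(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

func main() {
	lb, igs := sampleCluster()
	fmt.Println("leaked with buggy resolver:", LeakedGroups(lb, igs, securityGroupsBuggy))
	fmt.Println("leaked with fixed resolver:", LeakedGroups(lb, igs, securityGroupsFixed))
}
```

Running the block prints the nodes and bastions groups as carrying sg-apiserver-constructed under the buggy resolver and an empty map under the fixed one. To audit a live cluster the same way, feed LeakedGroups a resolver that reads the security group IDs out of each ASG's launch template instead of computing them.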
