Only include API server additional security groups in InstanceGroups for masters #10519
Conversation
Hi @seh. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
19baedf to 301d1de
This fix looks good to me, can you drop your last commit to address the merge conflicts? Copyright year issues were fixed in #10520.
With glee. That last commit saddened me greatly to see the changed file count climb so high. I'll take care of this on Monday morning.
Looks ok to me too, so...
When using an AWS NLB in front of the Kubernetes API servers, we can't attach the EC2 security groups nominated in the Cluster "spec.api.loadBalancer.additionalSecurityGroups" field directly to the load balancer, as NLBs don't have associated security groups. Instead, we intend to attach those nominated security groups to the machines that will receive network traffic forwarded from the NLB's listeners. For the API servers, since that program runs only on the master or control plane machines, we need only attach those security groups to the machines that will host the "kube-apiserver" program, by way of the ASG launch templates that come from kOps InstanceGroups of role "master." We were mistakenly including these security groups in launch templates derived from InstanceGroups of all of our three current roles: "bastion," "master," and "node." Instead, skip InstanceGroups of the "bastion" and "node" roles and only target those of role "master."
301d1de to 76feb2e
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rifelpet, seh The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
…19-origin-release-1.19 Automated cherry pick of #10519: Test that AWS launch templates include wrong SG
Can we backport this for inclusion in kOps version 1.19? Oh, it's already done in #10528.
When using an AWS NLB in front of the Kubernetes API servers, we can't attach the EC2 security groups nominated in the Cluster "spec.api.loadBalancer.additionalSecurityGroups" field directly to the load balancer, as NLBs don't have associated security groups. Instead, we intend to attach those nominated security groups to the machines that will receive network traffic forwarded from the NLB's listeners. For the API servers, since that program runs only on the master or control plane machines, we need only attach those security groups to the machines that will host the kube-apiserver program, by way of the ASG launch templates that come from kOps InstanceGroups of role "master."
We were mistakenly including these security groups in launch templates derived from InstanceGroups of all of our three current roles: "bastion," "master," and "node." Instead, skip InstanceGroups of the "bastion" and "node" roles and only target those of role "master."
Fixes #10517.
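The rule this PR restores is small but security-relevant: the security groups named in spec.api.loadBalancer.additionalSecurityGroups are meant to open API-server traffic to the control-plane machines only, and attaching them to bastion and node launch templates widened that exposure to every instance in the cluster. The following is an added example, not kOps code: the types are a hypothetical, reduced model (InstanceGroup, APILoadBalancer, LaunchTemplate and the single RoleSecurityGroup per group are assumptions made for the illustration, and the sg-… ids are constructed). LaunchTemplateSecurityGroups applies the master-only rule; AuditLaunchTemplates goes one step further than the patch and checks existing launch templates for the over-broad attachment that clusters built before the fix would carry.

```go
package main

import (
	"fmt"
	"sort"
)

// The three InstanceGroup roles named in the PR description.
const (
	RoleBastion = "bastion"
	RoleMaster  = "master"
	RoleNode    = "node"
)

// InstanceGroup is a hypothetical, reduced model of a kOps InstanceGroup
// (not the project's own type): only what this decision needs.
type InstanceGroup struct {
	Name string
	Role string
	// RoleSecurityGroup stands in for the per-role SG kOps already attaches
	// (assumption: one SG per role is enough for the illustration).
	RoleSecurityGroup string
}

// APILoadBalancer models the part of spec.api.loadBalancer the PR talks about.
type APILoadBalancer struct {
	AdditionalSecurityGroups []string // spec.api.loadBalancer.additionalSecurityGroups
}

// LaunchTemplateSecurityGroups returns the SGs the launch template for ig
// should reference. The API load balancer's additional SGs are appended
// only for role "master"; bastion and node groups get just their role SG.
func LaunchTemplateSecurityGroups(ig InstanceGroup, api APILoadBalancer) []string {
	sgs := []string{ig.RoleSecurityGroup}
	if ig.Role == RoleMaster {
		sgs = append(sgs, api.AdditionalSecurityGroups...)
	}
	return sgs
}

// LaunchTemplate is a constructed view of an existing ASG launch template:
// the role of the group it was derived from and the SG ids it references.
type LaunchTemplate struct {
	Name           string
	Role           string
	SecurityGroups []string
}

// AuditLaunchTemplates reports, sorted by name, every non-master launch
// template that references one of the API load balancer's additional SGs.
// Templates produced by the pre-fix code show up here; after the fix the
// result for a freshly rendered cluster should be empty.
func AuditLaunchTemplates(templates []LaunchTemplate, api APILoadBalancer) []string {
	apiSGs := make(map[string]bool, len(api.AdditionalSecurityGroups))
	for _, sg := range api.AdditionalSecurityGroups {
		apiSGs[sg] = true
	}
	var offenders []string
	for _, lt := range templates {
		if lt.Role == RoleMaster {
			continue // masters are supposed to carry the API SGs
		}
		for _, sg := range lt.SecurityGroups {
			if apiSGs[sg] {
				offenders = append(offenders, lt.Name)
				break
			}
		}
	}
	sort.Strings(offenders)
	return offenders
}

func main() {
	// Constructed cluster: one API SG and one group per role.
	api := APILoadBalancer{AdditionalSecurityGroups: []string{"sg-0apiextra0"}}
	groups := []InstanceGroup{
		{Name: "bastions", Role: RoleBastion, RoleSecurityGroup: "sg-0bastion00"},
		{Name: "master-us-east-1a", Role: RoleMaster, RoleSecurityGroup: "sg-0masters00"},
		{Name: "nodes", Role: RoleNode, RoleSecurityGroup: "sg-0nodes0000"},
	}
	for _, ig := range groups {
		fmt.Printf("%-18s %-8s %v\n", ig.Name, ig.Role, LaunchTemplateSecurityGroups(ig, api))
	}

	// Constructed pre-fix state: every template carries the API SG.
	old := []LaunchTemplate{
		{Name: "bastions", Role: RoleBastion, SecurityGroups: []string{"sg-0bastion00", "sg-0apiextra0"}},
		{Name: "master-us-east-1a", Role: RoleMaster, SecurityGroups: []string{"sg-0masters00", "sg-0apiextra0"}},
		{Name: "nodes", Role: RoleNode, SecurityGroups: []string{"sg-0nodes0000", "sg-0apiextra0"}},
	}
	fmt.Println("non-master templates carrying API SGs:", AuditLaunchTemplates(old, api))
}
```

The audit is the part worth keeping around: the patch stops new launch templates from being rendered with the extra groups, but instances created from earlier templates keep whatever SGs they were launched with until the template is re-rendered and the ASG rolls, so a periodic check against the live templates (or the kops update plan) is how you confirm the exposure is actually gone.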