Labels: kind/bug, needs-priority, needs-triage
Description
/kind bug
What steps did you take and what happened:
When an internal-scheme, classic loadBalancerType ELB is created, the security group attached to it contains an inbound rule for 0.0.0.0/0.
What did you expect to happen:
There should be no inbound rule with 0.0.0.0/0 when ELB is internal. An internal LB with 0.0.0.0/0 access defeats the purpose of being "internal". Anyone with network access can reach the API server.
Anything else you would like to add:
This is happening because when apiserver-lb is being created:

```go
case infrav1.SecurityGroupAPIServerLB:
```

we have two sets of rules:

```go
kubeletRules := s.getIngressRulesToAllowKubeletToAccessTheControlPlaneLB()
customIngressRules, err := s.processIngressRulesSGs(s.getControlPlaneLBIngressRules())
```
If no explicit Ingress Rules are provided, then s.getIngressRuleToAllowAnyIPInTheAPIServer is called.

```go
func (s *Service) getControlPlaneLBIngressRules() infrav1.IngressRules {
	ingressRules := infrav1.IngressRules{}
	for _, lb := range s.scope.ControlPlaneLoadBalancers() {
		if lb != nil && len(lb.IngressRules) > 0 {
			ingressRules = append(ingressRules, lb.IngressRules...)
		}
	}
	if len(ingressRules) > 0 {
		return ingressRules
	}

	// If no custom ingress rules have been defined we allow all traffic so that the MC can access the WC API
	return s.getIngressRuleToAllowAnyIPInTheAPIServer()
}
```
and getIngressRuleToAllowAnyIPInTheAPIServer will return the 0.0.0.0 value:

```go
func (s *Service) getIngressRuleToAllowAnyIPInTheAPIServer() infrav1.IngressRules {
	if s.scope.VPC().IsIPv6Enabled() {
		return infrav1.IngressRules{
			{
				Description:    "Kubernetes API IPv6",
				Protocol:       infrav1.SecurityGroupProtocolTCP,
				FromPort:       int64(s.scope.APIServerPort()),
				ToPort:         int64(s.scope.APIServerPort()),
				IPv6CidrBlocks: []string{services.AnyIPv6CidrBlock},
			},
		}
	}

	return infrav1.IngressRules{
		{
			Description: "Kubernetes API",
			Protocol:    infrav1.SecurityGroupProtocolTCP,
			FromPort:    int64(s.scope.APIServerPort()),
			ToPort:      int64(s.scope.APIServerPort()),
			CidrBlocks:  []string{services.AnyIPv4CidrBlock},
		},
	}
}
```
Environment:
- Cluster-api-provider-aws version: v2.7.1
- Kubernetes version (use kubectl version):
- OS (e.g. from /etc/os-release):
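The fallback described in this issue, modelled as an added example that is not code from cluster-api-provider-aws: a constructed stand-in for the rule selection (`asReported`), a scheme-aware variant (`schemeAware`) that scopes the default source to the VPC CIDR when every control-plane load balancer is internal, and a check (`worldReachable`) that flags any-IP sources in the resulting rules. The type names, field names, scheme strings, VPC CIDRs and the API port are this example's own assumptions and mirror infrav1 only in shape; they are not the project's identifiers.

```go
package main

import "fmt"

// Constructed, simplified model of the types involved. Assumption: these
// mirror the provider's IngressRule / load balancer / VPC types in shape only.
type IngressRule struct {
	Description    string
	Protocol       string
	FromPort       int64
	ToPort         int64
	CidrBlocks     []string
	IPv6CidrBlocks []string
}

type LoadBalancer struct {
	Scheme       string // assumption: "internal" or "internet-facing"
	IngressRules []IngressRule
}

type VPC struct {
	CidrBlock     string
	IPv6CidrBlock string // empty when IPv6 is not enabled
}

const (
	anyIPv4 = "0.0.0.0/0"
	anyIPv6 = "::/0"
	apiPort = int64(6443) // assumption: default API server port
)

func apiRule(desc string, v4, v6 []string) []IngressRule {
	return []IngressRule{{Description: desc, Protocol: "tcp", FromPort: apiPort,
		ToPort: apiPort, CidrBlocks: v4, IPv6CidrBlocks: v6}}
}

func customRules(lbs []LoadBalancer) []IngressRule {
	var rules []IngressRule
	for _, lb := range lbs {
		rules = append(rules, lb.IngressRules...)
	}
	return rules
}

// asReported reproduces the behaviour the issue describes: with no custom
// ingress rules on any control-plane LB, the API port is opened to any IP,
// whatever the LB scheme is.
func asReported(lbs []LoadBalancer, vpc VPC) []IngressRule {
	if rules := customRules(lbs); len(rules) > 0 {
		return rules
	}
	if vpc.IPv6CidrBlock != "" {
		return apiRule("Kubernetes API IPv6", nil, []string{anyIPv6})
	}
	return apiRule("Kubernetes API", []string{anyIPv4}, nil)
}

// schemeAware is one possible fix (this example's own, not the project's):
// when every control-plane LB is internal, the default source is the VPC
// CIDR instead of 0.0.0.0/0 or ::/0. Custom rules still take precedence.
func schemeAware(lbs []LoadBalancer, vpc VPC) []IngressRule {
	if rules := customRules(lbs); len(rules) > 0 {
		return rules
	}
	allInternal := len(lbs) > 0
	for _, lb := range lbs {
		if lb.Scheme != "internal" {
			allInternal = false
		}
	}
	v4, v6 := anyIPv4, anyIPv6
	if allInternal {
		v4, v6 = vpc.CidrBlock, vpc.IPv6CidrBlock
	}
	if vpc.IPv6CidrBlock != "" {
		return apiRule("Kubernetes API IPv6", nil, []string{v6})
	}
	return apiRule("Kubernetes API", []string{v4}, nil)
}

// worldReachable is the check to run over the computed rules: true if any
// rule admits traffic from 0.0.0.0/0 or ::/0.
func worldReachable(rules []IngressRule) bool {
	for _, r := range rules {
		for _, c := range r.CidrBlocks {
			if c == anyIPv4 {
				return true
			}
		}
		for _, c := range r.IPv6CidrBlocks {
			if c == anyIPv6 {
				return true
			}
		}
	}
	return false
}

func main() {
	vpc := VPC{CidrBlock: "10.0.0.0/16"} // constructed sample VPC
	internal := []LoadBalancer{{Scheme: "internal"}}
	fmt.Println("as reported, internal LB world-reachable:", worldReachable(asReported(internal, vpc)))
	fmt.Println("scheme-aware, internal LB world-reachable:", worldReachable(schemeAware(internal, vpc)))
}
```

The same `worldReachable` check applies to the rules actually rendered on a live cluster: listing the ingress permissions of the apiserver-lb security group and looking for an any-IP source on the API port is the quickest way to confirm whether a given cluster is affected.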