From a5caaf59676597aa5f189a4d9ad08678a4597ab2 Mon Sep 17 00:00:00 2001 From: Marco Braga Date: Thu, 13 Jun 2024 02:54:15 -0300 Subject: [PATCH] OCPBUGS-35054/capa/byo-vpc/multi-cidr: add MCS rule to controlplane Added security group ingress rule to satisfy the ingress traffic from internal network when the installation is BYO VPC where the machine CIDR, provided in install config, isn't the primary for the VPC. To recap the current CAPA provisioning: - The SGs with suffix 'node', 'lb' and 'controlplane' are created and attached to the control plane nodes - The SGs 'lb' is intended to create ingress rules from listeners (API, MCS, etc), but CAPA enforces the Primary CIDR block of VPC[1] - When deploying BYO VPC with multi-CIDR (managed multi-cidr isn't supported), CAPA creates ingress rules in 'lb' with primary CIDR of VPC, then the control plane instances tries to access the MCS endpoint in the first boot to load ignitions from bootstrap, it is blocked because the LB is created using subnets from the Secondary CIDR block, leading to failed control plane nodes provisioning. This change add ingress rules to MCS (22623/TCP) to SG 'controlplane' from NLB's SG, similar already existing rules for API (reason why API is working). [1] https://github.com/kubernetes-sigs/cluster-api-provider-aws/issues/5008 --- pkg/asset/manifests/aws/cluster.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/asset/manifests/aws/cluster.go b/pkg/asset/manifests/aws/cluster.go index f658ff2396..f856cee097 100644 --- a/pkg/asset/manifests/aws/cluster.go +++ b/pkg/asset/manifests/aws/cluster.go @@ -126,7 +126,7 @@ func GenerateClusterAssets(ic *installconfig.InstallConfig, clusterID *installco Protocol: capa.SecurityGroupProtocolTCP, FromPort: 22623, ToPort: 22623, - SourceSecurityGroupRoles: []capa.SecurityGroupRole{"node", "controlplane"}, + SourceSecurityGroupRoles: []capa.SecurityGroupRole{"node", "controlplane", "apiserver-lb"}, }, { Description: "controller-manager",