From a7040d40041941cd4a649e7c5caf98c26cfbbb90 Mon Sep 17 00:00:00 2001
From: atiratree
Date: Mon, 6 Dec 2021 15:13:52 +0100
Subject: [PATCH] Revert "open cluster-policy-controller ports for metrics"

This reverts commit 2636aef6cdf0f897f98446e29c969d61b6b009a7.
---
 data/data/aws/cluster/vpc/sg-master.tf | 22 -------------------
 data/data/gcp/cluster/network/firewall.tf | 6 -----
 .../ibmcloud/network/vpc/security-groups.tf | 11 ----------
 data/data/openstack/topology/sg-master.tf | 11 ----------
 .../cloudformation/03_cluster_security.yaml | 20 ----------------
 upi/gcp/03_firewall.py | 3 ---
 upi/openstack/security-groups.yaml | 8 -------
 7 files changed, 81 deletions(-)
diff --git a/data/data/aws/cluster/vpc/sg-master.tf b/data/data/aws/cluster/vpc/sg-master.tf
index dcef78b41c..4424b875c2 100644
--- a/data/data/aws/cluster/vpc/sg-master.tf
+++ b/data/data/aws/cluster/vpc/sg-master.tf
@@ -289,28 +289,6 @@ resource "aws_security_group_rule" "master_ingress_kube_controller_manager_from_
 to_port = 10257
 }
 
-resource "aws_security_group_rule" "master_ingress_cluster_policy_controller" {
- type = "ingress"
- security_group_id = aws_security_group.master.id
- description = local.description
-
- protocol = "tcp"
- from_port = 10357
- to_port = 10357
- self = true
-}
-
-resource "aws_security_group_rule" "master_ingress_cluster_policy_controller_from_worker" {
- type = "ingress"
- security_group_id = aws_security_group.master.id
- source_security_group_id = aws_security_group.worker.id
- description = local.description
-
- protocol = "tcp"
- from_port = 10357
- to_port = 10357
-}
-
 resource "aws_security_group_rule" "master_ingress_kubelet_secure" {
 type = "ingress"
 security_group_id = aws_security_group.master.id
diff --git a/data/data/gcp/cluster/network/firewall.tf b/data/data/gcp/cluster/network/firewall.tf
index 55d0c4642f..1e2af5bc9d 100644
--- a/data/data/gcp/cluster/network/firewall.tf
+++ b/data/data/gcp/cluster/network/firewall.tf
@@ -54,12 +54,6 @@ resource "google_compute_firewall" "control_plane" {
 ports = ["10257"]
 }
 
- # cluster policy controller
- allow {
- protocol = "tcp"
- ports = ["10357"]
- }
-
 # kube scheduler
 allow {
 protocol = "tcp"
diff --git a/data/data/ibmcloud/network/vpc/security-groups.tf b/data/data/ibmcloud/network/vpc/security-groups.tf
index 9340d4eca6..470de4f494 100644
--- a/data/data/ibmcloud/network/vpc/security-groups.tf
+++ b/data/data/ibmcloud/network/vpc/security-groups.tf
@@ -238,17 +238,6 @@ resource "ibm_is_security_group_rule" "control_plane_internal_kube_default_ports
 }
 }
 
-# Cluster policy controller port
-resource "ibm_is_security_group_rule" "control_plane_internal_cluster_policy_controller_ports_inbound" {
- group = ibm_is_security_group.control_plane_internal.id
- direction = "inbound"
- remote = ibm_is_security_group.control_plane_internal.id
- tcp {
- port_min = 10357
- port_max = 10357
- }
-}
-
 # Kubernetes API - inbound
 resource "ibm_is_security_group_rule" "control_plane_kubernetes_api_inbound" {
 group = ibm_is_security_group.control_plane.id
diff --git a/data/data/openstack/topology/sg-master.tf b/data/data/openstack/topology/sg-master.tf
index fe85d2483a..c34f4e3f79 100644
--- a/data/data/openstack/topology/sg-master.tf
+++ b/data/data/openstack/topology/sg-master.tf
@@ -182,17 +182,6 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_kube_controller
 description = local.description
 }
 
-resource "openstack_networking_secgroup_rule_v2" "master_ingress_cluster_policy_controller" {
- direction = "ingress"
- ethertype = "IPv4"
- protocol = "tcp"
- port_range_min = 10357
- port_range_max = 10357
- remote_ip_prefix = var.cidr_block
- security_group_id = openstack_networking_secgroup_v2.master.id
- description = local.description
-}
-
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_kubelet_secure" {
 direction = "ingress"
 ethertype = "IPv4"
diff --git a/upi/aws/cloudformation/03_cluster_security.yaml b/upi/aws/cloudformation/03_cluster_security.yaml
index ba11b5d0a1..ece4aeb2db 100644
--- a/upi/aws/cloudformation/03_cluster_security.yaml
+++ b/upi/aws/cloudformation/03_cluster_security.yaml
@@ -250,26 +250,6 @@ Resources:
 ToPort: 10259
 IpProtocol: tcp
 
- MasterIngressCPC:
- Type: AWS::EC2::SecurityGroupIngress
- Properties:
- GroupId: !GetAtt MasterSecurityGroup.GroupId
- SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
- Description: Cluster policy controller
- FromPort: 10357
- ToPort: 10357
- IpProtocol: tcp
-
- MasterIngressWorkerCPC:
- Type: AWS::EC2::SecurityGroupIngress
- Properties:
- GroupId: !GetAtt MasterSecurityGroup.GroupId
- SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
- Description: Cluster policy controller
- FromPort: 10357
- ToPort: 10357
- IpProtocol: tcp
-
 MasterIngressIngressServices:
 Type: AWS::EC2::SecurityGroupIngress
 Properties:
diff --git a/upi/gcp/03_firewall.py b/upi/gcp/03_firewall.py
index f231a21e89..ad5523141c 100644
--- a/upi/gcp/03_firewall.py
+++ b/upi/gcp/03_firewall.py
@@ -62,9 +62,6 @@ def GenerateConfig(context):
 },{
 'IPProtocol': 'tcp',
 'ports': ['22623']
- },{
- 'IPProtocol': 'tcp',
- 'ports': ['10357']
 }],
 'sourceTags': [
 context.properties['infra_id'] + '-master',
diff --git a/upi/openstack/security-groups.yaml b/upi/openstack/security-groups.yaml
index bc11b46ada..b57456d6a8 100644
--- a/upi/openstack/security-groups.yaml
+++ b/upi/openstack/security-groups.yaml
@@ -142,14 +142,6 @@
 port_range_min: 10257
 port_range_max: 10257
 
- - name: 'Create master-sg rule "cluster policy controller"'
- os_security_group_rule:
- security_group: "{{ os_sg_master }}"
- protocol: tcp
- remote_ip_prefix: "{{ os_subnet_range }}"
- port_range_min: 10357
- port_range_max: 10357
-
 - name: 'Create master-sg rule "master ingress kubelet secure"'
 os_security_group_rule:
 security_group: "{{ os_sg_master }}"