in eks/ng/security-groups.go [93:455]
func (ts *tester) authorizeSecurityGroup() error {
ts.cfg.Logger.Info("authorizing security group",
zap.String("api-server-node-security-group-id", ts.cfg.EKSConfig.VPC.SecurityGroupID),
zap.String("node-group-security-group-id", ts.cfg.EKSConfig.VPC.NodeGroupSecurityGroupID),
)
// allow node to communicate with each other
ts.cfg.Logger.Info("authorizing IngressWithinNodeGroupSecurityGroup", zap.String("sg-id", ts.cfg.EKSConfig.VPC.NodeGroupSecurityGroupID))
_, err := ts.cfg.EC2APIV2.AuthorizeSecurityGroupIngress(
context.Background(),
&aws_ec2_v2.AuthorizeSecurityGroupIngressInput{
// ingress target
GroupId: aws_v2.String(ts.cfg.EKSConfig.VPC.NodeGroupSecurityGroupID),
IpPermissions: []aws_ec2_v2_types.IpPermission{
{
IpProtocol: aws_v2.String("-1"),
UserIdGroupPairs: []aws_ec2_v2_types.UserIdGroupPair{
{
GroupId: aws_v2.String(ts.cfg.EKSConfig.VPC.NodeGroupSecurityGroupID),
Description: aws_v2.String("allow node to communicate with each other"),
VpcId: aws_v2.String(ts.cfg.EKSConfig.VPC.ID),
},
},
},
},
},
)
if err != nil {
ts.cfg.Logger.Warn("failed to authorize ingress", zap.Error(err))
var apiErr smithy.APIError
if errors.As(err, &apiErr) {
if strings.Contains(apiErr.ErrorCode(), "Duplicate") {
err = nil
}
}
if err != nil {
return err
}
}
ts.cfg.Logger.Info("authorized IngressWithinNodeGroupSecurityGroup")
// allow pods to communicate with the cluster API Server
ts.cfg.Logger.Info("authorizing Ingress443FromNGtoCP", zap.String("sg-id", ts.cfg.EKSConfig.VPC.NodeGroupSecurityGroupID))
_, err = ts.cfg.EC2APIV2.AuthorizeSecurityGroupIngress(
context.Background(),
&aws_ec2_v2.AuthorizeSecurityGroupIngressInput{
// ingress target
GroupId: aws_v2.String(ts.cfg.EKSConfig.VPC.SecurityGroupID),
IpPermissions: []aws_ec2_v2_types.IpPermission{
{
IpProtocol: aws_v2.String("tcp"),
FromPort: aws_v2.Int32(443),
ToPort: aws_v2.Int32(443),
UserIdGroupPairs: []aws_ec2_v2_types.UserIdGroupPair{
{
GroupId: aws_v2.String(ts.cfg.EKSConfig.VPC.NodeGroupSecurityGroupID),
Description: aws_v2.String("allow pods to communicate with the cluster API Server"),
VpcId: aws_v2.String(ts.cfg.EKSConfig.VPC.ID),
},
},
},
},
},
)
if err != nil {
ts.cfg.Logger.Warn("failed to authorize ingress", zap.Error(err))
var apiErr smithy.APIError
if errors.As(err, &apiErr) {
if strings.Contains(apiErr.ErrorCode(), "Duplicate") {
err = nil
}
}
if err != nil {
return err
}
}
ts.cfg.Logger.Info("authorized Ingress443FromNGtoCP")
// allow pods running extension API servers on port 443
// to receive communication from cluster control plane
ts.cfg.Logger.Info("authorizing Ingress443FromCPtoNG", zap.String("sg-id", ts.cfg.EKSConfig.VPC.NodeGroupSecurityGroupID))
_, err = ts.cfg.EC2APIV2.AuthorizeSecurityGroupIngress(
context.Background(),
&aws_ec2_v2.AuthorizeSecurityGroupIngressInput{
// egress target
GroupId: aws_v2.String(ts.cfg.EKSConfig.VPC.NodeGroupSecurityGroupID),
IpPermissions: []aws_ec2_v2_types.IpPermission{
{
IpProtocol: aws_v2.String("tcp"),
FromPort: aws_v2.Int32(443),
ToPort: aws_v2.Int32(443),
UserIdGroupPairs: []aws_ec2_v2_types.UserIdGroupPair{
{
GroupId: aws_v2.String(ts.cfg.EKSConfig.VPC.SecurityGroupID),
Description: aws_v2.String("receive communication from cluster control plane"),
VpcId: aws_v2.String(ts.cfg.EKSConfig.VPC.ID),
},
},
},
},
},
)
if err != nil {
ts.cfg.Logger.Warn("failed to authorize ingress", zap.Error(err))
var apiErr smithy.APIError
if errors.As(err, &apiErr) {
if strings.Contains(apiErr.ErrorCode(), "Duplicate") {
err = nil
}
}
if err != nil {
return err
}
}
ts.cfg.Logger.Info("authorized Ingress443FromCPtoNG")
// allow the cluster control plane to communicate with pods running extension API servers on port 443
ts.cfg.Logger.Info("authorizing Egress443FromCPtoNG", zap.String("sg-id", ts.cfg.EKSConfig.VPC.NodeGroupSecurityGroupID))
_, err = ts.cfg.EC2APIV2.AuthorizeSecurityGroupEgress(
context.Background(),
&aws_ec2_v2.AuthorizeSecurityGroupEgressInput{
// egress target
GroupId: aws_v2.String(ts.cfg.EKSConfig.VPC.SecurityGroupID),
IpPermissions: []aws_ec2_v2_types.IpPermission{
{
IpProtocol: aws_v2.String("tcp"),
FromPort: aws_v2.Int32(443),
ToPort: aws_v2.Int32(443),
UserIdGroupPairs: []aws_ec2_v2_types.UserIdGroupPair{
{
GroupId: aws_v2.String(ts.cfg.EKSConfig.VPC.NodeGroupSecurityGroupID),
Description: aws_v2.String("communicate with pods running extension API servers on port 443"),
VpcId: aws_v2.String(ts.cfg.EKSConfig.VPC.ID),
},
},
},
},
},
)
if err != nil {
ts.cfg.Logger.Warn("failed to authorize egress", zap.Error(err))
var apiErr smithy.APIError
if errors.As(err, &apiErr) {
if strings.Contains(apiErr.ErrorCode(), "Duplicate") {
err = nil
}
}
if err != nil {
return err
}
}
ts.cfg.Logger.Info("authorized Egress443FromCPtoNG")
// allow worker Kubelets and pods to receive communication from the cluster control plane
ts.cfg.Logger.Info("authorizing IngressAllFromCPtoNG", zap.String("sg-id", ts.cfg.EKSConfig.VPC.NodeGroupSecurityGroupID))
_, err = ts.cfg.EC2APIV2.AuthorizeSecurityGroupIngress(
context.Background(),
&aws_ec2_v2.AuthorizeSecurityGroupIngressInput{
// ingress target
GroupId: aws_v2.String(ts.cfg.EKSConfig.VPC.NodeGroupSecurityGroupID),
IpPermissions: []aws_ec2_v2_types.IpPermission{
{
IpProtocol: aws_v2.String("tcp"),
FromPort: aws_v2.Int32(0),
ToPort: aws_v2.Int32(65535),
UserIdGroupPairs: []aws_ec2_v2_types.UserIdGroupPair{
{
GroupId: aws_v2.String(ts.cfg.EKSConfig.VPC.SecurityGroupID),
Description: aws_v2.String("receive communication from the cluster control plane"),
VpcId: aws_v2.String(ts.cfg.EKSConfig.VPC.ID),
},
},
},
},
},
)
if err != nil {
ts.cfg.Logger.Warn("failed to authorize ingress", zap.Error(err))
var apiErr smithy.APIError
if errors.As(err, &apiErr) {
if strings.Contains(apiErr.ErrorCode(), "Duplicate") {
err = nil
}
}
if err != nil {
return err
}
}
ts.cfg.Logger.Info("authorized IngressAllFromCPtoNG")
// allow the cluster control plane to communicate with worker Kubelet and pods
ts.cfg.Logger.Info("authorizing EgressAllFromCPtoNG", zap.String("sg-id", ts.cfg.EKSConfig.VPC.NodeGroupSecurityGroupID))
_, err = ts.cfg.EC2APIV2.AuthorizeSecurityGroupEgress(
context.Background(),
&aws_ec2_v2.AuthorizeSecurityGroupEgressInput{
// egress target
GroupId: aws_v2.String(ts.cfg.EKSConfig.VPC.SecurityGroupID),
IpPermissions: []aws_ec2_v2_types.IpPermission{
{
IpProtocol: aws_v2.String("tcp"),
FromPort: aws_v2.Int32(0),
ToPort: aws_v2.Int32(65535),
UserIdGroupPairs: []aws_ec2_v2_types.UserIdGroupPair{
{
GroupId: aws_v2.String(ts.cfg.EKSConfig.VPC.NodeGroupSecurityGroupID),
Description: aws_v2.String("communicate with worker Kubelet and pods"),
VpcId: aws_v2.String(ts.cfg.EKSConfig.VPC.ID),
},
},
},
},
},
)
if err != nil {
ts.cfg.Logger.Warn("failed to authorize egress", zap.Error(err))
var apiErr smithy.APIError
if errors.As(err, &apiErr) {
if strings.Contains(apiErr.ErrorCode(), "Duplicate") {
err = nil
}
}
if err != nil {
return err
}
}
ts.cfg.Logger.Info("authorized EgressAllFromCPtoNG")
ts.cfg.Logger.Info("authorizing Ingress22ForSSH", zap.String("sg-id", ts.cfg.EKSConfig.VPC.NodeGroupSecurityGroupID))
_, err = ts.cfg.EC2APIV2.AuthorizeSecurityGroupIngress(
context.Background(),
&aws_ec2_v2.AuthorizeSecurityGroupIngressInput{
// ingress target
GroupId: aws_v2.String(ts.cfg.EKSConfig.VPC.NodeGroupSecurityGroupID),
IpPermissions: []aws_ec2_v2_types.IpPermission{
{
IpProtocol: aws_v2.String("tcp"),
IpRanges: []aws_ec2_v2_types.IpRange{
{
CidrIp: aws_v2.String("0.0.0.0/0"),
},
},
FromPort: aws_v2.Int32(22),
ToPort: aws_v2.Int32(22),
},
},
},
)
if err != nil {
ts.cfg.Logger.Warn("failed to authorize ingress", zap.Error(err))
var apiErr smithy.APIError
if errors.As(err, &apiErr) {
if strings.Contains(apiErr.ErrorCode(), "Duplicate") {
err = nil
}
}
if err != nil {
return err
}
}
ts.cfg.Logger.Info("authorized Ingress22ForSSH")
ts.cfg.Logger.Info("authorizing IngressForGuestBook", zap.String("sg-id", ts.cfg.EKSConfig.VPC.NodeGroupSecurityGroupID))
_, err = ts.cfg.EC2APIV2.AuthorizeSecurityGroupIngress(
context.Background(),
&aws_ec2_v2.AuthorizeSecurityGroupIngressInput{
// ingress target
GroupId: aws_v2.String(ts.cfg.EKSConfig.VPC.NodeGroupSecurityGroupID),
IpPermissions: []aws_ec2_v2_types.IpPermission{
{
IpProtocol: aws_v2.String("tcp"),
IpRanges: []aws_ec2_v2_types.IpRange{
{
CidrIp: aws_v2.String("0.0.0.0/0"),
},
},
FromPort: aws_v2.Int32(1),
ToPort: aws_v2.Int32(10000),
},
},
},
)
if err != nil {
ts.cfg.Logger.Warn("failed to authorize ingress", zap.Error(err))
var apiErr smithy.APIError
if errors.As(err, &apiErr) {
if strings.Contains(apiErr.ErrorCode(), "Duplicate") {
err = nil
}
}
if err != nil {
return err
}
}
ts.cfg.Logger.Info("authorized IngressForGuestBook")
ts.cfg.Logger.Info("authorizing EgressForGuestBook", zap.String("sg-id", ts.cfg.EKSConfig.VPC.NodeGroupSecurityGroupID))
_, err = ts.cfg.EC2APIV2.AuthorizeSecurityGroupEgress(
context.Background(),
&aws_ec2_v2.AuthorizeSecurityGroupEgressInput{
// egress target
GroupId: aws_v2.String(ts.cfg.EKSConfig.VPC.SecurityGroupID),
IpPermissions: []aws_ec2_v2_types.IpPermission{
{
IpProtocol: aws_v2.String("tcp"),
FromPort: aws_v2.Int32(1),
ToPort: aws_v2.Int32(10000),
},
},
},
)
if err != nil {
ts.cfg.Logger.Warn("failed to authorize egress", zap.Error(err))
var apiErr smithy.APIError
if errors.As(err, &apiErr) {
if strings.Contains(apiErr.ErrorCode(), "Duplicate") {
err = nil
}
}
if err != nil {
return err
}
}
ts.cfg.Logger.Info("authorized EgressForGuestBook")
ts.cfg.Logger.Info("authorizing IngressForNodePortConformance", zap.String("sg-id", ts.cfg.EKSConfig.VPC.NodeGroupSecurityGroupID))
_, err = ts.cfg.EC2APIV2.AuthorizeSecurityGroupIngress(
context.Background(),
&aws_ec2_v2.AuthorizeSecurityGroupIngressInput{
// ingress target
GroupId: aws_v2.String(ts.cfg.EKSConfig.VPC.NodeGroupSecurityGroupID),
IpPermissions: []aws_ec2_v2_types.IpPermission{
{
IpProtocol: aws_v2.String("tcp"),
IpRanges: []aws_ec2_v2_types.IpRange{
{
CidrIp: aws_v2.String("0.0.0.0/0"),
},
},
FromPort: aws_v2.Int32(1),
ToPort: aws_v2.Int32(32767),
},
},
},
)
if err != nil {
ts.cfg.Logger.Warn("failed to authorize ingress", zap.Error(err))
var apiErr smithy.APIError
if errors.As(err, &apiErr) {
if strings.Contains(apiErr.ErrorCode(), "Duplicate") {
err = nil
}
}
if err != nil {
return err
}
}
ts.cfg.Logger.Info("authorized IngressForNodePortConformance")
ts.cfg.Logger.Info("authorized security group")
return nil
}