func()

in eks/ng/security-groups.go [457:819]


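// revokeSecurityGroups removes the rules that were granted between the
// node-group security group and the cluster (control-plane) security group,
// plus the test-time rules on the node-group security group that were opened
// to 0.0.0.0/0 (SSH on 22, guestbook 1-10000, NodePort conformance 1-32767).
// It is a no-op when no node-group security group ID is recorded.
//
// Rules are revoked one at a time, in the order listed. A "NotFound" API
// error means the rule (or the group) is already gone and is treated as
// success so that cleanup can be re-run; any other error aborts the sequence
// and is returned.
func (ts *tester) revokeSecurityGroups() (err error) {
	ts.cfg.Logger.Info("revoking security group")
	ngSG := ts.cfg.EKSConfig.VPC.NodeGroupSecurityGroupID
	if ngSG == "" {
		return nil
	}
	cpSG := ts.cfg.EKSConfig.VPC.SecurityGroupID
	vpcID := ts.cfg.EKSConfig.VPC.ID

	// Each entry mirrors one rule as it was authorized; the permission must
	// match the existing rule exactly for EC2 to revoke it (see
	// revokeSecurityGroupRule for what happens when it does not).
	rules := []securityGroupRule{
		// allow node to communicate with each other
		{
			name:    "IngressWithinNodeGroupSecurityGroup",
			groupID: ngSG,
			perm:    withPeerGroup(sgPermAll(), ngSG, vpcID, "allow node to communicate with each other"),
		},
		// allow pods to communicate with the cluster API Server
		{
			name:    "Ingress443FromNGtoCP",
			groupID: cpSG,
			perm:    withPeerGroup(sgPermTCP(443, 443), ngSG, vpcID, "allow pods to communicate with the cluster API Server"),
		},
		// allow pods running extension API servers on port 443
		// to receive communication from cluster control plane
		{
			name:    "Ingress443FromCPtoNG",
			groupID: ngSG,
			perm:    withPeerGroup(sgPermTCP(443, 443), cpSG, vpcID, "receive communication from cluster control plane"),
		},
		// allow the cluster control plane to communicate with pods running extension API servers on port 443
		{
			name:    "Egress443FromCPtoNG",
			egress:  true,
			groupID: cpSG,
			perm:    withPeerGroup(sgPermTCP(443, 443), ngSG, vpcID, "communicate with pods running extension API servers on port 443"),
		},
		// allow worker Kubelets and pods to receive communication from the cluster control plane
		{
			name:    "IngressAllFromCPtoNG",
			groupID: ngSG,
			perm:    withPeerGroup(sgPermTCP(0, 65535), cpSG, vpcID, "receive communication from the cluster control plane"),
		},
		// allow the cluster control plane to communicate with worker Kubelet and pods
		{
			name:    "EgressAllFromCPtoNG",
			egress:  true,
			groupID: cpSG,
			perm:    withPeerGroup(sgPermTCP(0, 65535), ngSG, vpcID, "communicate with worker Kubelet and pods"),
		},
		// world-open SSH on the worker nodes; revoking it closes the test-time exposure
		{
			name:    "Ingress22ForSSH",
			groupID: ngSG,
			perm:    withCIDR(sgPermTCP(22, 22), "0.0.0.0/0"),
		},
		// world-open port range used by the guestbook test
		{
			name:    "IngressForGuestBook",
			groupID: ngSG,
			perm:    withCIDR(sgPermTCP(1, 10000), "0.0.0.0/0"),
		},
		// egress counterpart on the cluster security group; no peer or CIDR was set when authorized
		{
			name:    "EgressForGuestBook",
			egress:  true,
			groupID: cpSG,
			perm:    sgPermTCP(1, 10000),
		},
		// world-open NodePort range used by the conformance tests
		{
			name:    "IngressForNodePortConformance",
			groupID: ngSG,
			perm:    withCIDR(sgPermTCP(1, 32767), "0.0.0.0/0"),
		},
	}

	for _, r := range rules {
		if err = ts.revokeSecurityGroupRule(r); err != nil {
			return err
		}
	}

	ts.cfg.Logger.Info("revoked security group")
	return nil
}

// securityGroupRule describes one rule to revoke: the security group it is
// attached to, its direction, and the permission as it was authorized.
type securityGroupRule struct {
	name    string                        // label used in the "revoking <name>" / "revoked <name>" log lines
	egress  bool                          // true revokes an egress rule, false an ingress rule
	groupID string                        // security group the rule belongs to
	perm    aws_ec2_v2_types.IpPermission // permission to revoke; must match the existing rule
}

// direction returns the word used in the failure log line.
func (r securityGroupRule) direction() string {
	if r.egress {
		return "egress"
	}
	return "ingress"
}

// revokeSecurityGroupRule revokes a single rule from r.groupID.
//
// Any API error is logged at Warn. A "NotFound" error is then treated as
// success so a partially completed cleanup can be retried. Be aware that EC2
// also reports NotFound when the supplied permission does not exactly match
// an existing rule, so a definition that drifts from the authorize path
// leaves the real rule in place without failing this function — keep the
// two in sync. Every other error is returned unchanged.
func (ts *tester) revokeSecurityGroupRule(r securityGroupRule) error {
	ts.cfg.Logger.Info("revoking "+r.name, zap.String("sg-id", r.groupID))

	// NOTE(review): no deadline is set on these API calls; consider a
	// context.WithTimeout if cleanup is observed to hang.
	perms := []aws_ec2_v2_types.IpPermission{r.perm}
	var err error
	if r.egress {
		_, err = ts.cfg.EC2APIV2.RevokeSecurityGroupEgress(
			context.Background(),
			&aws_ec2_v2.RevokeSecurityGroupEgressInput{
				GroupId:       aws_v2.String(r.groupID),
				IpPermissions: perms,
			},
		)
	} else {
		_, err = ts.cfg.EC2APIV2.RevokeSecurityGroupIngress(
			context.Background(),
			&aws_ec2_v2.RevokeSecurityGroupIngressInput{
				GroupId:       aws_v2.String(r.groupID),
				IpPermissions: perms,
			},
		)
	}
	if err != nil {
		ts.cfg.Logger.Warn("failed to revoke "+r.direction(), zap.Error(err))
		if !isNotFoundAPIError(err) {
			return err
		}
	}

	ts.cfg.Logger.Info("revoked " + r.name)
	return nil
}

// isNotFoundAPIError reports whether err wraps an AWS API error whose error
// code contains "NotFound" (e.g. InvalidPermission.NotFound).
func isNotFoundAPIError(err error) bool {
	var apiErr smithy.APIError
	return errors.As(err, &apiErr) && strings.Contains(apiErr.ErrorCode(), "NotFound")
}

// sgPermAll returns a permission covering every protocol and port ("-1").
func sgPermAll() aws_ec2_v2_types.IpPermission {
	return aws_ec2_v2_types.IpPermission{
		IpProtocol: aws_v2.String("-1"),
	}
}

// sgPermTCP returns a TCP permission covering ports from..to inclusive.
func sgPermTCP(from, to int32) aws_ec2_v2_types.IpPermission {
	return aws_ec2_v2_types.IpPermission{
		IpProtocol: aws_v2.String("tcp"),
		FromPort:   aws_v2.Int32(from),
		ToPort:     aws_v2.Int32(to),
	}
}

// withPeerGroup scopes perm to traffic from/to the security group peerSG in
// vpcID, carrying description as the rule description.
func withPeerGroup(perm aws_ec2_v2_types.IpPermission, peerSG, vpcID, description string) aws_ec2_v2_types.IpPermission {
	perm.UserIdGroupPairs = []aws_ec2_v2_types.UserIdGroupPair{
		{
			GroupId:     aws_v2.String(peerSG),
			Description: aws_v2.String(description),
			VpcId:       aws_v2.String(vpcID),
		},
	}
	return perm
}

// withCIDR scopes perm to traffic matching the IPv4 range cidr.
func withCIDR(perm aws_ec2_v2_types.IpPermission, cidr string) aws_ec2_v2_types.IpPermission {
	perm.IpRanges = []aws_ec2_v2_types.IpRange{
		{
			CidrIp: aws_v2.String(cidr),
		},
	}
	return perm
}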