Make the AdminAccess default inclusive of IPv6

John Gardiner Myers 2021-06-14 21:15:01 -07:00
parent bfd0b6d9ba
commit 1356818d83
3 changed files with 6 additions and 6 deletions


@ -257,7 +257,7 @@ func NewCmdCreateCluster(f *util.Factory, out io.Writer) *cobra.Command {
cmd.Flags().StringVar(&options.DNSZone, "dns-zone", options.DNSZone, "DNS hosted zone to use (defaults to longest matching zone)")
cmd.Flags().StringVar(&options.OutDir, "out", options.OutDir, "Path to write any local output")
cmd.Flags().StringSliceVar(&options.AdminAccess, "admin-access", options.AdminAccess, "Restrict API access to this CIDR. If not set, access will not be restricted by IP.")
cmd.Flags().StringSliceVar(&options.SSHAccess, "ssh-access", options.SSHAccess, "Restrict SSH access to this CIDR. If not set, access will not be restricted by IP. (default [0.0.0.0/0])")
cmd.Flags().StringSliceVar(&options.SSHAccess, "ssh-access", options.SSHAccess, "Restrict SSH access to this CIDR. If not set, uses the value of the admin-access flag.")
// TODO: Can we deprecate this flag - it is awkward?
cmd.Flags().BoolVar(&associatePublicIP, "associate-public-ip", false, "Specify --associate-public-ip=[true|false] to enable/disable association of public IP for master ASG and nodes. Default is 'true'.")
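Review bot: The reworded `--ssh-access` help no longer tells the operator what the effective default is. It now points at `--admin-access`, whose default after this commit is `0.0.0.0/0` plus `::/0`, so, going by the SSHAccess field comment, a cluster created with neither flag set would accept SSH from any IPv4 or IPv6 source. Consider saying so in the string, e.g. `"Restrict SSH access to this CIDR. If not set, uses the value of the admin-access flag (unrestricted by default)."`, and regenerating the CLI docs to match. NewCmdCreateCluster starts and ends outside this hunk.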


@ -66,7 +66,7 @@ kops create cluster [flags]
### Options
```
--admin-access strings Restrict API access to this CIDR. If not set, access will not be restricted by IP. (default [0.0.0.0/0])
--admin-access strings Restrict API access to this CIDR. If not set, access will not be restricted by IP. (default [0.0.0.0/0,::/0])
--api-loadbalancer-class string Currently only supported in AWS. Sets the API loadbalancer class to either 'classic' or 'network'
--api-loadbalancer-type string Sets the API loadbalancer type to either 'public' or 'internal'
--api-ssl-certificate string Currently only supported in AWS. Sets the ARN of the SSL Certificate to use for the API server loadbalancer.
@ -113,7 +113,7 @@ kops create cluster [flags]
--out string Path to write any local output
-o, --output string Output format. One of json|yaml. Used with the --dry-run flag.
--project string Project to use (must be set on GCE)
--ssh-access strings Restrict SSH access to this CIDR. If not set, access will not be restricted by IP. (default [0.0.0.0/0])
--ssh-access strings Restrict SSH access to this CIDR. If not set, uses the value of the admin-access flag.
--ssh-public-key string SSH public key to use (defaults to ~/.ssh/id_rsa.pub on AWS)
--subnets strings Set to use shared subnets
--target string Valid targets: direct, terraform, cloudformation. Set this flag to terraform if you want kOps to generate terraform (default "direct")


@ -59,7 +59,7 @@ type NewClusterOptions struct {
ConfigBase string
// KubernetesVersion is the version of Kubernetes to deploy. It defaults to the version recommended by the channel.
KubernetesVersion string
// AdminAccess is the set of CIDR blocks permitted to connect to the Kubernetes API. It defaults to "0.0.0.0/0".
// AdminAccess is the set of CIDR blocks permitted to connect to the Kubernetes API. It defaults to "0.0.0.0/0" and "::/0".
AdminAccess []string
// SSHAccess is the set of CIDR blocks permitted to connect to SSH on the nodes. It defaults to the value of AdminAccess.
SSHAccess []string
@ -145,7 +145,7 @@ type NewClusterOptions struct {
func (o *NewClusterOptions) InitDefaults() {
o.Channel = api.DefaultChannel
o.Authorization = AuthorizationFlagRBAC
o.AdminAccess = []string{"0.0.0.0/0"}
o.AdminAccess = []string{"0.0.0.0/0", "::/0"}
o.Networking = "kubenet"
o.Topology = api.TopologyPublic
o.DNSType = string(api.DNSTypePublic)
@ -220,7 +220,7 @@ func NewCluster(opt *NewClusterOptions, clientset simple.Clientset) (*NewCluster
}
if len(opt.AdminAccess) == 0 {
opt.AdminAccess = []string{"0.0.0.0/0"}
opt.AdminAccess = []string{"0.0.0.0/0", "::/0"}
}
cluster.Spec.KubernetesAPIAccess = opt.AdminAccess
if len(opt.SSHAccess) != 0 {
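Review bot: The any-address default is now written out twice, once in `InitDefaults` and once in the `len(opt.AdminAccess) == 0` fallback of `NewCluster`, and this commit had to edit both literals to keep them equal. A single helper would stop the two from drifting apart on a setting that decides who can reach the API server, for example `func defaultAdminAccess() []string { return []string{"0.0.0.0/0", "::/0"} }` called at both sites (a function rather than a shared slice, so callers never alias one backing array). A short comment at the fallback would also help, e.g. `// Empty AdminAccess means the API is reachable from every IPv4 and IPv6 source.`, since the value is assigned straight to `cluster.Spec.KubernetesAPIAccess`. Both function bodies continue outside the hunks shown.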