From 252d4177f0109d6a51e347c95f4a1858cfdbd3c0 Mon Sep 17 00:00:00 2001
From: "Steven E. Harris"
Date: Sun, 3 Jan 2021 10:47:58 -0500
Subject: [PATCH] Only include API server SGs in IGs for masters

When using an AWS NLB in front of the Kubernetes API servers, we can't attach the EC2 security groups nominated in the Cluster "spec.api.loadBalancer.additionalSecurityGroups" field directly to the load balancer, as NLBs don't have associated security groups. Instead, we intend to attach those nominated security groups to the machines that will receive network traffic forwarded from the NLB's listeners. For the API servers, since that program runs only on the master or control plane machines, we need only attach those security groups to the machines that will host the "kube-apiserver" program, by way of the ASG launch templates that come from kOps InstanceGroups of role "master." We were mistakenly including these security groups in launch templates derived from InstanceGroups of all of our three current roles: "bastion," "master," and "node." Instead, skip InstanceGroups of the "bastion" and "node" roles and only target those of role "master."
---
 pkg/model/awsmodel/autoscalinggroup.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/pkg/model/awsmodel/autoscalinggroup.go b/pkg/model/awsmodel/autoscalinggroup.go
index 365e7b24a8..3c7f8486ac 100644
--- a/pkg/model/awsmodel/autoscalinggroup.go
+++ b/pkg/model/awsmodel/autoscalinggroup.go
@@ -199,7 +199,7 @@ func (b *AutoscalingGroupModelBuilder) buildLaunchConfigurationTask(c *fi.ModelB
 	// @step: add the iam instance profile
 	link, err := b.LinkToIAMInstanceProfile(ig)
 	if err != nil {
-		return nil, fmt.Errorf("unable to find iam profile link for instance group %q: %v", ig.ObjectMeta.Name, err)
+		return nil, fmt.Errorf("unable to find IAM profile link for instance group %q: %w", ig.ObjectMeta.Name, err)
 	}
 
 	t := &awstasks.LaunchConfiguration{
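Review bot: The context comment two lines above the changed return, `// @step: add the iam instance profile`, still spells "iam" in lowercase while the new error message was capitalised to "IAM"; for consistency the comment should read `// @step: add the IAM instance profile`. Switching `%v` to `%w` also means callers can now unwrap the profile-lookup error with `errors.Is`/`errors.As`, which is an improvement worth a one-line mention in the commit description. buildLaunchConfigurationTask begins before this hunk and continues after it.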
@@ -226,7 +226,8 @@ func (b *AutoscalingGroupModelBuilder) buildLaunchConfigurationTask(c *fi.ModelB
 		t.HTTPPutResponseHopLimit = ig.Spec.InstanceMetadata.HTTPPutResponseHopLimit
 	}
 
-	if b.APILoadBalancerClass() == kops.LoadBalancerClassNetwork {
+	if ig.Spec.Role == kops.InstanceGroupRoleMaster &&
+		b.APILoadBalancerClass() == kops.LoadBalancerClassNetwork {
 		for _, id := range b.Cluster.Spec.API.LoadBalancer.AdditionalSecurityGroups {
 			sgTask := &awstasks.SecurityGroup{
 				ID: fi.String(id),
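Review bot: The new two-line condition encodes a non-obvious design decision (NLBs carry no security groups, so the load balancer's additional SGs are pushed onto the masters instead) and the rationale lives only in the commit message; it should be stated in code, e.g. `// NLBs have no security groups of their own, so the API load balancer's additional SGs are attached to the master instances that receive the forwarded traffic; other roles never host kube-apiserver.` Worth adding to that comment is the operational consequence: because these SGs are now attached to the master ENIs, every ingress rule in them applies to the whole master instance, not just the listener ports the NLB forwards, so the nominated groups should stay scoped to the API port. The role check is a single equality, so if another role ever hosts kube-apiserver this site (and any launch-template counterpart, if one exists) would need the same extension; a small predicate on the builder would keep that in one place. buildLaunchConfigurationTask begins before this hunk and the loop body continues after it.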