Open vincepri opened 2 years ago
Yes, very good point. SGs are opinionated and not very flexible other than supporting BYO SGs. Modifying existing SGs is not supported. Need to go through a refactoring, tracked here https://github.com/kubernetes-sigs/cluster-api-provider-aws/issues/392
Allowing only VPC CIDR by default will break some use cases (like peered VPC) without the flexibility to modify. So will address this as part of #392.
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:
lifecycle/stale is applied
lifecycle/stale was applied, lifecycle/rotten is applied
lifecycle/rotten was applied, the issue is closed
You can:
/remove-lifecycle stale
/lifecycle rotten
/close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale
From office hours 01/23/23: Work on #392 is underway. Once CAPA supports customizing security groups, we can cover this specific use case in documentation.
/triage accepted /priority import-longterm
@dlipovetsky: The label(s) priority/import-longterm cannot be applied, because the repository doesn't have them.
/priority important-longterm
This issue has not been updated in over 1 year, and should be re-triaged.
You can:
/triage accepted (org members only)
/close
For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/
/remove-triage accepted
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
lifecycle/stale is applied
lifecycle/stale was applied, lifecycle/rotten is applied
lifecycle/rotten was applied, the issue is closed
You can:
/remove-lifecycle stale
/close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
lifecycle/stale is applied
lifecycle/stale was applied, lifecycle/rotten is applied
lifecycle/rotten was applied, the issue is closed
You can:
/remove-lifecycle rotten
/close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
Hi,
I just added a solution where we can specify CIDR blocks instead of the default 0.0.0.0/0.
Any comments or ideas are very appreciated.
When creating a new AWSCluster, part of the infrastructure is creating Security Groups for machines to use.
Currently, the Node Port Services security group allows access from any IP. Should we consider making this bit configurable to a set of pre-defined CIDR blocks, or allow the VPC CIDRs by default?
https://github.com/kubernetes-sigs/cluster-api-provider-aws/blob/0eee2776780168fa4dd3f2edffdb9f3d614973a3/pkg/cloud/services/securitygroup/securitygroups.go#L525-L531
/area security /kind bug /assign @sedefsavas
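An added example, not part of the issue or of CAPA's code: a Go check that flags source CIDRs on rules overlapping the default Kubernetes NodePort range (30000-32767) when they fall outside an allowed set, such as the VPC CIDR plus a peered VPC. The `Rule` type, `AuditNodePortRules` and the sample CIDRs are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Rule is a simplified, hypothetical ingress rule (not a CAPA or AWS SDK type).
type Rule struct {
	Name             string
	FromPort, ToPort int
	CIDRs            []string
}

const nodePortMin, nodePortMax = 30000, 32767 // default Kubernetes NodePort range

// AuditNodePortRules flags sources on NodePort-range rules that fall outside the allowed CIDRs.
func AuditNodePortRules(rules []Rule, allowedCIDRs []string) ([]string, error) {
	var allowed []netip.Prefix
	for _, c := range allowedCIDRs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, fmt.Errorf("allowed CIDR %q: %w", c, err)
		}
		allowed = append(allowed, p)
	}
	var findings []string
	for _, r := range rules {
		if r.ToPort < nodePortMin || r.FromPort > nodePortMax {
			continue // rule does not touch the NodePort range
		}
	next:
		for _, c := range r.CIDRs {
			src, err := netip.ParsePrefix(c)
			for _, a := range allowed {
				if err == nil && a.Bits() <= src.Bits() && a.Contains(src.Addr()) {
					continue next // source lies entirely inside an allowed CIDR
				}
			}
			findings = append(findings, r.Name+": "+c) // too broad or unparseable
		}
	}
	return findings, nil
}

func main() {
	// Constructed sample: VPC 10.0.0.0/16 plus a peered VPC 172.31.0.0/16.
	rules := []Rule{{"node-port", 30000, 32767, []string{"0.0.0.0/0", "172.31.4.0/24"}}}
	fmt.Println(AuditNodePortRules(rules, []string{"10.0.0.0/16", "172.31.0.0/16"}))
}
```

With the constructed sample, the world-open source is reported while the subnet of the peered VPC passes, which is the case a VPC-CIDR-only default would not cover.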