Add missing NSG rule for control plane Kubelet communication, and fix cluster templates (#23)

shyamradhakrishnan · web-flow · commit 3c1c87e52083 · 2022-03-07T12:08:27.000+05:30
diff --git a/cloud/scope/nsg_reconciler.go b/cloud/scope/nsg_reconciler.go
@@ -643,6 +643,20 @@ func (s *ClusterScope) GetControlPlaneMachineDefaultIngressRules() []infrastruct
 				},
 			},
 		},
+		{
+			IngressSecurityRule: infrastructurev1beta1.IngressSecurityRule{
+				Description: common.String("Control Plane to Control Plane Kubelet Communication"),
+				Protocol:    common.String("6"),
+				TcpOptions: &infrastructurev1beta1.TcpOptions{
+					DestinationPortRange: &infrastructurev1beta1.PortRange{
+						Max: common.Int(10250),
+						Min: common.Int(10250),
+					},
+				},
+				SourceType: infrastructurev1beta1.IngressSecurityRuleSourceTypeCidrBlock,
+				Source:     common.String(ControlPlaneMachineSubnetDefaultCIDR),
+			},
+		},
 	}
 }
 
diff --git a/cloud/scope/nsg_reconciler_test.go b/cloud/scope/nsg_reconciler_test.go
@@ -308,6 +308,20 @@ func TestClusterScope_NSGSpec(t *testing.T) {
 								},
 							},
 						},
+						{
+							IngressSecurityRule: infrastructurev1beta1.IngressSecurityRule{
+								Description: common.String("Control Plane to Control Plane Kubelet Communication"),
+								Protocol:    common.String("6"),
+								TcpOptions: &infrastructurev1beta1.TcpOptions{
+									DestinationPortRange: &infrastructurev1beta1.PortRange{
+										Max: common.Int(10250),
+										Min: common.Int(10250),
+									},
+								},
+								SourceType: infrastructurev1beta1.IngressSecurityRuleSourceTypeCidrBlock,
+								Source:     common.String(ControlPlaneMachineSubnetDefaultCIDR),
+							},
+						},
 					},
 				},
 				{
@@ -728,6 +742,20 @@ func TestClusterScope_NSGSpec(t *testing.T) {
 								},
 							},
 						},
+						{
+							IngressSecurityRule: infrastructurev1beta1.IngressSecurityRule{
+								Description: common.String("Control Plane to Control Plane Kubelet Communication"),
+								Protocol:    common.String("6"),
+								TcpOptions: &infrastructurev1beta1.TcpOptions{
+									DestinationPortRange: &infrastructurev1beta1.PortRange{
+										Max: common.Int(10250),
+										Min: common.Int(10250),
+									},
+								},
+								SourceType: infrastructurev1beta1.IngressSecurityRuleSourceTypeCidrBlock,
+								Source:     common.String(ControlPlaneMachineSubnetDefaultCIDR),
+							},
+						},
 					},
 				},
 			},
diff --git a/docs/src/networking/antrea.md b/docs/src/networking/antrea.md
@@ -35,6 +35,7 @@ The OCI Compute instances running the Kubernetes Control plane components will b
 | CIDR Block       | 10.0.0.8/29       | 6443              |  TCP                 | Kubernetes API endpoint to Kubernetes Control plane communication     |
 | CIDR Block       | 10.0.0.0/29       | 6443              |  TCP                 | Control plane to Control plane (API Server port) communication        |
 | CIDR Block       | 10.0.64.0/20      | 6443              |  TCP                 | Worker Node to Kubernetes Control plane (API Server port)communication|
+| CIDR block       | 10.0.0.0/29       | 10250             |  TCP                 | Control Plane to Control Plane Kubelet Communication                  |
 | CIDR Block       | 10.0.0.0/29       | 2379              |  TCP                 | etcd client communication                                             |
 | CIDR Block       | 10.0.0.0/29       | 2380              |  TCP                 | etcd peer communication                                               |
 | CIDR Block       | 10.0.0.0/29       | 10349             |  TCP                 | Antrea Service                                                        |
diff --git a/docs/src/networking/calico.md b/docs/src/networking/calico.md
@@ -31,10 +31,11 @@ The OCI compute instances running the Kubernetes control plane components will b
 #### Ingress Rules
 
 | Source Type      | Source            |  Destination Port | Protocol             | Description                                                           |
-| ---------------- | ----------------- | ----------------- | -------------------- | --------------------------------------------------------------------- |
+| ---------------- | ----------------- | ----------------- | -------------------- |-----------------------------------------------------------------------|
 | CIDR block       | 10.0.0.8/29       | 6443              |  TCP                 | Kubernetes API endpoint to Kubernetes control plane communication     |
 | CIDR block       | 10.0.0.0/29       | 6443              |  TCP                 | Control plane to control plane (API server port) communication        |
 | CIDR block       | 10.0.64.0/20      | 6443              |  TCP                 | Worker Node to Kubernetes control plane (API Server) communication    |
+| CIDR block       | 10.0.0.0/29       | 10250             |  TCP                 | Control Plane to Control Plane Kubelet Communication                  |
 | CIDR block       | 10.0.0.0/29       | 2379              |  TCP                 | etcd client communication                                             |
 | CIDR block       | 10.0.0.0/29       | 2380              |  TCP                 | etcd peer communication                                               |
 | CIDR block       | 10.0.0.0/29       | 179               |  TCP                 | Calico networking (BGP)                                               |
diff --git a/templates/cluster-template-antrea.yaml b/templates/cluster-template-antrea.yaml
@@ -156,6 +156,16 @@ spec:
                   destinationPortRange:
                     max: 22
                     min: 22
+            - ingressRule:
+                description: Control Plane to Control Plane Kubelet Communication
+                isStateless: false
+                protocol: "6"
+                source: 10.0.0.0/29
+                sourceType: CIDR_BLOCK
+                tcpOptions:
+                  destinationPortRange:
+                    max: 10250
+                    min: 10250
           name: control-plane
           role: control-plane
         - egressRules:
@@ -290,7 +300,7 @@ spec:
         memoryInGBs: "${OCI_SHAPE_MEMORY_IN_GBS}"
       metadata:
         ssh_authorized_keys: "${OCI_SSH_KEY}"
-      IsPvEncryptionInTransitEnabled: ${OCI_PV_TRANSIT_ENCRYPTION=true}
+      isPvEncryptionInTransitEnabled: ${OCI_PV_TRANSIT_ENCRYPTION=true}
 ---
 apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
 kind: OCIMachineTemplate
@@ -307,7 +317,7 @@ spec:
         memoryInGBs: "${OCI_SHAPE_MEMORY_IN_GBS}"
       metadata:
         ssh_authorized_keys: "${OCI_SSH_KEY}"
-      IsPvEncryptionInTransitEnabled: ${OCI_PV_TRANSIT_ENCRYPTION=true}
+      isPvEncryptionInTransitEnabled: ${OCI_PV_TRANSIT_ENCRYPTION=true}
 ---
 apiVersion: bootstrap.cluster.x-k8s.io/v1alpha4
 kind: KubeadmConfigTemplate
diff --git a/templates/cluster-template-failure-domain-spread.yaml b/templates/cluster-template-failure-domain-spread.yaml
@@ -86,7 +86,7 @@ spec:
         memoryInGBs: "${OCI_SHAPE_MEMORY_IN_GBS}"
       metadata:
         ssh_authorized_keys: "${OCI_SSH_KEY}"
-      IsPvEncryptionInTransitEnabled: ${OCI_PV_TRANSIT_ENCRYPTION=true}
+      isPvEncryptionInTransitEnabled: ${OCI_PV_TRANSIT_ENCRYPTION=true}
 ---
 apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
 kind: OCIMachineTemplate
@@ -103,7 +103,7 @@ spec:
         memoryInGBs: "${OCI_SHAPE_MEMORY_IN_GBS}"
       metadata:
         ssh_authorized_keys: "${OCI_SSH_KEY}"
-      IsPvEncryptionInTransitEnabled: ${OCI_PV_TRANSIT_ENCRYPTION=true}
+      isPvEncryptionInTransitEnabled: ${OCI_PV_TRANSIT_ENCRYPTION=true}
 ---
 apiVersion: bootstrap.cluster.x-k8s.io/v1alpha4
 kind: KubeadmConfigTemplate
diff --git a/templates/cluster-template-oci-addons.yaml b/templates/cluster-template-oci-addons.yaml
diff --git a/templates/cluster-template-oraclelinux.yaml b/templates/cluster-template-oraclelinux.yaml
