
Commit 9c98fa7

committed
PowerVS: Fragment security groups
Create security groups for PowerVS
1 parent 5b7289b commit 9c98fa7


2 files changed

+184
-3
lines changed


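--- a/pkg/asset/manifests/powervs/cluster.go
+++ b/pkg/asset/manifests/powervs/cluster.go
@@ -134,7 +134,13 @@ func GenerateClusterAssets(installConfig *installconfig.InstallConfig, clusterID
 return nil, fmt.Errorf("generateClusterAssets could not handle vpc")
 }
 }
-
+vpcSecurityGroups := getVPCSecurityGroups(clusterID.InfraID)
+loadBalancerSecurityGroups := []capibm.VPCResource{
+{
+Name: ptr.To(fmt.Sprintf("%s-%s", clusterID.InfraID, kubeAPILBSGNameSuffix)),
+},
+}
+logrus.Debugf("Load balancer security group name is %v ", loadBalancerSecurityGroups[0].Name)
 // The Transit Gateway can be either:
 // 1) blank - CAPI will create one for us.
 // 2) an id of an existing TG.
@@ -192,8 +198,9 @@ func GenerateClusterAssets(installConfig *installconfig.InstallConfig, clusterID
 ResourceGroup: &capibm.IBMPowerVSResourceReference{
 Name: &installConfig.Config.Platform.PowerVS.PowerVSResourceGroup,
 },
-VPC: vpcResourceRef,
-TransitGateway: transitGateway,
+VPC: vpcResourceRef,
+VPCSecurityGroups: vpcSecurityGroups,
+TransitGateway: transitGateway,
 LoadBalancers: []capibm.VPCLoadBalancerSpec{
 {
 Name: fmt.Sprintf("%s-loadbalancer", clusterID.InfraID),
@@ -207,6 +214,7 @@ func GenerateClusterAssets(installConfig *installconfig.InstallConfig, clusterID
 // Port: 6443,
 // },
 },
+SecurityGroups: loadBalancerSecurityGroups,
 },
 {
 Name: fmt.Sprintf("%s-loadbalancer-int", clusterID.InfraID),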
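Review bot: The debug log added at the end of the first hunk passes a `*string` to `%v`, so it prints a pointer address rather than the security group name; dereference it, e.g. `logrus.Debugf("Load balancer security group name is %s", *loadBalancerSecurityGroups[0].Name)` (the pointer is non-nil here because it was just built with `ptr.To`). The kube-API LB group name is assembled from `kubeAPILBSGNameSuffix` both here and, presumably, inside the group returned by `getVPCSecurityGroups`; a small helper returning that name would keep the load balancer reference and the group definition from drifting apart, which is worth confirming against the new file. `GenerateClusterAssets` starts and ends outside these hunks.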
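--- /dev/null
+++ b/pkg/asset/manifests/powervs/<new-file-path-not-shown-on-page>
@@ -0,0 +1,173 @@
+package powervs
+
+import (
+"fmt"
+
+"k8s.io/utils/ptr"
+capibmcloud "sigs.k8s.io/cluster-api-provider-ibmcloud/api/v1beta2"
+)
+
+const (
+controlPlaneSGNameSuffix = "sg-control-plane"
+clusterWideSGNameSuffix = "sg-cluster-wide"
+kubeAPILBSGNameSuffix = "sg-kube-api-lb"
+)
+
+func buildControlPlaneSecurityGroup(infraID string) capibmcloud.VPCSecurityGroup {
+kubeAPILBSGNamePtr := ptr.To(fmt.Sprintf("%s-%s", infraID, controlPlaneSGNameSuffix))
+return capibmcloud.VPCSecurityGroup{
+Name: kubeAPILBSGNamePtr,
+Rules: []*capibmcloud.VPCSecurityGroupRule{
+{
+Action: capibmcloud.VPCSecurityGroupRuleActionAllow,
+Direction: capibmcloud.VPCSecurityGroupRuleDirectionInbound,
+Source: &capibmcloud.VPCSecurityGroupRulePrototype{
+PortRange: &capibmcloud.VPCSecurityGroupPortRange{
+MaximumPort: 10258,
+MinimumPort: 10258,
+},
+Protocol: capibmcloud.VPCSecurityGroupRuleProtocolTCP,
+Remotes: []capibmcloud.VPCSecurityGroupRuleRemote{
+{
+RemoteType: capibmcloud.VPCSecurityGroupRuleRemoteTypeAny,
+},
+},
+},
+},
+{
+Action: capibmcloud.VPCSecurityGroupRuleActionAllow,
+Direction: capibmcloud.VPCSecurityGroupRuleDirectionInbound,
+Source: &capibmcloud.VPCSecurityGroupRulePrototype{
+PortRange: &capibmcloud.VPCSecurityGroupPortRange{
+MaximumPort: 22623,
+MinimumPort: 22623,
+},
+Protocol: capibmcloud.VPCSecurityGroupRuleProtocolTCP,
+Remotes: []capibmcloud.VPCSecurityGroupRuleRemote{
+{
+RemoteType: capibmcloud.VPCSecurityGroupRuleRemoteTypeAny,
+},
+},
+},
+},
+{
+Action: capibmcloud.VPCSecurityGroupRuleActionAllow,
+Direction: capibmcloud.VPCSecurityGroupRuleDirectionInbound,
+Source: &capibmcloud.VPCSecurityGroupRulePrototype{
+PortRange: &capibmcloud.VPCSecurityGroupPortRange{
+MaximumPort: 443,
+MinimumPort: 443,
+},
+Protocol: capibmcloud.VPCSecurityGroupRuleProtocolTCP,
+Remotes: []capibmcloud.VPCSecurityGroupRuleRemote{
+{
+RemoteType: capibmcloud.VPCSecurityGroupRuleRemoteTypeAny,
+},
+},
+},
+},
+},
+}
+}
+
+func buildKubeAPILBSecurityGroup(infraID string) capibmcloud.VPCSecurityGroup {
+kubeAPILBSGNamePtr := ptr.To(fmt.Sprintf("%s-%s", infraID, kubeAPILBSGNameSuffix))
+return capibmcloud.VPCSecurityGroup{
+Name: kubeAPILBSGNamePtr,
+Rules: []*capibmcloud.VPCSecurityGroupRule{
+{
+Action: capibmcloud.VPCSecurityGroupRuleActionAllow,
+Direction: capibmcloud.VPCSecurityGroupRuleDirectionInbound,
+Source: &capibmcloud.VPCSecurityGroupRulePrototype{
+PortRange: &capibmcloud.VPCSecurityGroupPortRange{
+MaximumPort: 6443,
+MinimumPort: 6443,
+},
+Protocol: capibmcloud.VPCSecurityGroupRuleProtocolTCP,
+Remotes: []capibmcloud.VPCSecurityGroupRuleRemote{
+{
+RemoteType: capibmcloud.VPCSecurityGroupRuleRemoteTypeAny,
+},
+},
+},
+},
+},
+}
+}
+
+func buildClusterWideSecurityGroup(infraID string) capibmcloud.VPCSecurityGroup {
+kubeAPILBSGNamePtr := ptr.To(fmt.Sprintf("%s-%s", infraID, clusterWideSGNameSuffix))
+return capibmcloud.VPCSecurityGroup{
+Name: kubeAPILBSGNamePtr,
+Rules: []*capibmcloud.VPCSecurityGroupRule{
+{
+// SSH inbound
+Action: capibmcloud.VPCSecurityGroupRuleActionAllow,
+Direction: capibmcloud.VPCSecurityGroupRuleDirectionInbound,
+Source: &capibmcloud.VPCSecurityGroupRulePrototype{
+PortRange: &capibmcloud.VPCSecurityGroupPortRange{
+MaximumPort: 22,
+MinimumPort: 22,
+},
+Protocol: capibmcloud.VPCSecurityGroupRuleProtocolTCP,
+Remotes: []capibmcloud.VPCSecurityGroupRuleRemote{
+{
+RemoteType: capibmcloud.VPCSecurityGroupRuleRemoteTypeAny,
+},
+},
+},
+},
+{
+Action: capibmcloud.VPCSecurityGroupRuleActionAllow,
+Direction: capibmcloud.VPCSecurityGroupRuleDirectionInbound,
+Source: &capibmcloud.VPCSecurityGroupRulePrototype{
+PortRange: &capibmcloud.VPCSecurityGroupPortRange{
+MaximumPort: 5000,
+MinimumPort: 5000,
+},
+Protocol: capibmcloud.VPCSecurityGroupRuleProtocolTCP,
+Remotes: []capibmcloud.VPCSecurityGroupRuleRemote{
+{
+RemoteType: capibmcloud.VPCSecurityGroupRuleRemoteTypeAny,
+},
+},
+},
+},
+{
+// ping
+Action: capibmcloud.VPCSecurityGroupRuleActionAllow,
+Direction: capibmcloud.VPCSecurityGroupRuleDirectionInbound,
+Source: &capibmcloud.VPCSecurityGroupRulePrototype{
+Protocol: capibmcloud.VPCSecurityGroupRuleProtocolIcmp,
+Remotes: []capibmcloud.VPCSecurityGroupRuleRemote{
+{
+RemoteType: capibmcloud.VPCSecurityGroupRuleRemoteTypeAny,
+},
+},
+},
+},
+{
+// Outbound for cluster-wide
+Action: capibmcloud.VPCSecurityGroupRuleActionAllow,
+Destination: &capibmcloud.VPCSecurityGroupRulePrototype{
+Protocol: capibmcloud.VPCSecurityGroupRuleProtocolAll,
+Remotes: []capibmcloud.VPCSecurityGroupRuleRemote{
+{
+RemoteType: capibmcloud.VPCSecurityGroupRuleRemoteTypeAny,
+},
+},
+},
+Direction: capibmcloud.VPCSecurityGroupRuleDirectionOutbound,
+},
+},
+}
+}
+
+func getVPCSecurityGroups(infraID string) []capibmcloud.VPCSecurityGroup {
+// IBM Power VS will rely on 3 SecurityGroups to manage traffic.
+securityGroups := make([]capibmcloud.VPCSecurityGroup, 0, 3)
+securityGroups = append(securityGroups, buildClusterWideSecurityGroup(infraID))
+securityGroups = append(securityGroups, buildControlPlaneSecurityGroup(infraID))
+securityGroups = append(securityGroups, buildKubeAPILBSecurityGroup(infraID))
+return securityGroups
+}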
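Review bot: Every inbound rule in the three builders uses `VPCSecurityGroupRuleRemoteTypeAny`, so SSH (22), the control-plane ports (10258, 22623, 443), 5000 and ICMP are accepted from any source address, while only the kube-API load balancer group (6443) obviously needs to be reachable from outside; the cluster-wide and control-plane groups should be limited to the cluster's own network or to the sibling security group if the provider's remote types allow it, and any rule deliberately left open deserves a comment saying why. The ports are bare magic numbers; a short comment on each `PortRange` naming the component that listens there (the `// SSH inbound` and `// ping` comments in `buildClusterWideSecurityGroup` are the right model) would make the rules auditable. The local `kubeAPILBSGNamePtr` in `buildControlPlaneSecurityGroup` and `buildClusterWideSecurityGroup` is a copy-paste name that misdescribes those groups; rename it to `sgName` in all three builders. The three `build*` functions and `getVPCSecurityGroups` should each carry a one-line doc comment, e.g. `// getVPCSecurityGroups returns the cluster-wide, control-plane and kube-API LB security groups for infraID, in that order.`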
