Skip adding egress rules if default egress rule is present

Author: cPu1

pkg/actions/nodegroup/create.go

@@ -59,7 +59,11 @@ func (m *Manager) Create(ctx context.Context, options CreateOpts, nodegroupFilte
 		return errors.New(msg)
 	}
 
-	isOwnedCluster := true
+	var (
+		isOwnedCluster  = true
+		skipEgressRules = false
+	)
+
 	clusterStack, err := m.stackManager.DescribeClusterStack(ctx)
 	if err != nil {
 		switch err.(type) {
@@ -72,6 +76,10 @@ func (m *Manager) Create(ctx context.Context, options CreateOpts, nodegroupFilte
 				return errors.Wrapf(err, "loading VPC spec for cluster %q", meta.Name)
 			}
 			isOwnedCluster = false
+			skipEgressRules, err = validateSecurityGroup(ctx, ctl.AWSProvider.EC2(), cfg.VPC.SecurityGroup)
+			if err != nil {
+				return err
+			}
 
 		default:
 			return fmt.Errorf("getting existing configuration for cluster %q: %w", meta.Name, err)
@@ -156,7 +164,7 @@ func (m *Manager) Create(ctx context.Context, options CreateOpts, nodegroupFilte
 		return cmdutils.PrintNodeGroupDryRunConfig(clusterConfigCopy, options.DryRunSettings.OutStream)
 	}
 
-	if err := m.nodeCreationTasks(ctx, isOwnedCluster); err != nil {
+	if err := m.nodeCreationTasks(ctx, isOwnedCluster, skipEgressRules); err != nil {
 		return err
 	}
 
@@ -188,7 +196,7 @@ func makeOutpostsService(clusterConfig *api.ClusterConfig, provider api.ClusterP
 	}
 }
 
-func (m *Manager) nodeCreationTasks(ctx context.Context, isOwnedCluster bool) error {
+func (m *Manager) nodeCreationTasks(ctx context.Context, isOwnedCluster, skipEgressRules bool) error {
 	cfg := m.cfg
 	meta := cfg.Metadata
 
@@ -242,7 +250,7 @@ func (m *Manager) nodeCreationTasks(ctx context.Context, isOwnedCluster bool) er
 	allNodeGroupTasks := &tasks.TaskTree{
 		Parallel: true,
 	}
-	nodeGroupTasks := m.stackManager.NewUnmanagedNodeGroupTask(ctx, cfg.NodeGroups, !awsNodeUsesIRSA, vpcImporter)
+	nodeGroupTasks := m.stackManager.NewUnmanagedNodeGroupTask(ctx, cfg.NodeGroups, !awsNodeUsesIRSA, skipEgressRules, vpcImporter)
 	if nodeGroupTasks.Len() > 0 {
 		allNodeGroupTasks.Append(nodeGroupTasks)
 	}
@@ -322,13 +330,10 @@ func loadVPCFromConfig(ctx context.Context, provider api.ClusterProvider, cfg *a
 		logger.Critical("unable to use given %s", cfg.SubnetInfo())
 		return err
 	}
-	if err := cfg.CanUseForPrivateNodeGroups(); err != nil {
-		return err
-	}
-	return validateSecurityGroup(ctx, provider.EC2(), cfg.VPC.SecurityGroup)
+	return cfg.CanUseForPrivateNodeGroups()
 }
 
-func validateSecurityGroup(ctx context.Context, ec2API awsapi.EC2, securityGroupID string) error {
+func validateSecurityGroup(ctx context.Context, ec2API awsapi.EC2, securityGroupID string) (hasDefaultEgressRule bool, err error) {
 	paginator := ec2.NewDescribeSecurityGroupRulesPaginator(ec2API, &ec2.DescribeSecurityGroupRulesInput{
 		Filters: []ec2types.Filter{
 			{
@@ -341,22 +346,30 @@ func validateSecurityGroup(ctx context.Context, ec2API awsapi.EC2, securityGroup
 	for paginator.HasMorePages() {
 		output, err := paginator.NextPage(ctx)
 		if err != nil {
-			return err
+			return false, err
 		}
 		sgRules = append(sgRules, output.SecurityGroupRules...)
 	}
 
 	makeError := func(sgRuleID string) error {
 		return fmt.Errorf("vpc.securityGroup (%s) has egress rules that were not attached by eksctl; "+
-			"vpc.securityGroup should not contain any external egress rules on a cluster not created by eksctl (rule ID: %s)", securityGroupID, sgRuleID)
+			"vpc.securityGroup should not contain any non-default external egress rules on a cluster not created by eksctl (rule ID: %s)", securityGroupID, sgRuleID)
+	}
+
+	isDefaultEgressRule := func(sgRule ec2types.SecurityGroupRule) bool {
+		return aws.ToString(sgRule.IpProtocol) == "-1" && aws.ToInt32(sgRule.FromPort) == -1 && aws.ToInt32(sgRule.ToPort) == -1 && aws.ToString(sgRule.CidrIpv4) == "0.0.0.0/0"
 	}
 
 	for _, sgRule := range sgRules {
 		if !aws.ToBool(sgRule.IsEgress) {
 			continue
 		}
+		if !hasDefaultEgressRule && isDefaultEgressRule(sgRule) {
+			hasDefaultEgressRule = true
+			continue
+		}
 		if !strings.HasPrefix(aws.ToString(sgRule.Description), builder.ControlPlaneEgressRuleDescriptionPrefix) {
-			return makeError(aws.ToString(sgRule.SecurityGroupRuleId))
+			return false, makeError(aws.ToString(sgRule.SecurityGroupRuleId))
 		}
 		matched := false
 		for _, egressRule := range builder.ControlPlaneNodeGroupEgressRules {
@@ -368,8 +381,8 @@ func validateSecurityGroup(ctx context.Context, ec2API awsapi.EC2, securityGroup
 			}
 		}
 		if !matched {
-			return makeError(aws.ToString(sgRule.SecurityGroupRuleId))
+			return false, makeError(aws.ToString(sgRule.SecurityGroupRuleId))
 		}
 	}
-	return nil
+	return hasDefaultEgressRule, nil
 }

pkg/actions/nodegroup/create_test.go

@@ -49,7 +49,7 @@ type stackManagerDelegate struct {
 	manager.StackManager
 }
 
-func (s *stackManagerDelegate) NewUnmanagedNodeGroupTask(context.Context, []*api.NodeGroup, bool, vpc.Importer) *tasks.TaskTree {
+func (s *stackManagerDelegate) NewUnmanagedNodeGroupTask(context.Context, []*api.NodeGroup, bool, bool, vpc.Importer) *tasks.TaskTree {
 	return &tasks.TaskTree{
 		Tasks: []tasks.Task{noopTask},
 	}
@@ -158,7 +158,26 @@ var _ = DescribeTable("Create", func(t ngEntry) {
 			})
 
 		},
-		expectedErr: fmt.Errorf("loading VPC spec for cluster %q: vpc.securityGroup (sg-custom) has egress rules that were not attached by eksctl; vpc.securityGroup should not contain any external egress rules on a cluster not created by eksctl (rule ID: sgr-5)", "my-cluster"),
+		expectedErr: errors.New("vpc.securityGroup (sg-custom) has egress rules that were not attached by eksctl; vpc.securityGroup should not contain any non-default external egress rules on a cluster not created by eksctl (rule ID: sgr-5)"),
+	}),
+
+	Entry("when cluster is unowned and vpc.securityGroup contains a default egress rule, it passes validation but fails if DescribeImages fails", ngEntry{
+		updateClusterConfig: makeUnownedClusterConfig,
+		mockCalls: func(k *fakes.FakeKubeProvider, f *utilFakes.FakeNodegroupFilter, p *mockprovider.MockProvider, _ *fake.Clientset) {
+			mockProviderForUnownedCluster(p, k, ec2types.SecurityGroupRule{
+				Description:         aws.String(""),
+				CidrIpv4:            aws.String("0.0.0.0/0"),
+				FromPort:            aws.Int32(-1),
+				ToPort:              aws.Int32(-1),
+				GroupId:             aws.String("sg-custom"),
+				IpProtocol:          aws.String("-1"),
+				IsEgress:            aws.Bool(true),
+				SecurityGroupRuleId: aws.String("sgr-5"),
+			})
+			p.MockEC2().On("DescribeImages", mock.Anything, mock.Anything).Return(nil, errors.New("DescribeImages error"))
+
+		},
+		expectedErr: errors.New("DescribeImages error"),
 	}),
 
 	Entry("when cluster is unowned and vpc.securityGroup contains no external egress rules, it passes validation but fails if DescribeImages fails", ngEntry{

pkg/cfn/builder/nodegroup.go

@@ -35,6 +35,16 @@ const (
 	taintsPrefix       = nodeTemplatePrefix + "taint/"
 )
 
+// NodeGroupOptions represents options passed to a NodeGroupResourceSet.
+type NodeGroupOptions struct {
+	ClusterConfig     *api.ClusterConfig
+	NodeGroup         *api.NodeGroup
+	Bootstrapper      nodebootstrap.Bootstrapper
+	ForceAddCNIPolicy bool
+	VPCImporter       vpc.Importer
+	SkipEgressRules   bool
+}
+
 // NodeGroupResourceSet stores the resource information of the nodegroup
 type NodeGroupResourceSet struct {
 	rs                *resourceSet
@@ -49,19 +59,21 @@ type NodeGroupResourceSet struct {
 	vpc                *gfnt.Value
 	vpcImporter        vpc.Importer
 	bootstrapper       nodebootstrap.Bootstrapper
+	skipEgressRules    bool
 }
 
 // NewNodeGroupResourceSet returns a resource set for a nodegroup embedded in a cluster config
-func NewNodeGroupResourceSet(ec2API awsapi.EC2, iamAPI awsapi.IAM, spec *api.ClusterConfig, ng *api.NodeGroup, bootstrapper nodebootstrap.Bootstrapper, forceAddCNIPolicy bool, vpcImporter vpc.Importer) *NodeGroupResourceSet {
+func NewNodeGroupResourceSet(ec2API awsapi.EC2, iamAPI awsapi.IAM, options NodeGroupOptions) *NodeGroupResourceSet {
 	return &NodeGroupResourceSet{
 		rs:                newResourceSet(),
-		forceAddCNIPolicy: forceAddCNIPolicy,
-		clusterSpec:       spec,
-		spec:              ng,
+		forceAddCNIPolicy: options.ForceAddCNIPolicy,
+		clusterSpec:       options.ClusterConfig,
+		spec:              options.NodeGroup,
 		ec2API:            ec2API,
 		iamAPI:            iamAPI,
-		vpcImporter:       vpcImporter,
-		bootstrapper:      bootstrapper,
+		vpcImporter:       options.VPCImporter,
+		bootstrapper:      options.Bootstrapper,
+		skipEgressRules:   options.SkipEgressRules,
 	}
 }
 
@@ -194,22 +206,24 @@ func (n *NodeGroupResourceSet) addResourcesForSecurityGroups() {
 		n.securityGroups = append(n.securityGroups, efaSG)
 	}
 
-	n.newResource("EgressInterCluster", &gfnec2.SecurityGroupEgress{
-		GroupId:                    refControlPlaneSG,
-		DestinationSecurityGroupId: refNodeGroupLocalSG,
-		Description:                gfnt.NewString(ControlPlaneEgressRuleDescriptionPrefix + desc + " (kubelet and workload TCP ports)"),
-		IpProtocol:                 gfnt.NewString(controlPlaneEgressInterCluster.IPProtocol),
-		FromPort:                   gfnt.NewInteger(controlPlaneEgressInterCluster.FromPort),
-		ToPort:                     gfnt.NewInteger(controlPlaneEgressInterCluster.ToPort),
-	})
-	n.newResource("EgressInterClusterAPI", &gfnec2.SecurityGroupEgress{
-		GroupId:                    refControlPlaneSG,
-		DestinationSecurityGroupId: refNodeGroupLocalSG,
-		Description:                gfnt.NewString(ControlPlaneEgressRuleDescriptionPrefix + desc + " (workloads using HTTPS port, commonly used with extension API servers)"),
-		IpProtocol:                 gfnt.NewString(controlPlaneEgressInterClusterAPI.IPProtocol),
-		FromPort:                   gfnt.NewInteger(controlPlaneEgressInterClusterAPI.FromPort),
-		ToPort:                     gfnt.NewInteger(controlPlaneEgressInterClusterAPI.ToPort),
-	})
+	if !n.skipEgressRules {
+		n.newResource("EgressInterCluster", &gfnec2.SecurityGroupEgress{
+			GroupId:                    refControlPlaneSG,
+			DestinationSecurityGroupId: refNodeGroupLocalSG,
+			Description:                gfnt.NewString(ControlPlaneEgressRuleDescriptionPrefix + desc + " (kubelet and workload TCP ports)"),
+			IpProtocol:                 gfnt.NewString(controlPlaneEgressInterCluster.IPProtocol),
+			FromPort:                   gfnt.NewInteger(controlPlaneEgressInterCluster.FromPort),
+			ToPort:                     gfnt.NewInteger(controlPlaneEgressInterCluster.ToPort),
+		})
+		n.newResource("EgressInterClusterAPI", &gfnec2.SecurityGroupEgress{
+			GroupId:                    refControlPlaneSG,
+			DestinationSecurityGroupId: refNodeGroupLocalSG,
+			Description:                gfnt.NewString(ControlPlaneEgressRuleDescriptionPrefix + desc + " (workloads using HTTPS port, commonly used with extension API servers)"),
+			IpProtocol:                 gfnt.NewString(controlPlaneEgressInterClusterAPI.IPProtocol),
+			FromPort:                   gfnt.NewInteger(controlPlaneEgressInterClusterAPI.FromPort),
+			ToPort:                     gfnt.NewInteger(controlPlaneEgressInterClusterAPI.ToPort),
+		})
+	}
 	n.newResource("IngressInterClusterCP", &gfnec2.SecurityGroupIngress{
 		GroupId:               refControlPlaneSG,
 		SourceSecurityGroupId: refNodeGroupLocalSG,

pkg/cfn/builder/nodegroup_test.go

@@ -11,6 +11,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/ec2"
 	ec2types "github.com/aws/aws-sdk-go-v2/service/ec2/types"
+
 	"github.com/weaveworks/eksctl/pkg/testutils/mockprovider"
 
 	. "github.com/onsi/ginkgo/v2"
@@ -35,10 +36,12 @@ var _ = Describe("Unmanaged NodeGroup Template Builder", func() {
 		fakeVPCImporter   *vpcfakes.FakeImporter
 		fakeBootstrapper  *bootstrapfakes.FakeBootstrapper
 		p                 = mockprovider.NewMockProvider()
+		skipEgressRules   bool
 	)
 
 	BeforeEach(func() {
 		forceAddCNIPolicy = false
+		skipEgressRules = false
 		fakeVPCImporter = new(vpcfakes.FakeImporter)
 		fakeBootstrapper = new(bootstrapfakes.FakeBootstrapper)
 		cfg, ng = newClusterAndNodeGroup()
@@ -51,7 +54,14 @@ var _ = Describe("Unmanaged NodeGroup Template Builder", func() {
 	})
 
 	JustBeforeEach(func() {
-		ngrs = builder.NewNodeGroupResourceSet(p.MockEC2(), p.MockIAM(), cfg, ng, fakeBootstrapper, forceAddCNIPolicy, fakeVPCImporter)
+		ngrs = builder.NewNodeGroupResourceSet(p.MockEC2(), p.MockIAM(), builder.NodeGroupOptions{
+			ClusterConfig:     cfg,
+			NodeGroup:         ng,
+			Bootstrapper:      fakeBootstrapper,
+			ForceAddCNIPolicy: forceAddCNIPolicy,
+			VPCImporter:       fakeVPCImporter,
+			SkipEgressRules:   skipEgressRules,
+		})
 	})
 
 	Describe("AddAllResources", func() {
@@ -1312,6 +1322,24 @@ var _ = Describe("Unmanaged NodeGroup Template Builder", func() {
 					Expect(properties.LaunchTemplateData.Monitoring.Enabled).To(Equal(true))
 				})
 			})
+
+			Context("skipEgressRules is false", func() {
+				It("should add egress rules", func() {
+					Expect(ngTemplate.Resources).To(HaveKey("EgressInterCluster"))
+					Expect(ngTemplate.Resources).To(HaveKey("EgressInterClusterAPI"))
+				})
+			})
+
+			Context("skipEgressRules is true", func() {
+				BeforeEach(func() {
+					skipEgressRules = true
+				})
+
+				It("should not add egress rules", func() {
+					Expect(ngTemplate.Resources).NotTo(HaveKey("EgressInterCluster"))
+					Expect(ngTemplate.Resources).NotTo(HaveKey("EgressInterClusterAPI"))
+				})
+			})
 		})
 	})
 

pkg/cfn/manager/create_tasks.go

@@ -42,7 +42,7 @@ func (c *StackCollection) NewTasksToCreateClusterWithNodeGroups(ctx context.Cont
 			Parallel:  true,
 			IsSubTask: true,
 		}
-		if unmanagedNodeGroupTasks := c.NewUnmanagedNodeGroupTask(ctx, nodeGroups, false, vpcImporter); unmanagedNodeGroupTasks.Len() > 0 {
+		if unmanagedNodeGroupTasks := c.NewUnmanagedNodeGroupTask(ctx, nodeGroups, false, false, vpcImporter); unmanagedNodeGroupTasks.Len() > 0 {
 			unmanagedNodeGroupTasks.IsSubTask = true
 			nodeGroupTasks.Append(unmanagedNodeGroupTasks)
 		}
@@ -72,7 +72,7 @@ func (c *StackCollection) NewTasksToCreateClusterWithNodeGroups(ctx context.Cont
 }
 
 // NewUnmanagedNodeGroupTask defines tasks required to create all of the nodegroups
-func (c *StackCollection) NewUnmanagedNodeGroupTask(ctx context.Context, nodeGroups []*api.NodeGroup, forceAddCNIPolicy bool, vpcImporter vpc.Importer) *tasks.TaskTree {
+func (c *StackCollection) NewUnmanagedNodeGroupTask(ctx context.Context, nodeGroups []*api.NodeGroup, forceAddCNIPolicy, skipEgressRules bool, vpcImporter vpc.Importer) *tasks.TaskTree {
 	taskTree := &tasks.TaskTree{Parallel: true}
 
 	for _, ng := range nodeGroups {
@@ -83,6 +83,7 @@ func (c *StackCollection) NewUnmanagedNodeGroupTask(ctx context.Context, nodeGro
 			stackCollection:   c,
 			forceAddCNIPolicy: forceAddCNIPolicy,
 			vpcImporter:       vpcImporter,
+			skipEgressRules:   skipEgressRules,
 		})
 		// TODO: move authconfigmap tasks here using kubernetesTask and kubernetes.CallbackClientSet
 	}

pkg/cfn/manager/fakes/fake_stack_manager.go

@@ -91,7 +91,7 @@ type StackManager interface {
 	NewTasksToDeleteIAMServiceAccounts(ctx context.Context, serviceAccounts []string, clientSetGetter kubernetes.ClientSetGetter, wait bool) (*tasks.TaskTree, error)
 	NewTasksToDeleteNodeGroups(stacks []NodeGroupStack, shouldDelete func(_ string) bool, wait bool, cleanup func(chan error, string) error) (*tasks.TaskTree, error)
 	NewTasksToDeleteOIDCProviderWithIAMServiceAccounts(ctx context.Context, newOIDCManager NewOIDCManager, cluster *ekstypes.Cluster, clientSetGetter kubernetes.ClientSetGetter, force bool) (*tasks.TaskTree, error)
-	NewUnmanagedNodeGroupTask(ctx context.Context, nodeGroups []*v1alpha5.NodeGroup, forceAddCNIPolicy bool, importer vpc.Importer) *tasks.TaskTree
+	NewUnmanagedNodeGroupTask(ctx context.Context, nodeGroups []*v1alpha5.NodeGroup, forceAddCNIPolicy, skipEgressRules bool, importer vpc.Importer) *tasks.TaskTree
 	PropagateManagedNodeGroupTagsToASG(ngName string, ngTags map[string]string, asgNames []string, errCh chan error) error
 	RefreshFargatePodExecutionRoleARN(ctx context.Context) error
 	StackStatusIsNotTransitional(s *Stack) bool