Disallow passing a vpc.securityGroup with external SG rules for unowned clusters

Author: cPu1

pkg/actions/nodegroup/create.go

@@ -4,12 +4,19 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"strings"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/ec2"
+	ec2types "github.com/aws/aws-sdk-go-v2/service/ec2/types"
 
 	"github.com/kris-nova/logger"
 	"github.com/pkg/errors"
 
 	defaultaddons "github.com/weaveworks/eksctl/pkg/addons/default"
 	api "github.com/weaveworks/eksctl/pkg/apis/eksctl.io/v1alpha5"
+	"github.com/weaveworks/eksctl/pkg/awsapi"
+	"github.com/weaveworks/eksctl/pkg/cfn/builder"
 	"github.com/weaveworks/eksctl/pkg/cfn/manager"
 	"github.com/weaveworks/eksctl/pkg/ctl/cmdutils"
 	"github.com/weaveworks/eksctl/pkg/ctl/cmdutils/filter"
@@ -311,11 +318,58 @@ func loadVPCFromConfig(ctx context.Context, provider api.ClusterProvider, cfg *a
 	if err := vpc.ImportSubnetsFromSpec(ctx, provider, cfg); err != nil {
 		return err
 	}
-
 	if err := cfg.HasSufficientSubnets(); err != nil {
 		logger.Critical("unable to use given %s", cfg.SubnetInfo())
 		return err
 	}
+	if err := cfg.CanUseForPrivateNodeGroups(); err != nil {
+		return err
+	}
+	return validateSecurityGroup(ctx, provider.EC2(), cfg.VPC.SecurityGroup)
+}
+
+func validateSecurityGroup(ctx context.Context, ec2API awsapi.EC2, securityGroupID string) error {
+	paginator := ec2.NewDescribeSecurityGroupRulesPaginator(ec2API, &ec2.DescribeSecurityGroupRulesInput{
+		Filters: []ec2types.Filter{
+			{
+				Name:   aws.String("group-id"),
+				Values: []string{securityGroupID},
+			},
+		},
+	})
+	var sgRules []ec2types.SecurityGroupRule
+	for paginator.HasMorePages() {
+		output, err := paginator.NextPage(ctx)
+		if err != nil {
+			return err
+		}
+		sgRules = append(sgRules, output.SecurityGroupRules...)
+	}
 
-	return cfg.CanUseForPrivateNodeGroups()
+	makeError := func(sgRuleID string) error {
+		return fmt.Errorf("vpc.securityGroup (%s) has egress rules that were not attached by eksctl; "+
+			"vpc.securityGroup should not contain any external egress rules on a cluster not created by eksctl (rule ID: %s)", securityGroupID, sgRuleID)
+	}
+
+	for _, sgRule := range sgRules {
+		if !aws.ToBool(sgRule.IsEgress) {
+			continue
+		}
+		if !strings.HasPrefix(aws.ToString(sgRule.Description), builder.ControlPlaneEgressRuleDescriptionPrefix) {
+			return makeError(aws.ToString(sgRule.SecurityGroupRuleId))
+		}
+		matched := false
+		for _, egressRule := range builder.ControlPlaneNodeGroupEgressRules {
+			if aws.ToString(sgRule.IpProtocol) == egressRule.IpProtocol &&
+				aws.ToInt32(sgRule.FromPort) == int32(egressRule.FromPort) &&
+				aws.ToInt32(sgRule.ToPort) == int32(egressRule.ToPort) {
+				matched = true
+				break
+			}
+		}
+		if !matched {
+			return makeError(aws.ToString(sgRule.SecurityGroupRuleId))
+		}
+	}
+	return nil
 }

pkg/actions/nodegroup/create_test.go

@@ -144,6 +144,33 @@ var _ = DescribeTable("Create", func(t ngEntry) {
 		expectedErr: errors.Wrapf(errors.New("VPC configuration required for creating nodegroups on clusters not owned by eksctl: vpc.subnets, vpc.id, vpc.securityGroup"), "loading VPC spec for cluster %q", "my-cluster"),
 	}),
 
+	Entry("when cluster is unowned and vpc.securityGroup contains external egress rules, it fails validation", ngEntry{
+		updateClusterConfig: makeUnownedClusterConfig,
+		mockCalls: func(k *fakes.FakeKubeProvider, f *utilFakes.FakeNodegroupFilter, p *mockprovider.MockProvider, _ *fake.Clientset) {
+			mockProviderForUnownedCluster(p, k, ec2types.SecurityGroupRule{
+				Description:         aws.String("Allow control plane to communicate with a custom nodegroup on a custom port"),
+				FromPort:            aws.Int32(8443),
+				ToPort:              aws.Int32(8443),
+				GroupId:             aws.String("sg-custom"),
+				IpProtocol:          aws.String("https"),
+				IsEgress:            aws.Bool(true),
+				SecurityGroupRuleId: aws.String("sgr-5"),
+			})
+
+		},
+		expectedErr: fmt.Errorf("loading VPC spec for cluster %q: vpc.securityGroup (sg-custom) has egress rules that were not attached by eksctl; vpc.securityGroup should not contain any external egress rules on a cluster not created by eksctl (rule ID: sgr-5)", "my-cluster"),
+	}),
+
+	Entry("when cluster is unowned and vpc.securityGroup contains no external egress rules, it passes validation but fails if DescribeImages fails", ngEntry{
+		updateClusterConfig: makeUnownedClusterConfig,
+		mockCalls: func(k *fakes.FakeKubeProvider, f *utilFakes.FakeNodegroupFilter, p *mockprovider.MockProvider, _ *fake.Clientset) {
+			mockProviderForUnownedCluster(p, k)
+			p.MockEC2().On("DescribeImages", mock.Anything, mock.Anything).Return(nil, errors.New("DescribeImages error"))
+
+		},
+		expectedErr: errors.New("DescribeImages error"),
+	}),
+
 	Entry("fails when cluster is not compatible with ng config", ngEntry{
 		mockCalls: func(k *fakes.FakeKubeProvider, f *utilFakes.FakeNodegroupFilter, p *mockprovider.MockProvider, _ *fake.Clientset) {
 			// no shared security group will trigger a compatibility check failure later in the call chain.
@@ -587,3 +614,122 @@ func mockProviderWithConfig(p *mockprovider.MockProvider, describeStacksOutput [
 			},
 		}, nil)
 }
+
+func mockProviderForUnownedCluster(p *mockprovider.MockProvider, k *fakes.FakeKubeProvider, extraSGRules ...ec2types.SecurityGroupRule) {
+	k.NewRawClientReturns(&kubernetes.RawClient{}, nil)
+	k.ServerVersionReturns("1.27", nil)
+	p.MockCloudFormation().On("ListStacks", mock.Anything, mock.Anything).Return(&cloudformation.ListStacksOutput{
+		StackSummaries: []cftypes.StackSummary{
+			{
+				StackName:   aws.String("eksctl-my-cluster-cluster"),
+				StackStatus: "CREATE_COMPLETE",
+			},
+		},
+	}, nil)
+	p.MockCloudFormation().On("DescribeStacks", mock.Anything, mock.Anything).Return(&cloudformation.DescribeStacksOutput{
+		Stacks: []cftypes.Stack{
+			{
+				StackName:   aws.String("eksctl-my-cluster-cluster"),
+				StackStatus: "CREATE_COMPLETE",
+			},
+		},
+	}, nil)
+
+	vpcID := aws.String("vpc-custom")
+	p.MockEC2().On("DescribeVpcs", mock.Anything, mock.Anything).Return(&ec2.DescribeVpcsOutput{
+		Vpcs: []ec2types.Vpc{
+			{
+				CidrBlock: aws.String("192.168.0.0/19"),
+				VpcId:     vpcID,
+				CidrBlockAssociationSet: []ec2types.VpcCidrBlockAssociation{
+					{
+						CidrBlock: aws.String("192.168.0.0/19"),
+					},
+				},
+			},
+		},
+	}, nil)
+	p.MockEC2().On("DescribeSubnets", mock.Anything, mock.Anything).Return(&ec2.DescribeSubnetsOutput{
+		Subnets: []ec2types.Subnet{
+			{
+				SubnetId:         aws.String("subnet-custom1"),
+				CidrBlock:        aws.String("192.168.160.0/19"),
+				AvailabilityZone: aws.String("us-west-2a"),
+				VpcId:            vpcID,
+			},
+			{
+				SubnetId:         aws.String("subnet-custom2"),
+				CidrBlock:        aws.String("192.168.96.0/19"),
+				AvailabilityZone: aws.String("us-west-2b"),
+				VpcId:            vpcID,
+			},
+		},
+	}, nil)
+
+	sgID := aws.String("sg-custom")
+	p.MockEC2().On("DescribeSecurityGroupRules", mock.Anything, mock.MatchedBy(func(input *ec2.DescribeSecurityGroupRulesInput) bool {
+		if len(input.Filters) != 1 {
+			return false
+		}
+		filter := input.Filters[0]
+		return *filter.Name == "group-id" && len(filter.Values) == 1 && filter.Values[0] == *sgID
+	})).Return(&ec2.DescribeSecurityGroupRulesOutput{
+		SecurityGroupRules: append([]ec2types.SecurityGroupRule{
+			{
+				Description:         aws.String("Allow control plane to communicate with worker nodes in group ng-1 (kubelet and workload TCP ports"),
+				FromPort:            aws.Int32(1025),
+				ToPort:              aws.Int32(65535),
+				GroupId:             sgID,
+				IpProtocol:          aws.String("tcp"),
+				IsEgress:            aws.Bool(true),
+				SecurityGroupRuleId: aws.String("sgr-1"),
+			},
+			{
+				Description:         aws.String("Allow control plane to communicate with worker nodes in group ng-1 (workload using HTTPS port, commonly used with extension API servers"),
+				FromPort:            aws.Int32(443),
+				ToPort:              aws.Int32(443),
+				GroupId:             sgID,
+				IpProtocol:          aws.String("tcp"),
+				IsEgress:            aws.Bool(true),
+				SecurityGroupRuleId: aws.String("sgr-2"),
+			},
+			{
+				Description:         aws.String("Allow control plane to receive API requests from worker nodes in group ng-1"),
+				FromPort:            aws.Int32(443),
+				ToPort:              aws.Int32(443),
+				GroupId:             sgID,
+				IpProtocol:          aws.String("tcp"),
+				IsEgress:            aws.Bool(false),
+				SecurityGroupRuleId: aws.String("sgr-3"),
+			},
+			{
+				Description:         aws.String("Allow control plane to communicate with worker nodes in group ng-2 (workload using HTTPS port, commonly used with extension API servers"),
+				FromPort:            aws.Int32(443),
+				ToPort:              aws.Int32(443),
+				GroupId:             sgID,
+				IpProtocol:          aws.String("tcp"),
+				IsEgress:            aws.Bool(true),
+				SecurityGroupRuleId: aws.String("sgr-4"),
+			},
+		}, extraSGRules...),
+	}, nil)
+}
+
+func makeUnownedClusterConfig(clusterConfig *api.ClusterConfig) {
+	clusterConfig.VPC = &api.ClusterVPC{
+		SecurityGroup: "sg-custom",
+		Network: api.Network{
+			ID: "vpc-custom",
+		},
+		Subnets: &api.ClusterSubnets{
+			Private: api.AZSubnetMapping{
+				"us-west-2a": api.AZSubnetSpec{
+					ID: "subnet-custom1",
+				},
+				"us-west-2b": api.AZSubnetSpec{
+					ID: "subnet-custom2",
+				},
+			},
+		},
+	}
+}

pkg/cfn/builder/nodegroup.go

@@ -132,6 +132,34 @@ func (n *NodeGroupResourceSet) AddAllResources(ctx context.Context) error {
 	return n.addResourcesForNodeGroup(ctx)
 }
 
+// A PartialEgressRule represents a partial security group egress rule.
+type PartialEgressRule struct {
+	FromPort   int
+	ToPort     int
+	IpProtocol string
+}
+
+var controlPlaneEgressInterCluster = PartialEgressRule{
+	FromPort:   1025,
+	ToPort:     65535,
+	IpProtocol: "tcp",
+}
+
+var controlPlaneEgressInterClusterAPI = PartialEgressRule{
+	FromPort:   443,
+	ToPort:     443,
+	IpProtocol: "tcp",
+}
+
+// ControlPlaneNodeGroupEgressRules is a slice of egress rules attached to the control plane security group.
+var ControlPlaneNodeGroupEgressRules = []PartialEgressRule{
+	controlPlaneEgressInterCluster,
+	controlPlaneEgressInterClusterAPI,
+}
+
+// ControlPlaneEgressRuleDescriptionPrefix is the prefix applied to the description for control plane security group egress rules.
+var ControlPlaneEgressRuleDescriptionPrefix = "Allow control plane to communicate with "
+
 func (n *NodeGroupResourceSet) addResourcesForSecurityGroups() {
 	for _, id := range n.spec.SecurityGroups.AttachIDs {
 		n.securityGroups = append(n.securityGroups, gfnt.NewString(id))
@@ -169,18 +197,18 @@ func (n *NodeGroupResourceSet) addResourcesForSecurityGroups() {
 	n.newResource("EgressInterCluster", &gfnec2.SecurityGroupEgress{
 		GroupId:                    refControlPlaneSG,
 		DestinationSecurityGroupId: refNodeGroupLocalSG,
-		Description:                gfnt.NewString("Allow control plane to communicate with " + desc + " (kubelet and workload TCP ports)"),
-		IpProtocol:                 sgProtoTCP,
-		FromPort:                   sgMinNodePort,
-		ToPort:                     sgMaxNodePort,
+		Description:                gfnt.NewString(ControlPlaneEgressRuleDescriptionPrefix + desc + " (kubelet and workload TCP ports)"),
+		IpProtocol:                 gfnt.NewString(controlPlaneEgressInterCluster.IpProtocol),
+		FromPort:                   gfnt.NewInteger(controlPlaneEgressInterCluster.FromPort),
+		ToPort:                     gfnt.NewInteger(controlPlaneEgressInterCluster.ToPort),
 	})
 	n.newResource("EgressInterClusterAPI", &gfnec2.SecurityGroupEgress{
 		GroupId:                    refControlPlaneSG,
 		DestinationSecurityGroupId: refNodeGroupLocalSG,
-		Description:                gfnt.NewString("Allow control plane to communicate with " + desc + " (workloads using HTTPS port, commonly used with extension API servers)"),
-		IpProtocol:                 sgProtoTCP,
-		FromPort:                   sgPortHTTPS,
-		ToPort:                     sgPortHTTPS,
+		Description:                gfnt.NewString(ControlPlaneEgressRuleDescriptionPrefix + desc + " (workloads using HTTPS port, commonly used with extension API servers)"),
+		IpProtocol:                 gfnt.NewString(controlPlaneEgressInterClusterAPI.IpProtocol),
+		FromPort:                   gfnt.NewInteger(controlPlaneEgressInterClusterAPI.FromPort),
+		ToPort:                     gfnt.NewInteger(controlPlaneEgressInterClusterAPI.ToPort),
 	})
 	n.newResource("IngressInterClusterCP", &gfnec2.SecurityGroupIngress{
 		GroupId:               refControlPlaneSG,
@@ -197,16 +225,16 @@ func makeNodeIngressRules(ng *api.NodeGroupBase, controlPlaneSG *gfnt.Value, vpc
 		{
 			SourceSecurityGroupId: controlPlaneSG,
 			Description:           gfnt.NewString(fmt.Sprintf("[IngressInterCluster] Allow %s to communicate with control plane (kubelet and workload TCP ports)", description)),
-			IpProtocol:            sgProtoTCP,
-			FromPort:              sgMinNodePort,
-			ToPort:                sgMaxNodePort,
+			IpProtocol:            gfnt.NewString(controlPlaneEgressInterCluster.IpProtocol),
+			FromPort:              gfnt.NewInteger(controlPlaneEgressInterCluster.FromPort),
+			ToPort:                gfnt.NewInteger(controlPlaneEgressInterCluster.ToPort),
 		},
 		{
 			SourceSecurityGroupId: controlPlaneSG,
 			Description:           gfnt.NewString(fmt.Sprintf("[IngressInterClusterAPI] Allow %s to communicate with control plane (workloads using HTTPS port, commonly used with extension API servers)", description)),
-			IpProtocol:            sgProtoTCP,
-			FromPort:              sgPortHTTPS,
-			ToPort:                sgPortHTTPS,
+			IpProtocol:            gfnt.NewString(controlPlaneEgressInterClusterAPI.IpProtocol),
+			FromPort:              gfnt.NewInteger(controlPlaneEgressInterClusterAPI.FromPort),
+			ToPort:                gfnt.NewInteger(controlPlaneEgressInterClusterAPI.ToPort),
 		},
 	}
 

pkg/cfn/builder/vpc_ipv4.go

@@ -335,7 +335,6 @@ var (
 	sgSourceAnywhereIPv6 = gfnt.NewString("::/0")
 
 	sgPortZero    = gfnt.NewInteger(0)
-	sgMinNodePort = gfnt.NewInteger(1025)
 	sgMaxNodePort = gfnt.NewInteger(65535)
 
 	sgPortHTTPS = gfnt.NewInteger(443)