From 113e7d6df8da05ea243aa026714a0ede0c6eaaa9 Mon Sep 17 00:00:00 2001
From: esierra-stratio
Date: Wed, 7 Feb 2024 18:06:01 +0100
Subject: [PATCH 1/6] restric IMDS access in Azure

---
 .../actions/createworker/createworker.go | 104 ++++++++----------
 .../files/aws/allow-egress-imds_gnetpol.yaml | 3 +-
 .../aws/deny-all-egress-imds_gnetpol.yaml | 7 +-
 .../azure/allow-egress-imds_gnetpol.yaml | 20 ++++
 .../azure/deny-all-egress-imds_gnetpol.yaml | 23 ++++
 .../files/gcp/allow-egress-imds_gnetpol.yaml | 3 +-
 .../gcp/deny-all-egress-imds_gnetpol.yaml | 5 +-
 .../create/actions/createworker/provider.go | 2 +
 8 files changed, 105 insertions(+), 62 deletions(-)
 create mode 100644 pkg/cluster/internal/create/actions/createworker/files/azure/allow-egress-imds_gnetpol.yaml
 create mode 100644 pkg/cluster/internal/create/actions/createworker/files/azure/deny-all-egress-imds_gnetpol.yaml

diff --git a/pkg/cluster/internal/create/actions/createworker/createworker.go b/pkg/cluster/internal/create/actions/createworker/createworker.go
index c3bd9d4d05..da4fadda85 100644
--- a/pkg/cluster/internal/create/actions/createworker/createworker.go
+++ b/pkg/cluster/internal/create/actions/createworker/createworker.go
@@ -536,66 +536,57 @@ func (a *action) Execute(ctx *actions.ActionContext) error { ctx.Status.End(true) // End Installing CAPx in workload cluster // Use Calico as network policy engine in managed systems - if provider.capxProvider != "azure" && !isMachinePool { - ctx.Status.Start("Configuring Network Policy Engine in workload cluster 🚧") - defer ctx.Status.End(false) - - // Use Calico as network policy engine in managed systems - if a.keosCluster.Spec.ControlPlane.Managed { - - err = installCalico(n, kubeconfigPath, privateParams, allowCommonEgressNetPolPath) - if err != nil { - return errors.Wrap(err, "failed to install Network Policy Engine in workload cluster") - } - } - - // Create the allow and deny (global) network policy file in the container - denyallEgressIMDSGNetPolPath := "/kind/deny-all-egress-imds_gnetpol.yaml" - allowCAPXEgressIMDSGNetPolPath := "/kind/allow-egress-imds_gnetpol.yaml" - - // Allow egress in kube-system Namespace - c = "kubectl --kubeconfig " + kubeconfigPath + " -n kube-system apply -f " + allowCommonEgressNetPolPath - _, err = commons.ExecuteCommand(n, c) - if err != nil { - return errors.Wrap(err, "failed to apply kube-system egress NetworkPolicy") - } - denyEgressIMDSGNetPol, err := provider.getDenyAllEgressIMDSGNetPol() - if err != nil { - return err - } - - c = "echo \"" + denyEgressIMDSGNetPol + "\" > " + denyallEgressIMDSGNetPolPath - _, err = commons.ExecuteCommand(n, c) - if err != nil { - return errors.Wrap(err, "failed to write the deny-all-traffic-to-aws-imds global network policy") - } - allowEgressIMDSGNetPol, err := provider.getAllowCAPXEgressIMDSGNetPol() - if err != nil { - return err - } - - c = "echo \"" + allowEgressIMDSGNetPol + "\" > " + allowCAPXEgressIMDSGNetPolPath - _, err = commons.ExecuteCommand(n, c) - if err != nil { - return errors.Wrap(err, "failed to write the allow-traffic-to-aws-imds-capa global network policy") - } - - // Deny CAPA egress to AWS IMDS - c = "kubectl --kubeconfig " + kubeconfigPath + 
" apply -f " + denyallEgressIMDSGNetPolPath - _, err = commons.ExecuteCommand(n, c) - if err != nil { - return errors.Wrap(err, "failed to apply deny IMDS traffic GlobalNetworkPolicy") - } + ctx.Status.Start("Configuring Network Policy Engine in workload cluster 🚧") + defer ctx.Status.End(false) - // Allow CAPA egress to AWS IMDS - c = "kubectl --kubeconfig " + kubeconfigPath + " apply -f " + allowCAPXEgressIMDSGNetPolPath - _, err = commons.ExecuteCommand(n, c) + // Use Calico as network policy engine in managed systems + if awsEKSEnabled { + err = installCalico(n, kubeconfigPath, privateParams, allowCommonEgressNetPolPath) if err != nil { - return errors.Wrap(err, "failed to apply allow CAPX as egress GlobalNetworkPolicy") + return errors.Wrap(err, "failed to install Network Policy Engine in workload cluster") } - - ctx.Status.End(true) // End Installing Network Policy Engine in workload cluster } + // Create the allow and deny (global) network policy file in the container + denyallEgressIMDSGNetPolPath := "/kind/deny-all-egress-imds_gnetpol.yaml" + allowCAPXEgressIMDSGNetPolPath := "/kind/allow-egress-imds_gnetpol.yaml" + // Allow egress in kube-system Namespace + c = "kubectl --kubeconfig " + kubeconfigPath + " -n kube-system apply -f " + allowCommonEgressNetPolPath + _, err = commons.ExecuteCommand(n, c) + if err != nil { + return errors.Wrap(err, "failed to apply kube-system egress NetworkPolicy") + } + denyEgressIMDSGNetPol, err := provider.getDenyAllEgressIMDSGNetPol() + if err != nil { + return err + } + c = "echo \"" + denyEgressIMDSGNetPol + "\" > " + denyallEgressIMDSGNetPolPath + _, err = commons.ExecuteCommand(n, c) + if err != nil { + return errors.Wrap(err, "failed to write the deny-all-traffic-to-aws-imds global network policy") + } + allowEgressIMDSGNetPol, err := provider.getAllowCAPXEgressIMDSGNetPol() + if err != nil { + return err + } + c = "echo \"" + allowEgressIMDSGNetPol + "\" > " + allowCAPXEgressIMDSGNetPolPath + _, err = 
commons.ExecuteCommand(n, c) + if err != nil { + return errors.Wrap(err, "failed to write the allow-traffic-to-aws-imds-capa global network policy") + } + // Deny CAPA egress to AWS IMDS + c = "kubectl --kubeconfig " + kubeconfigPath + " apply -f " + denyallEgressIMDSGNetPolPath + _, err = commons.ExecuteCommand(n, c) + if err != nil { + return errors.Wrap(err, "failed to apply deny IMDS traffic GlobalNetworkPolicy") + } + // Allow CAPA egress to AWS IMDS + c = "kubectl --kubeconfig " + kubeconfigPath + " apply -f " + allowCAPXEgressIMDSGNetPolPath + _, err = commons.ExecuteCommand(n, c) + if err != nil { + return errors.Wrap(err, "failed to apply allow CAPX as egress GlobalNetworkPolicy") + } + ctx.Status.End(true) // End Installing Network Policy Engine in workload cluster + } if a.keosCluster.Spec.DeployAutoscaler && !isMachinePool { ctx.Status.Start("Installing cluster-autoscaler in workload cluster 🗚") @@ -620,7 +611,6 @@ func (a *action) Execute(ctx *actions.ActionContext) error { } ctx.Status.End(true) - } ctx.Status.Start("Installing keos cluster operator in workload cluster 💻") defer ctx.Status.End(false) diff --git a/pkg/cluster/internal/create/actions/createworker/files/aws/allow-egress-imds_gnetpol.yaml b/pkg/cluster/internal/create/actions/createworker/files/aws/allow-egress-imds_gnetpol.yaml index 43f9fbeaa1..f43001c406 100644 --- a/pkg/cluster/internal/create/actions/createworker/files/aws/allow-egress-imds_gnetpol.yaml +++ b/pkg/cluster/internal/create/actions/createworker/files/aws/allow-egress-imds_gnetpol.yaml @@ -5,6 +5,7 @@ metadata: name: allow-traffic-to-aws-imds-capa spec: egress: + - action: Log - action: Allow destination: nets: 
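Review bot: The `}` added after `ctx.Status.End(true) // End Installing Network Policy Engine in workload cluster`, together with the `}` removed in the second hunk (@@ -620), closes the block opened before line 536 earlier than before and pulls the `if a.keosCluster.Spec.DeployAutoscaler && !isMachinePool` block out of it; patch 3 of this series moves the brace back, so this reads as a misplaced brace rather than an intended scope change. Calico is now installed only when `awsEKSEnabled`, yet the `GlobalNetworkPolicy` manifests are applied for every provider, so if a managed non-EKS cluster can reach this code without Calico's CRDs present the `kubectl apply` lines fail and Execute returns early — either the gating should match or the assumption deserves a comment. The error strings `"failed to write the deny-all-traffic-to-aws-imds global network policy"` and `"failed to write the allow-traffic-to-aws-imds-capa global network policy"` are now reached for azure and gcp too; provider-neutral wording such as `"failed to write the deny-all-egress-imds global network policy"` avoids misleading logs. Writing each manifest with `echo "<content>" > path` through the shell means a `$`, backtick or `"` in a rendered manifest is expanded or truncates the file; a quoted heredoc or writing the bytes directly is more robust, and note that Execute starts and ends outside this hunk.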
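Review bot: The new `- action: Log` entry has no match criteria, so in Calico it matches every egress packet from the pods this policy selects and logs each one before evaluation continues to the Allow rule; it is not limited to IMDS traffic. The same bare rule is added to the aws and gcp deny policies and to the new azure allow/deny files in this patch, and in the deny policies the selector is `all()` with order 10, so every egress packet from every pod that no lower-order policy already allowed is written to the node's kernel log — a cluster-wide log flood with real dataplane cost rather than an IMDS audit trail. If the goal is to record IMDS-bound traffic only, give the Log rule the same `destination:` block (`nets`, `ports`, `protocol`) as the rule beneath it; Calico evaluates rules top to bottom and Log does not terminate evaluation, so a scoped Log rule placed before the Allow/Deny still records each hit.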
@@ -14,4 +15,4 @@ spec: namespaceSelector: kubernetes.io/metadata.name in { 'kube-system', 'capa-system' } selector: app.kubernetes.io/name == 'aws-ebs-csi-driver' || cluster.x-k8s.io/provider == 'infrastructure-aws' || k8s-app == 'aws-cloud-controller-manager' types: - - Egress + - Egress \ No newline at end of file diff --git a/pkg/cluster/internal/create/actions/createworker/files/aws/deny-all-egress-imds_gnetpol.yaml b/pkg/cluster/internal/create/actions/createworker/files/aws/deny-all-egress-imds_gnetpol.yaml index 83a82f591b..1a4096d29c 100644 --- a/pkg/cluster/internal/create/actions/createworker/files/aws/deny-all-egress-imds_gnetpol.yaml +++ b/pkg/cluster/internal/create/actions/createworker/files/aws/deny-all-egress-imds_gnetpol.yaml @@ -2,13 +2,16 @@ apiVersion: crd.projectcalico.org/v1 kind: GlobalNetworkPolicy metadata: - name: deny-all-traffic-to-aws-imds + name: deny-all-traffic-to-gcp-imds spec: egress: + - action: Log - action: Deny destination: nets: - - 169.254.169.254/32 + - 169.254.169.254/32 + ports: + - 80 protocol: TCP order: 10 selector: all() diff --git a/pkg/cluster/internal/create/actions/createworker/files/azure/allow-egress-imds_gnetpol.yaml b/pkg/cluster/internal/create/actions/createworker/files/azure/allow-egress-imds_gnetpol.yaml new file mode 100644 index 0000000000..6e8907b83b --- /dev/null +++ b/pkg/cluster/internal/create/actions/createworker/files/azure/allow-egress-imds_gnetpol.yaml 
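Review bot: Adding `ports: - 80` narrows the Deny from all TCP to 169.254.169.254 down to the HTTP port; that matches where IMDS listens, but the policy no longer acts as a catch-all for the link-local address, so a short comment in the file stating that port 80 is deliberate would help the next reader (the gcp deny hunk applies the same narrowing). On dual-stack nodes the IPv6 IMDS endpoint `fd00:ec2::254` is not in `nets` and stays reachable from every pod; if IPv6 is enabled in these clusters, add it to `nets` here and in the aws allow policy so CAPA is not cut off.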
@@ -0,0 +1,20 @@ +--- +apiVersion: crd.projectcalico.org/v1 +kind: GlobalNetworkPolicy +metadata: + name: allow-traffic-to-azure-imds-capz +spec: + egress: + - action: Log + - action: Allow + destination: + nets: + - 127.0.0.1/32 + ports: + - 2579 + protocol: TCP + order: 0 + namespaceSelector: kubernetes.io/metadata.name in { 'kube-system', 'capz-system' } + selector: component == 'cloud-controller-manager' || app in { 'csi-azuredisk-controller', 'csi-azurefile-controller' } || cluster.x-k8s.io/provider == 'infrastructure-azure' + types: + - Egress diff --git a/pkg/cluster/internal/create/actions/createworker/files/azure/deny-all-egress-imds_gnetpol.yaml b/pkg/cluster/internal/create/actions/createworker/files/azure/deny-all-egress-imds_gnetpol.yaml new file mode 100644 index 0000000000..8fc02b0da0 --- /dev/null +++ b/pkg/cluster/internal/create/actions/createworker/files/azure/deny-all-egress-imds_gnetpol.yaml @@ -0,0 +1,23 @@ +# NMI intercepts all traffic and redirects it to 127.0.0.1:2579 +# target prot opt source destination +# DNAT tcp -- !localhost 169.254.169.254 tcp dpt:http to:127.0.0.1:2579 +# RETURN all -- anywhere anywhere +--- +apiVersion: crd.projectcalico.org/v1 +kind: GlobalNetworkPolicy +metadata: + name: deny-all-traffic-to-gcp-imds +spec: + egress: + - action: Log + - action: Deny + destination: + nets: + - 127.0.0.1/32 + ports: + - 2579 + protocol: TCP + order: 10 + selector: all() + types: + - Egress \ No newline at end of file diff --git a/pkg/cluster/internal/create/actions/createworker/files/gcp/allow-egress-imds_gnetpol.yaml b/pkg/cluster/internal/create/actions/createworker/files/gcp/allow-egress-imds_gnetpol.yaml index 3d4d38283f..27aca927c2 100644 --- a/pkg/cluster/internal/create/actions/createworker/files/gcp/allow-egress-imds_gnetpol.yaml +++ b/pkg/cluster/internal/create/actions/createworker/files/gcp/allow-egress-imds_gnetpol.yaml 
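Review bot: Both new azure policies match only `127.0.0.1/32` port 2579, the post-DNAT address from the NMI iptables rule quoted in the deny file's header, so the deny holds only while that NMI rule is present on the node: a pod on a node where NMI is not running or not yet ready, or any pod-to-169.254.169.254 traffic NMI does not intercept, reaches the real IMDS and is not denied. For defence in depth the deny policy should list `169.254.169.254/32` port 80 alongside the loopback entry, and the allow policy the same pair so CAPZ, the cloud-controller-manager and the CSI controllers keep working on both paths. That Calico sees the post-DNAT destination here is inferred from the comment, not shown by the diff; worth confirming on a node (the kernel log entries the new Log rule produces show which destination matched) before the deny is relied on.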
@@ -5,6 +5,7 @@ metadata: name: allow-traffic-to-gcp-imds-capg spec: egress: + - action: Log - action: Allow destination: nets: @@ -14,4 +15,4 @@ spec: namespaceSelector: kubernetes.io/metadata.name in { 'kube-system', 'capg-system' } selector: app == 'gcp-compute-persistent-disk-csi-driver' || cluster.x-k8s.io/provider == 'infrastructure-gcp' types: - - Egress + - Egress \ No newline at end of file diff --git a/pkg/cluster/internal/create/actions/createworker/files/gcp/deny-all-egress-imds_gnetpol.yaml b/pkg/cluster/internal/create/actions/createworker/files/gcp/deny-all-egress-imds_gnetpol.yaml index 6d8ca7d6e8..11c9886e65 100644 --- a/pkg/cluster/internal/create/actions/createworker/files/gcp/deny-all-egress-imds_gnetpol.yaml +++ b/pkg/cluster/internal/create/actions/createworker/files/gcp/deny-all-egress-imds_gnetpol.yaml @@ -5,10 +5,13 @@ metadata: name: deny-all-traffic-to-gcp-imds spec: egress: + - action: Log - action: Deny destination: nets: - - 169.254.169.254/32 + - 169.254.169.254/32 + ports: + - 80 protocol: TCP order: 10 selector: all() diff --git a/pkg/cluster/internal/create/actions/createworker/provider.go b/pkg/cluster/internal/create/actions/createworker/provider.go index 48d2e025b6..d356a2b8a7 100644 --- a/pkg/cluster/internal/create/actions/createworker/provider.go +++ b/pkg/cluster/internal/create/actions/createworker/provider.go @@ -246,6 +246,8 @@ func (p *Provider) getAllowCAPXEgressIMDSGNetPol() (string, error) { return "", err } + fmt.Println("\n"+fmt.Sprintln(allowEgressIMDSgnpContent)) + return string(allowEgressIMDSgnpContent), nil } From 1a96a599000cdb84dfcd5a00dde10447d5654bdf Mon Sep 17 00:00:00 2001 From: esierra-stratio Date: Wed, 7 Feb 2024 18:09:25 +0100 Subject: [PATCH 2/6] fix typos --- .../createworker/files/aws/deny-all-egress-imds_gnetpol.yaml | 2 +- pkg/cluster/internal/create/actions/createworker/provider.go | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) 
diff --git a/pkg/cluster/internal/create/actions/createworker/files/aws/deny-all-egress-imds_gnetpol.yaml b/pkg/cluster/internal/create/actions/createworker/files/aws/deny-all-egress-imds_gnetpol.yaml index 1a4096d29c..1e5df36c9d 100644 --- a/pkg/cluster/internal/create/actions/createworker/files/aws/deny-all-egress-imds_gnetpol.yaml +++ b/pkg/cluster/internal/create/actions/createworker/files/aws/deny-all-egress-imds_gnetpol.yaml @@ -2,7 +2,7 @@ apiVersion: crd.projectcalico.org/v1 kind: GlobalNetworkPolicy metadata: - name: deny-all-traffic-to-gcp-imds + name: deny-all-traffic-to-aws-imds spec: egress: - action: Log diff --git a/pkg/cluster/internal/create/actions/createworker/provider.go b/pkg/cluster/internal/create/actions/createworker/provider.go index d356a2b8a7..48d2e025b6 100644 --- a/pkg/cluster/internal/create/actions/createworker/provider.go +++ b/pkg/cluster/internal/create/actions/createworker/provider.go @@ -246,8 +246,6 @@ func (p *Provider) getAllowCAPXEgressIMDSGNetPol() (string, error) { return "", err } - fmt.Println("\n"+fmt.Sprintln(allowEgressIMDSgnpContent)) - return string(allowEgressIMDSgnpContent), nil } From c5b5dca34b4ac9533542020fee17a32e7cf30d90 Mon Sep 17 00:00:00 2001 From: esierra-stratio Date: Fri, 9 Feb 2024 10:10:55 +0100 Subject: [PATCH 3/6] allow gnp template --- .../actions/createworker/createworker.go | 4 +-- .../azure/deny-all-egress-imds_gnetpol.yaml | 2 +- .../create/actions/createworker/provider.go | 36 +++++++++++++------ .../allow-egress-imds_gnetpol.yaml.tmpl} | 7 +++- 4 files changed, 35 insertions(+), 14 deletions(-) rename pkg/cluster/internal/create/actions/createworker/{files/azure/allow-egress-imds_gnetpol.yaml => templates/azure/allow-egress-imds_gnetpol.yaml.tmpl} (71%) diff --git a/pkg/cluster/internal/create/actions/createworker/createworker.go b/pkg/cluster/internal/create/actions/createworker/createworker.go index da4fadda85..47d7c758d7 100644 
--- a/pkg/cluster/internal/create/actions/createworker/createworker.go +++ b/pkg/cluster/internal/create/actions/createworker/createworker.go @@ -586,7 +586,6 @@ func (a *action) Execute(ctx *actions.ActionContext) error { return errors.Wrap(err, "failed to apply allow CAPX as egress GlobalNetworkPolicy") } ctx.Status.End(true) // End Installing Network Policy Engine in workload cluster - } if a.keosCluster.Spec.DeployAutoscaler && !isMachinePool { ctx.Status.Start("Installing cluster-autoscaler in workload cluster 🗚") @@ -611,6 +610,7 @@ func (a *action) Execute(ctx *actions.ActionContext) error { } ctx.Status.End(true) + } ctx.Status.Start("Installing keos cluster operator in workload cluster 💻") defer ctx.Status.End(false) @@ -777,4 +777,4 @@ func (a *action) Execute(ctx *actions.ActionContext) error { ctx.Status.End(true) // End Generating KEOS descriptor return nil -} +} \ No newline at end of file diff --git a/pkg/cluster/internal/create/actions/createworker/files/azure/deny-all-egress-imds_gnetpol.yaml b/pkg/cluster/internal/create/actions/createworker/files/azure/deny-all-egress-imds_gnetpol.yaml index 8fc02b0da0..9c68e6672b 100644 --- a/pkg/cluster/internal/create/actions/createworker/files/azure/deny-all-egress-imds_gnetpol.yaml +++ b/pkg/cluster/internal/create/actions/createworker/files/azure/deny-all-egress-imds_gnetpol.yaml @@ -6,7 +6,7 @@ apiVersion: crd.projectcalico.org/v1 kind: GlobalNetworkPolicy metadata: - name: deny-all-traffic-to-gcp-imds + name: deny-all-traffic-to-az-imds spec: egress: - action: Log diff --git a/pkg/cluster/internal/create/actions/createworker/provider.go b/pkg/cluster/internal/create/actions/createworker/provider.go index 48d2e025b6..eb138e7642 100644 --- a/pkg/cluster/internal/create/actions/createworker/provider.go +++ b/pkg/cluster/internal/create/actions/createworker/provider.go 
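Review bot: The `}` moved from after the Network Policy `ctx.Status.End(true)` to after the autoscaler `ctx.Status.End(true)` reverses the brace move made in patch 1, so the autoscaler block is back inside the conditional opened before line 586; since the whole IMDS policy sequence now also sits inside that conditional, it is worth confirming its condition is satisfied for every provider, otherwise the Azure restriction this series adds is silently skipped (Execute starts and ends outside these hunks). The last hunk leaves the file's final `}` without a trailing newline, which gofmt will add back on the next run; committing the gofmt'd file avoids the churn.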
@@ -235,18 +235,34 @@ func (p *Provider) getDenyAllEgressIMDSGNetPol() (string, error) { } func (p *Provider) getAllowCAPXEgressIMDSGNetPol() (string, error) { - allowEgressIMDSGNetPolLocalPath := "files/" + p.capxProvider + "/allow-egress-imds_gnetpol.yaml" - allowEgressIMDSgnpFile, err := allowEgressIMDSgnpFiles.Open(allowEgressIMDSGNetPolLocalPath) - if err != nil { - return "", errors.Wrap(err, "error opening the allow egress IMDS file") - } - defer allowEgressIMDSgnpFile.Close() - allowEgressIMDSgnpContent, err := ioutil.ReadAll(allowEgressIMDSgnpFile) - if err != nil { - return "", err + var allowEgressIMDSgnpContent string + var err error + + if p.capxProvider == "azure" { + azureParams := struct { + Managed bool + }{ + Managed: p.capxManaged, + } + allowEgressIMDSgnpContent, err = getManifest("azure", "allow-egress-imds_gnetpol.yaml.tmpl", azureParams) + if err != nil { + return "", errors.Wrap(err, "error opening the allow egress IMDS file") + } + } else { + allowEgressIMDSGNetPolLocalPath := "files/" + p.capxProvider + "/allow-egress-imds_gnetpol.yaml" + allowEgressIMDSgnpFile, err := allowEgressIMDSgnpFiles.Open(allowEgressIMDSGNetPolLocalPath) + if err != nil { + return "", errors.Wrap(err, "error opening the allow egress IMDS file") + } + defer allowEgressIMDSgnpFile.Close() + allowEgressIMDSgnpContentBytes, err := ioutil.ReadAll(allowEgressIMDSgnpFile) + if err != nil { + return "", err + } + allowEgressIMDSgnpContent = string(allowEgressIMDSgnpContentBytes) } - return string(allowEgressIMDSgnpContent), nil + return allowEgressIMDSgnpContent, nil } func (p *Provider) deployCertManager(n nodes.Node, keosRegistryUrl string, kubeconfigPath string) error { 
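Review bot: In the new else branch `allowEgressIMDSgnpFile, err := ...` and `allowEgressIMDSgnpContentBytes, err := ...` redeclare `err` with `:=` and shadow the `var err error` declared at the top of the function; it happens to be harmless because each shadowed error is returned immediately, but go vet's shadow check and staticcheck flag it, and the outer `err` then serves only the azure branch — predeclaring the locals and assigning with `=`, or dropping the top-level `var err error`, keeps one `err`. The azure branch reuses the text `"error opening the allow egress IMDS file"` for what is a template render; `errors.Wrap(err, "error rendering the azure allow egress IMDS template")` points at the right step. `ioutil.ReadAll` is deprecated and this file already imports `io` (visible as context in the patch 6 import hunk), so `io.ReadAll(allowEgressIMDSgnpFile)` here would make the `io/ioutil` import that patch 6 adds back unnecessary.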
diff --git a/pkg/cluster/internal/create/actions/createworker/files/azure/allow-egress-imds_gnetpol.yaml b/pkg/cluster/internal/create/actions/createworker/templates/azure/allow-egress-imds_gnetpol.yaml.tmpl similarity index 71% rename from pkg/cluster/internal/create/actions/createworker/files/azure/allow-egress-imds_gnetpol.yaml rename to pkg/cluster/internal/create/actions/createworker/templates/azure/allow-egress-imds_gnetpol.yaml.tmpl index 6e8907b83b..d894f3ccec 100644 --- a/pkg/cluster/internal/create/actions/createworker/files/azure/allow-egress-imds_gnetpol.yaml +++ b/pkg/cluster/internal/create/actions/createworker/templates/azure/allow-egress-imds_gnetpol.yaml.tmpl @@ -2,7 +2,7 @@ apiVersion: crd.projectcalico.org/v1 kind: GlobalNetworkPolicy metadata: - name: allow-traffic-to-azure-imds-capz + name: allow-traffic-to-az-imds-capz spec: egress: - action: Log @@ -14,7 +14,12 @@ spec: - 2579 protocol: TCP order: 0 +{{- if $.Managed }} + namespaceSelector: kubernetes.io/metadata.name == 'capz-system' + selector: cluster.x-k8s.io/provider == 'infrastructure-azure' +{{- else }} namespaceSelector: kubernetes.io/metadata.name in { 'kube-system', 'capz-system' } selector: component == 'cloud-controller-manager' || app in { 'csi-azuredisk-controller', 'csi-azurefile-controller' } || cluster.x-k8s.io/provider == 'infrastructure-azure' +{{- end }} types: - Egress From dcea08ab0a73e4d994503cc52144489630111158 Mon Sep 17 00:00:00 2001 From: esierra-stratio Date: Fri, 9 Feb 2024 10:13:19 +0100 Subject: [PATCH 4/6] indent issues --- .../internal/create/actions/createworker/provider.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/cluster/internal/create/actions/createworker/provider.go b/pkg/cluster/internal/create/actions/createworker/provider.go index eb138e7642..f69ed2d5b3 100644 --- a/pkg/cluster/internal/create/actions/createworker/provider.go +++ b/pkg/cluster/internal/create/actions/createworker/provider.go 
@@ -245,9 +245,9 @@ func (p *Provider) getAllowCAPXEgressIMDSGNetPol() (string, error) { Managed: p.capxManaged, } allowEgressIMDSgnpContent, err = getManifest("azure", "allow-egress-imds_gnetpol.yaml.tmpl", azureParams) - if err != nil { - return "", errors.Wrap(err, "error opening the allow egress IMDS file") - } + if err != nil { + return "", errors.Wrap(err, "error opening the allow egress IMDS file") + } } else { allowEgressIMDSGNetPolLocalPath := "files/" + p.capxProvider + "/allow-egress-imds_gnetpol.yaml" allowEgressIMDSgnpFile, err := allowEgressIMDSgnpFiles.Open(allowEgressIMDSGNetPolLocalPath) From 9b2612f97c08ca8c2a31fdfb78674aa945579090 Mon Sep 17 00:00:00 2001 From: esierra-stratio Date: Tue, 13 Feb 2024 12:06:50 +0100 Subject: [PATCH 5/6] CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 72cf31180f..6971dc9e7e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ * [Azure] Bump cluster-api-provider-azure to v1.11.3: Add priority class to NMI * [Core] Add PDB and PriorityClass to capx components * [Core] Bump cluster api to v1.5.3 +* [Azure] Restric imds access ## 0.17.0-0.3.0 (2023-09-14) From 522d868cf89585da60ff67430fe99f33a6db74f2 Mon Sep 17 00:00:00 2001 From: esierra-stratio Date: Mon, 26 Feb 2024 14:25:18 +0100 Subject: [PATCH 6/6] fix package CI stage --- .../actions/createworker/createworker.go | 39 ------------------- .../create/actions/createworker/provider.go | 2 + 2 files changed, 2 insertions(+), 39 deletions(-) diff --git a/pkg/cluster/internal/create/actions/createworker/createworker.go b/pkg/cluster/internal/create/actions/createworker/createworker.go index 30d5b08ebb..70904dedfa 100644 --- a/pkg/cluster/internal/create/actions/createworker/createworker.go +++ b/pkg/cluster/internal/create/actions/createworker/createworker.go 
@@ -638,45 +638,6 @@ func (a *action) Execute(ctx *actions.ActionContext) error { c = "kubectl --kubeconfig " + kubeconfigPath + " apply -f " + allowCAPXEgressIMDSGNetPolPath _, err = commons.ExecuteCommand(n, c, 5) - // Create the allow and deny (global) network policy file in the container - denyallEgressIMDSGNetPolPath := "/kind/deny-all-egress-imds_gnetpol.yaml" - allowCAPXEgressIMDSGNetPolPath := "/kind/allow-egress-imds_gnetpol.yaml" - // Allow egress in kube-system Namespace - c = "kubectl --kubeconfig " + kubeconfigPath + " -n kube-system apply -f " + allowCommonEgressNetPolPath - _, err = commons.ExecuteCommand(n, c) - if err != nil { - return errors.Wrap(err, "failed to apply kube-system egress NetworkPolicy") - } - denyEgressIMDSGNetPol, err := provider.getDenyAllEgressIMDSGNetPol() - if err != nil { - return err - } - c = "echo \"" + denyEgressIMDSGNetPol + "\" > " + denyallEgressIMDSGNetPolPath - _, err = commons.ExecuteCommand(n, c) - if err != nil { - return errors.Wrap(err, "failed to write the deny-all-traffic-to-aws-imds global network policy") - } - allowEgressIMDSGNetPol, err := provider.getAllowCAPXEgressIMDSGNetPol() - if err != nil { - return err - } - c = "echo \"" + allowEgressIMDSGNetPol + "\" > " + allowCAPXEgressIMDSGNetPolPath - _, err = commons.ExecuteCommand(n, c) - if err != nil { - return errors.Wrap(err, "failed to write the allow-traffic-to-aws-imds-capa global network policy") - } - // Deny CAPA egress to AWS IMDS - c = "kubectl --kubeconfig " + kubeconfigPath + " apply -f " + denyallEgressIMDSGNetPolPath - _, err = commons.ExecuteCommand(n, c) - if err != nil { - return errors.Wrap(err, "failed to apply deny IMDS traffic GlobalNetworkPolicy") - } - // Allow CAPA egress to AWS IMDS - c = "kubectl --kubeconfig " + kubeconfigPath + " apply -f " + allowCAPXEgressIMDSGNetPolPath - _, err = commons.ExecuteCommand(n, c) - if err != nil { - return errors.Wrap(err, "failed to apply allow CAPX as egress GlobalNetworkPolicy") - } 
ctx.Status.End(true) // End Installing Network Policy Engine in workload cluster if a.keosCluster.Spec.DeployAutoscaler && !isMachinePool { diff --git a/pkg/cluster/internal/create/actions/createworker/provider.go b/pkg/cluster/internal/create/actions/createworker/provider.go index 2b1b80f36f..a444882525 100644 --- a/pkg/cluster/internal/create/actions/createworker/provider.go +++ b/pkg/cluster/internal/create/actions/createworker/provider.go @@ -23,6 +23,7 @@ import ( "encoding/json" "fmt" "io" + "io/ioutil" "path/filepath" "regexp" "strconv" @@ -266,6 +267,7 @@ func (p *Provider) getAllowCAPXEgressIMDSGNetPol() (string, error) { allowEgressIMDSgnpContent = string(allowEgressIMDSgnpContentBytes) } return allowEgressIMDSgnpContent, nil +} func getcapxPDB(commonsPDBLocalPath string) (string, error) { commonsPDBFile, err := commonsPDBFile.Open(commonsPDBLocalPath)
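Review bot: After the deletion, `_, err = commons.ExecuteCommand(n, c, 5)` for the allow GlobalNetworkPolicy is followed directly by `ctx.Status.End(true)` with no error check; the only `if err != nil` guarding that apply was inside the removed duplicate block. A failed apply of the allow policy then leaves the deny policy in place with no allow for CAPx and the CSI controllers, and the installer still reports success. Reinstate `if err != nil { return errors.Wrap(err, "failed to apply allow CAPX as egress GlobalNetworkPolicy") }` between the two lines. The earlier steps of this block are outside the hunk, so whether their `err` checks survived the merge is worth a look too; Execute begins and ends outside the hunk.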