Stratio · lreciomelero · Jul 11, 2023 · Jul 12, 2023 · Jul 12, 2023 · Jul 24, 2023
@@ -0,0 +1,104 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package actions
+
+import (
+	"sync"
+
+	"sigs.k8s.io/kind/pkg/cluster/nodes"
+	"sigs.k8s.io/kind/pkg/cluster/nodeutils"
+	"sigs.k8s.io/kind/pkg/internal/apis/config"
+	"sigs.k8s.io/kind/pkg/internal/cli"
+	"sigs.k8s.io/kind/pkg/log"
+
+	"sigs.k8s.io/kind/pkg/cluster/internal/providers"
+)
+
+// Action defines a step of bringing up a kind cluster after initial node
+// container creation
+type Action interface {
+	Execute(ctx *ActionContext) error
+}
+
+// ActionContext is data supplied to all actions
+type ActionContext struct {
+	Logger   log.Logger
+	Status   *cli.Status
+	Config   *config.Cluster
+	Provider providers.Provider
+	cache    *cachedData
+}
+
+// NewActionContext returns a new ActionContext
+func NewActionContext(
+	logger log.Logger,
+	status *cli.Status,
+	provider providers.Provider,
+	cfg *config.Cluster,
+) *ActionContext {
+	return &ActionContext{
+		Logger:   logger,
+		Status:   status,
+		Provider: provider,
+		Config:   cfg,
+		cache:    &cachedData{},
+	}
+}
+
+type cachedData struct {
+	mu    sync.RWMutex
+	nodes []nodes.Node
+}
+
+func (cd *cachedData) getNodes() []nodes.Node {
+	cd.mu.RLock()
+	defer cd.mu.RUnlock()
+	return cd.nodes
+}
+
+func (cd *cachedData) setNodes(n []nodes.Node) {
+	cd.mu.Lock()
+	defer cd.mu.Unlock()
+	cd.nodes = n
+}
+
+// Nodes returns the list of cluster nodes, this is a cached call
+func (ac *ActionContext) Nodes() ([]nodes.Node, error) {
+	cachedNodes := ac.cache.getNodes()
+	if cachedNodes != nil {
+		return cachedNodes, nil
+	}
+	n, err := ac.Provider.ListNodes(ac.Config.Name)
+	if err != nil {
+		return nil, err
+	}
+	ac.cache.setNodes(n)
+	return n, nil
+}
+
+func (ac *ActionContext) GetNode() (nodes.Node, error) {
+	allNodes, err := ac.Nodes()
+	if err != nil {
+		return nil, err
+	}
+
+	controlPlanes, err := nodeutils.ControlPlaneNodes(allNodes)
+	if err != nil {
+		return nil, err
+	}
+	return controlPlanes[0], nil
+}
@@ -56,14 +56,6 @@ var allowCommonEgressNetPol string
 //go:embed files/gcp/rbac-loadbalancing.yaml
 var rbacInternalLoadBalancing string
 
-// In common with keos installer
-//
-//go:embed files/aws/deny-all-egress-imds_gnetpol.yaml
-var denyallEgressIMDSGNetPol string
-
-//go:embed files/aws/allow-capa-egress-imds_gnetpol.yaml
-var allowCAPAEgressIMDSGNetPol string
-
 // NewAction returns a new action for installing default CAPI
 func NewAction(vaultPassword string, descriptorPath string, moveManagement bool, avoidCreation bool) actions.Action {
 	return &action{
@@ -90,8 +82,6 @@ func (a *action) Execute(ctx *actions.ActionContext) error {
 	if err != nil {
 		return errors.Wrap(err, "failed to parse cluster descriptor")
 	}
-	//spec := keosCluster.Spec
-
 	// Get the secrets
 
 	credentialsMap, keosRegistry, githubToken, dockerRegistries, err := commons.GetSecrets(keosCluster.Spec, a.vaultPassword)
@@ -466,57 +456,65 @@ func (a *action) Execute(ctx *actions.ActionContext) error {
 
 		ctx.Status.End(true) // End Installing CAPx in workload cluster
 
+		ctx.Status.Start("Installing Network Policy Engine in workload cluster 🚧")
+		defer ctx.Status.End(false)
+
 		// Use Calico as network policy engine in managed systems
 		if provider.capxProvider != "azure" && keosCluster.Spec.ControlPlane.Managed {
-			ctx.Status.Start("Installing Network Policy Engine in workload cluster 🚧")
-			defer ctx.Status.End(false)
 
 			err = installCalico(n, kubeconfigPath, *keosCluster, allowCommonEgressNetPolPath)
 			if err != nil {
 				return errors.Wrap(err, "failed to install Network Policy Engine in workload cluster")
 			}
+		}
 
-			// Create the allow and deny (global) network policy file in the container
-			if keosCluster.Spec.InfraProvider == "aws" {
-				denyallEgressIMDSGNetPolPath := "/kind/deny-all-egress-imds_gnetpol.yaml"
-				allowCAPAEgressIMDSGNetPolPath := "/kind/allow-capa-egress-imds_gnetpol.yaml"
+		// Create the allow and deny (global) network policy file in the container
+		denyallEgressIMDSGNetPolPath := "/kind/deny-all-egress-imds_gnetpol.yaml"
+		allowCAPXEgressIMDSGNetPolPath := "/kind/allow-egress-imds_gnetpol.yaml"
 
-				// Allow egress in kube-system Namespace
-				c = "kubectl --kubeconfig " + kubeconfigPath + " -n kube-system apply -f " + allowCommonEgressNetPolPath
-				_, err = commons.ExecuteCommand(n, c)
-				if err != nil {
-					return errors.Wrap(err, "failed to apply kube-system egress NetworkPolicy")
-				}
+		// Allow egress in kube-system Namespace
+		c = "kubectl --kubeconfig " + kubeconfigPath + " -n kube-system apply -f " + allowCommonEgressNetPolPath
+		_, err = commons.ExecuteCommand(n, c)
+		if err != nil {
+			return errors.Wrap(err, "failed to apply kube-system egress NetworkPolicy")
+		}
+		denyEgressIMDSGNetPol, err := provider.getDenyAllEgressIMDSGNetPol()
+		if err != nil {
+			return err
+		}
 
-				c = "echo \"" + denyallEgressIMDSGNetPol + "\" > " + denyallEgressIMDSGNetPolPath
-				_, err = commons.ExecuteCommand(n, c)
-				if err != nil {
-					return errors.Wrap(err, "failed to write the deny-all-traffic-to-aws-imds global network policy")
-				}
-				c = "echo \"" + allowCAPAEgressIMDSGNetPol + "\" > " + allowCAPAEgressIMDSGNetPolPath
-				_, err = commons.ExecuteCommand(n, c)
-				if err != nil {
-					return errors.Wrap(err, "failed to write the allow-traffic-to-aws-imds-capa global network policy")
-				}
+		c = "echo \"" + denyEgressIMDSGNetPol + "\" > " + denyallEgressIMDSGNetPolPath
+		_, err = commons.ExecuteCommand(n, c)
+		if err != nil {
+			return errors.Wrap(err, "failed to write the deny-all-traffic-to-aws-imds global network policy")
+		}
+		allowEgressIMDSGNetPol, err := provider.getAllowCAPXEgressIMDSGNetPol()
+		if err != nil {
+			return err
+		}
 
-				// Deny CAPA egress to AWS IMDS
-				c = "kubectl --kubeconfig " + kubeconfigPath + " apply -f " + denyallEgressIMDSGNetPolPath
-				_, err = commons.ExecuteCommand(n, c)
-				if err != nil {
-					return errors.Wrap(err, "failed to apply deny IMDS traffic GlobalNetworkPolicy")
-				}
+		c = "echo \"" + allowEgressIMDSGNetPol + "\" > " + allowCAPXEgressIMDSGNetPolPath
+		_, err = commons.ExecuteCommand(n, c)
+		if err != nil {
+			return errors.Wrap(err, "failed to write the allow-traffic-to-aws-imds-capa global network policy")
+		}
 
-				// Allow CAPA egress to AWS IMDS
-				c = "kubectl --kubeconfig " + kubeconfigPath + " apply -f " + allowCAPAEgressIMDSGNetPolPath
-				_, err = commons.ExecuteCommand(n, c)
-				if err != nil {
-					return errors.Wrap(err, "failed to apply allow CAPA as egress GlobalNetworkPolicy")
-				}
-			}
+		// Deny CAPA egress to AWS IMDS
+		c = "kubectl --kubeconfig " + kubeconfigPath + " apply -f " + denyallEgressIMDSGNetPolPath
+		_, err = commons.ExecuteCommand(n, c)
+		if err != nil {
+			return errors.Wrap(err, "failed to apply deny IMDS traffic GlobalNetworkPolicy")
+		}
 
-			ctx.Status.End(true) // End Installing Network Policy Engine in workload cluster
+		// Allow CAPA egress to AWS IMDS
+		c = "kubectl --kubeconfig " + kubeconfigPath + " apply -f " + allowCAPXEgressIMDSGNetPolPath
+		_, err = commons.ExecuteCommand(n, c)
+		if err != nil {
+			return errors.Wrap(err, "failed to apply allow CAPX as egress GlobalNetworkPolicy")
 		}
 
+		ctx.Status.End(true) // End Installing Network Policy Engine in workload cluster
+
 		if keosCluster.Spec.DeployAutoscaler && !(keosCluster.Spec.InfraProvider == "azure" && keosCluster.Spec.ControlPlane.Managed) {
 			ctx.Status.Start("Adding Cluster-Autoescaler 🗚")
 			defer ctx.Status.End(false)

@@ -0,0 +1,17 @@
+---
+apiVersion: crd.projectcalico.org/v1
+kind: GlobalNetworkPolicy
+metadata:
+  name: allow-traffic-to-azure-imds-capz
+spec:
+  egress:
+  - action: Allow
+    destination:
+      nets:
+      - 169.254.169.254/32
+    protocol: TCP
+  order: 0
+  namespaceSelector: kubernetes.io/metadata.name in { 'kube-system', 'capz-system' }
+  selector: app.kubernetes.io/name == 'azuredisk-csi-driver' || cluster.x-k8s.io/provider == 'infrastructure-azure'
+  types:
+  - Egress
@@ -0,0 +1,20 @@
+---
+apiVersion: crd.projectcalico.org/v1
+kind: GlobalNetworkPolicy
+metadata:
+  name: deny-all-traffic-to-azure-imds
+spec:
+  egress:
+  - action: Deny
+    destination:
+      nets:
+      - 169.254.169.254/32
+    protocol: TCP
+  order: 10
+  selector: all()
+  types:
+  - Egress
+
+
+
+