Bug
Resolution: Done
Major
4.16.0
Quality / Stability / Reliability
False
Important
No
Rejected
Description of problem:
After installing an AWS cluster with CAPI on the latest 4.16 build, I checked the TCP/22 ingress rule configured in the master and worker security groups (SGs): its source was limited to the "<cluster_id>-node" and "<cluster_id>-controlplane" SGs.
{
  "FromPort": 22,
  "IpProtocol": "tcp",
  "IpRanges": [],
  "Ipv6Ranges": [],
  "PrefixListIds": [],
  "ToPort": 22,
  "UserIdGroupPairs": [
    {
      "Description": "Port 22 (TCP)",
      "GroupId": "sg-062320796a693e265",
      "UserId": "301721915996"
    },
    {
      "Description": "Port 22 (TCP)",
      "GroupId": "sg-045d04f22471f849f",
      "UserId": "301721915996"
    }
  ]
},
In a Terraform-based install, by contrast, the source of this rule is the VPC CIDR:
{
  "FromPort": 22,
  "IpProtocol": "tcp",
  "IpRanges": [
    {
      "CidrIp": "10.0.0.0/16",
      "Description": "Created By OpenShift Installer"
    }
  ],
  "Ipv6Ranges": [],
  "PrefixListIds": [],
  "ToPort": 22,
  "UserIdGroupPairs": []
},
So the current CAPI configuration blocks SSH connections to masters and nodes from any other machine inside the VPC (such as a bastion host) that is not a member of one of those two SGs.
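To make the difference between the two rule sets concrete, here is an added audit helper (example code, not part of the report or of the installer) that evaluates describe-security-groups ingress permissions the way the SG itself does: a source is admitted if it falls in a listed CIDR or is a member of a referenced SG. The two rules are the ones quoted above; the bastion address 10.0.1.5 and the group id "sg-bastion-example" are constructed for the example, and the handling of IpProtocol "-1" (all traffic) goes beyond the report's TCP/22 case.

```python
import ipaddress

# The two ingress permissions quoted in the report (CAPI install vs. Terraform install).
CAPI_SSH_RULE = {
    "FromPort": 22, "IpProtocol": "tcp", "ToPort": 22,
    "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
    "UserIdGroupPairs": [
        {"Description": "Port 22 (TCP)", "GroupId": "sg-062320796a693e265", "UserId": "301721915996"},
        {"Description": "Port 22 (TCP)", "GroupId": "sg-045d04f22471f849f", "UserId": "301721915996"},
    ],
}
TERRAFORM_SSH_RULE = {
    "FromPort": 22, "IpProtocol": "tcp", "ToPort": 22,
    "IpRanges": [{"CidrIp": "10.0.0.0/16", "Description": "Created By OpenShift Installer"}],
    "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": [],
}


def rule_admits(rule, src_ip, src_sgs=(), port=22):
    """True if one ingress permission admits TCP `port` from `src_ip`, or from an
    instance that is a member of any security group id listed in `src_sgs`."""
    proto = rule["IpProtocol"]
    if proto == "-1":            # "all traffic": no FromPort/ToPort keys are present
        in_range = True
    elif proto != "tcp":
        return False
    else:
        in_range = rule["FromPort"] <= port <= rule["ToPort"]
    if not in_range:
        return False
    ip = ipaddress.ip_address(src_ip)
    # CIDR sources: IPv4 ranges use "CidrIp", IPv6 ranges use "CidrIpv6".
    ranges, key = (rule.get("IpRanges", []), "CidrIp") if ip.version == 4 \
        else (rule.get("Ipv6Ranges", []), "CidrIpv6")
    if any(ip in ipaddress.ip_network(r[key]) for r in ranges):
        return True
    # SG sources: admitted only if the client is a member of a referenced group.
    return any(p["GroupId"] in src_sgs for p in rule.get("UserIdGroupPairs", []))


def ssh_reachable(permissions, src_ip, src_sgs=()):
    """Evaluate a whole IpPermissions list; any single admitting rule wins."""
    return any(rule_admits(r, src_ip, src_sgs) for r in permissions)


if __name__ == "__main__":
    # Constructed bastion: inside the VPC CIDR, but in its own SG rather than the node/controlplane SGs.
    bastion_ip, bastion_sgs = "10.0.1.5", ("sg-bastion-example",)
    print("CAPI rule admits bastion:     ", ssh_reachable([CAPI_SSH_RULE], bastion_ip, bastion_sgs))
    print("Terraform rule admits bastion:", ssh_reachable([TERRAFORM_SSH_RULE], bastion_ip, bastion_sgs))
```

Feeding the real `IpPermissions` list of a master or worker SG to `ssh_reachable` with the bastion's address and group ids reproduces the check the report describes.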
Version-Release number of selected component (if applicable):
4.16.0-0.nightly-2024-05-16-092402
How reproducible:
Steps to Reproduce:
Actual results:
Expected results:
Additional info: