Description of problem:
When deploying 4.16, a customer identified a security risk in an inbound rule of the "node" security group: it allows access from 0.0.0.0/0 to the node port range 30000-32767. This issue did not exist in versions prior to 4.16, so we suspect it may be a regression. It seems to be related to the use of CAPI (Cluster API), which could have changed the behavior. Trying to understand why this was allowed.
Version-Release number of selected component (if applicable):
4.16
How reproducible:
Steps to Reproduce:
1. Install a 4.16 cluster. (On 4.12 installations, this is not the case.)
Actual results:
The installer configures an inbound rule on the node security group allowing access from 0.0.0.0/0 for port range 30000-32767.
Expected results:
The installer should *NOT* create an inbound security group rule allowing access to the node port range 30000-32767 from any CIDR range (0.0.0.0/0).
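An added audit check (not part of this report or of the installer/CAPA code) for anyone who wants to verify their existing clusters: it takes a security group in the shape returned by `aws ec2 describe-security-groups` and reports every inbound rule that exposes the NodePort range 30000-32767 to 0.0.0.0/0 or ::/0. The sample "node" group, its group id and the 10.0.0.0/16 VPC CIDR are constructed for the example.

```python
"""Audit an AWS security group (shape of `aws ec2 describe-security-groups`)
for inbound rules exposing the Kubernetes NodePort range to the whole internet."""

NODEPORT_RANGE = (30000, 32767)
ANY_CIDRS = {"0.0.0.0/0", "::/0"}


def _overlaps_nodeport(perm):
    """True if this IpPermission covers at least one port in the NodePort range."""
    if perm.get("IpProtocol") == "-1":            # all traffic, all ports
        return True
    if perm.get("IpProtocol") not in ("tcp", "udp"):
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return lo <= NODEPORT_RANGE[1] and hi >= NODEPORT_RANGE[0]


def find_open_nodeport_rules(security_group):
    """Return (protocol, from_port, to_port, cidr) for each world-open NodePort rule."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        if not _overlaps_nodeport(perm):
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in ANY_CIDRS:
                findings.append((perm["IpProtocol"], perm.get("FromPort"),
                                 perm.get("ToPort"), cidr))
    return findings


# Constructed sample: a "node" group carrying the rule described in this report,
# plus two rules correctly limited to an assumed VPC CIDR (10.0.0.0/16).
SAMPLE_NODE_SG = {
    "GroupId": "sg-PLACEHOLDER",          # placeholder, not a real group id
    "GroupName": "example-node",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 30000, "ToPort": 32767,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 10250, "ToPort": 10250,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "udp", "FromPort": 30000, "ToPort": 32767,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
}

if __name__ == "__main__":
    for proto, lo, hi, cidr in find_open_nodeport_rules(SAMPLE_NODE_SG):
        print(f"{SAMPLE_NODE_SG['GroupName']}: {proto} {lo}-{hi} open to {cidr}")
```

Only the first rule of the sample is reported; the VPC-scoped tcp and udp rules are the shape the expected result above asks for.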
Additional info:
#forum-ocp-cloud slack discussion: https://redhat-internal.slack.com/archives/CBZHF4DHC/p1728484197441409
Relevant code:
https://github.com/kubernetes-sigs/cluster-api-provider-aws/blob/v2.4.0/pkg/cloud/services/securitygroup/securitygroups.go#L551