Merge pull request #1854 from HarryStericker/optional-icmp-open

dominicgunn · web-flow · commit 21a0c482dca2 · 2020-05-27T11:58:16.000+01:00
[v0.16.0] Creating a switch to disable ICMP Ping instead of the default allow 0.0.0/0
diff --git a/builtin/files/cluster.yaml.tmpl b/builtin/files/cluster.yaml.tmpl
@@ -1360,6 +1360,10 @@ kubeProxy:
 # It is enabled by default.
 #cloudFormationStreaming: true
 
+# When enabled, a security group rule is included on the generated kube-aws SG to allow ICMP Ping from all traffic (0.0.0.0/0).
+# This is applied to all nodes (worker & control plane) in the cluster.
+openICMP: true
+ 
 # Addon features
 addons:
   # When enabled, Kubernetes rescheduler is deployed to the cluster controller(s)
diff --git a/builtin/files/stack-templates/control-plane.json.tmpl b/builtin/files/stack-templates/control-plane.json.tmpl
@@ -211,20 +211,22 @@
           }
         ],
         "SecurityGroupIngress": [
+          {{ if .OpenICMP -}}
+          {
+            "CidrIp": "0.0.0.0/0",
+            "FromPort": -1,
+            "IpProtocol": "icmp",
+            "ToPort": -1
+          },
+          {{end -}}
           {{ range $_, $r := $.SSHAccessAllowedSourceCIDRs -}}
           {
             "CidrIp": "{{$r}}",
             "FromPort": 22,
             "IpProtocol": "tcp",
             "ToPort": 22
-          },
-          {{end -}}
-          {
-            "CidrIp": "0.0.0.0/0",
-            "FromPort": -1,
-            "IpProtocol": "icmp",
-            "ToPort": -1
           }
+          {{end -}}
         ],
         "Tags": [
           {
diff --git a/builtin/files/stack-templates/network.json.tmpl b/builtin/files/stack-templates/network.json.tmpl
@@ -91,12 +91,14 @@
           }
         ],
         "SecurityGroupIngress": [
+          {{ if .OpenICMP -}}
           {
             "CidrIp": "0.0.0.0/0",
             "FromPort": -1,
             "IpProtocol": "icmp",
             "ToPort": -1
           },
+          {{end -}}
           {{ range $_, $r := $.SSHAccessAllowedSourceCIDRs -}}
           {
             "CidrIp": "{{$r}}",
diff --git a/pkg/api/cluster.go b/pkg/api/cluster.go
@@ -562,6 +562,7 @@ type Cluster struct {
 	CustomApiServerSettings     CustomApiServerSettings `yaml:"customApiServerSettings,omitempty"`
 	CustomSettings              map[string]interface{}  `yaml:"customSettings,omitempty"`
 	KubeResourcesAutosave       `yaml:"kubeResourcesAutosave,omitempty"`
+	OpenICMP                    bool `yaml:"openICMP,omitempty"`
 }
 
 type WaitSignal struct {

Original file line number	Diff line number	Diff line change
`@@ -91,12 +91,14 @@`
`91`	`91`	`}`
`92`	`92`	`],`
`93`	`93`	`"SecurityGroupIngress": [`
	`94`	`+ {{ if .OpenICMP -}}`
`94`	`95`	`{`
`95`	`96`	`"CidrIp": "0.0.0.0/0",`
`96`	`97`	`"FromPort": -1,`
`97`	`98`	`"IpProtocol": "icmp",`
`98`	`99`	`"ToPort": -1`
`99`	`100`	`},`
	`101`	`+ {{end -}}`
`100`	`102`	`{{ range $_, $r := $.SSHAccessAllowedSourceCIDRs -}}`
`101`	`103`	`{`
`102`	`104`	`"CidrIp": "{{$r}}",`
Original file line number	Diff line number	Diff line change
`@@ -562,6 +562,7 @@ type Cluster struct {`
`562`	`562`	CustomApiServerSettings CustomApiServerSettings `yaml:"customApiServerSettings,omitempty"`
`563`	`563`	CustomSettings map[string]interface{} `yaml:"customSettings,omitempty"`
`564`	`564`	KubeResourcesAutosave `yaml:"kubeResourcesAutosave,omitempty"`
	`565`	+ OpenICMP bool `yaml:"openICMP,omitempty"`
`565`	`566`	`}`
`566`	`567`
`567`	`568`	`type WaitSignal struct {`