Don't disable AWS src/dst checks in Calico IPv6

kubernetes · Nov 26, 2022 · b6970c4 · b6970c4
1 parent c634928
commit b6970c4
Show file tree

Hide file tree

Showing 10 changed files with 11 additions and 13 deletions.
diff --git a/k8s/crds/kops.k8s.io_clusters.yaml b/k8s/crds/kops.k8s.io_clusters.yaml
@@ -4430,8 +4430,8 @@ spec:
                         type: boolean
                       awsSrcDstCheck:
                         description: 'AWSSrcDstCheck enables/disables ENI source/destination
-                          checks (AWS only) Options: Disable (default), Enable, or
-                          DoNothing'
+                          checks (AWS only) Options: Disable (default for IPv4), Enable,
+                          or DoNothing (default for IPv6)'
                         type: string
                       bpfEnabled:
                         description: BPFEnabled enables the eBPF dataplane mode.

diff --git a/pkg/apis/kops/networking.go b/pkg/apis/kops/networking.go
@@ -106,7 +106,7 @@ type CalicoNetworkingSpec struct {
 	// (default: false)
 	AllowIPForwarding bool `json:"allowIPForwarding,omitempty"`
 	// AWSSrcDstCheck enables/disables ENI source/destination checks (AWS only)
-	// Options: Disable (default), Enable, or DoNothing
+	// Options: Disable (default for IPv4), Enable, or DoNothing (default for IPv6)
 	AWSSrcDstCheck string `json:"awsSrcDstCheck,omitempty"`
 	// BPFEnabled enables the eBPF dataplane mode.
 	BPFEnabled bool `json:"bpfEnabled,omitempty"`

diff --git a/pkg/apis/kops/v1alpha2/networking.go b/pkg/apis/kops/v1alpha2/networking.go
@@ -109,7 +109,7 @@ type CalicoNetworkingSpec struct {
 	// (default: false)
 	AllowIPForwarding bool `json:"allowIPForwarding,omitempty"`
 	// AWSSrcDstCheck enables/disables ENI source/destination checks (AWS only)
-	// Options: Disable (default), Enable, or DoNothing
+	// Options: Disable (default for IPv4), Enable, or DoNothing (default for IPv6)
 	AWSSrcDstCheck string `json:"awsSrcDstCheck,omitempty"`
 	// BPFEnabled enables the eBPF dataplane mode.
 	BPFEnabled bool `json:"bpfEnabled,omitempty"`

diff --git a/pkg/apis/kops/v1alpha3/networking.go b/pkg/apis/kops/v1alpha3/networking.go
@@ -106,7 +106,7 @@ type CalicoNetworkingSpec struct {
 	// (default: false)
 	AllowIPForwarding bool `json:"allowIPForwarding,omitempty"`
 	// AWSSrcDstCheck enables/disables ENI source/destination checks (AWS only)
-	// Options: Disable (default), Enable, or DoNothing
+	// Options: Disable (default for IPv4), Enable, or DoNothing (default for IPv6)
 	AWSSrcDstCheck string `json:"awsSrcDstCheck,omitempty"`
 	// BPFEnabled enables the eBPF dataplane mode.
 	BPFEnabled bool `json:"bpfEnabled,omitempty"`

diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
@@ -373,7 +373,7 @@ func (r *NodeRoleAPIServer) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 		addCiliumEniPermissions(p)
 	}
 
-	if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Calico != nil && b.Cluster.Spec.Networking.Calico.AWSSrcDstCheck != "DoNothing" {
+	if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Calico != nil && b.Cluster.Spec.Networking.Calico.AWSSrcDstCheck != "DoNothing" && (!b.Cluster.Spec.IsIPv6Only() || b.Cluster.Spec.Networking.Calico.AWSSrcDstCheck != "") {
 		addCalicoSrcDstCheckPermissions(p)
 	}
 
@@ -452,7 +452,7 @@ func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 		addCiliumEniPermissions(p)
 	}
 
-	if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Calico != nil && b.Cluster.Spec.Networking.Calico.AWSSrcDstCheck != "DoNothing" {
+	if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Calico != nil && b.Cluster.Spec.Networking.Calico.AWSSrcDstCheck != "DoNothing" && (!b.Cluster.Spec.IsIPv6Only() || b.Cluster.Spec.Networking.Calico.AWSSrcDstCheck != "") {
 		addCalicoSrcDstCheckPermissions(p)
 	}
 
@@ -478,7 +478,7 @@ func (r *NodeRoleNode) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 		addAmazonVPCCNIPermissions(p)
 	}
 
-	if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Calico != nil && b.Cluster.Spec.Networking.Calico.AWSSrcDstCheck != "DoNothing" {
+	if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Calico != nil && b.Cluster.Spec.Networking.Calico.AWSSrcDstCheck != "DoNothing" && (!b.Cluster.Spec.IsIPv6Only() || b.Cluster.Spec.Networking.Calico.AWSSrcDstCheck != "") {
 		addCalicoSrcDstCheckPermissions(p)
 	}
 

diff --git a/...ster/minimal-ipv6-calico/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy b/...ster/minimal-ipv6-calico/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy
@@ -185,7 +185,6 @@
         "ec2:DescribeVolumes",
         "ec2:DescribeVolumesModifications",
         "ec2:DescribeVpcs",
-        "ec2:ModifyNetworkInterfaceAttribute",
         "elasticloadbalancing:DescribeListeners",
         "elasticloadbalancing:DescribeLoadBalancerAttributes",
         "elasticloadbalancing:DescribeLoadBalancerPolicies",

diff --git a/...luster/minimal-ipv6-calico/data/aws_iam_role_policy_nodes.minimal-ipv6.example.com_policy b/...luster/minimal-ipv6-calico/data/aws_iam_role_policy_nodes.minimal-ipv6.example.com_policy
@@ -19,7 +19,6 @@
         "ec2:DescribeInstanceTypes",
         "ec2:DescribeInstances",
         "ec2:DescribeRegions",
-        "ec2:ModifyNetworkInterfaceAttribute",
         "iam:GetServerCertificate",
         "iam:ListServerCertificates",
         "kms:GenerateRandom"

diff --git a/.../minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content b/.../minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content
@@ -55,7 +55,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.25
     manifest: networking.projectcalico.org/k8s-1.25.yaml
-    manifestHash: decc34a7f133bfc9bed78456047eccd399a67a4e17c49259e06f487a4b74092e
+    manifestHash: 87046f7e66df6437ddf0a74ce7871dad02e0961a4a47c36a0fd6fff6434aac41
     name: networking.projectcalico.org
     prune:
       kinds:

diff --git a/...s_s3_object_minimal-ipv6.example.com-addons-networking.projectcalico.org-k8s-1.25_content b/...s_s3_object_minimal-ipv6.example.com-addons-networking.projectcalico.org-k8s-1.25_content
@@ -4547,7 +4547,7 @@ spec:
         - name: FELIX_HEALTHENABLED
           value: "true"
         - name: FELIX_AWSSRCDSTCHECK
-          value: Disable
+          value: DoNothing
         - name: FELIX_BPFENABLED
           value: "false"
         - name: FELIX_BPFEXTERNALSERVICEMODE

diff --git a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.25.yaml.template b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.25.yaml.template
@@ -4661,7 +4661,7 @@ spec:
             # kops additions
             # Enable source/destination checks for AWS
             - name: FELIX_AWSSRCDSTCHECK
-              value: "{{- if eq GetCloudProvider "aws" -}}{{- or .Networking.Calico.AWSSrcDstCheck "Disable" -}}{{- else -}}DoNothing{{- end -}}"
+              value: "{{- if and (eq GetCloudProvider "aws") (not IsIPv6Only) -}}{{- or .Networking.Calico.AWSSrcDstCheck "Disable" -}}{{- else -}}DoNothing{{- end -}}"
             # Enable eBPF dataplane mode
             - name: FELIX_BPFENABLED
               value: "{{ .Networking.Calico.BPFEnabled }}"