From f6b538219882dffb4b5b3753e0c2eda1a6ce941b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Przemys=C5=82aw=20Golicz?= Date: Wed, 3 Jul 2024 14:33:21 +0200 Subject: [PATCH 1/2] Blocking SSH access to provisioned Gardener clusters --- .../internal/model/gardener_config.go | 19 ++++++++++++++++++- .../internal/model/gardener_config_test.go | 15 +++++++++++++++ 2 files changed, 33 insertions(+), 1 deletion(-) diff --git a/components/provisioner/internal/model/gardener_config.go b/components/provisioner/internal/model/gardener_config.go index 62a1b5f711..3f8ccbfda6 100644 --- a/components/provisioner/internal/model/gardener_config.go +++ b/components/provisioner/internal/model/gardener_config.go @@ -3,7 +3,6 @@ package model import ( "encoding/json" "fmt" - "github.com/hashicorp/go-version" gardener_types "github.com/gardener/gardener/pkg/apis/core/v1beta1" @@ -365,6 +364,9 @@ func (c GCPGardenerConfig) ExtendShootConfig(gardenerConfig GardenerConfig, shoo ControlPlaneConfig: &apimachineryRuntime.RawExtension{Raw: jsonCPData}, InfrastructureConfig: &apimachineryRuntime.RawExtension{Raw: jsonData}, Workers: workers, + WorkersSettings: &gardener_types.WorkersSettings{ + SSHAccess: &gardener_types.SSHAccess{Enabled: false}, + }, } return nil @@ -519,6 +521,9 @@ func (c AzureGardenerConfig) ExtendShootConfig(gardenerConfig GardenerConfig, sh ControlPlaneConfig: &apimachineryRuntime.RawExtension{Raw: jsonCPData}, InfrastructureConfig: &apimachineryRuntime.RawExtension{Raw: jsonData}, Workers: workers, + WorkersSettings: &gardener_types.WorkersSettings{ + SSHAccess: &gardener_types.SSHAccess{Enabled: false}, + }, } return nil 
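Review bot: The `WorkersSettings: &gardener_types.WorkersSettings{SSHAccess: &gardener_types.SSHAccess{Enabled: false}}` literal added to GCPGardenerConfig.ExtendShootConfig is repeated verbatim in the Azure, AWS and OpenStack variants and once more in updateShootConfig, so the SSH-disabled policy now lives in five places that must be kept in sync by hand. A package-level helper such as `func sshAccessDisabled() *gardener_types.WorkersSettings { return &gardener_types.WorkersSettings{SSHAccess: &gardener_types.SSHAccess{Enabled: false}} }` would keep the policy in one spot and make any later adjustment a one-line change. The first hunk also drops one line from the import block; from the collapsed text it is not clear whether that was a blank group separator or the `github.com/hashicorp/go-version` import itself, so if it was the import, confirm nothing in the file still references `version.`. The enclosing ExtendShootConfig bodies begin and end outside these hunks.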
@@ -662,6 +667,9 @@ func (c AWSGardenerConfig) ExtendShootConfig(gardenerConfig GardenerConfig, shoo
 ControlPlaneConfig: &apimachineryRuntime.RawExtension{Raw: jsonCPData},
 InfrastructureConfig: &apimachineryRuntime.RawExtension{Raw: jsonData},
 Workers: workers,
+ WorkersSettings: &gardener_types.WorkersSettings{
+ SSHAccess: &gardener_types.SSHAccess{Enabled: false},
+ },
 }
 
 return nil
@@ -728,6 +736,9 @@ func (c OpenStackGardenerConfig) ExtendShootConfig(gardenerConfig GardenerConfig
 ControlPlaneConfig: &apimachineryRuntime.RawExtension{Raw: jsonCPData},
 InfrastructureConfig: &apimachineryRuntime.RawExtension{Raw: jsonData},
 Workers: workers,
+ WorkersSettings: &gardener_types.WorkersSettings{
+ SSHAccess: &gardener_types.SSHAccess{Enabled: false},
+ },
 }
 
 return nil
@@ -794,6 +805,12 @@ func updateShootConfig(upgradeConfig GardenerConfig, shoot *gardener_types.Shoot
 if util.NotNilOrEmpty(upgradeConfig.MachineImageVersion) {
 shoot.Spec.Provider.Workers[0].Machine.Image.Version = upgradeConfig.MachineImageVersion
 }
+
+ // block SSHAccess for all upgraded clusters
+ shoot.Spec.Provider.WorkersSettings = &gardener_types.WorkersSettings{
+ SSHAccess: &gardener_types.SSHAccess{Enabled: false},
+ }
+
 if upgradeConfig.OIDCConfig != nil {
 if shoot.Spec.Kubernetes.KubeAPIServer == nil {
 shoot.Spec.Kubernetes.KubeAPIServer = &gardener_types.KubeAPIServerConfig{}
diff --git a/components/provisioner/internal/model/gardener_config_test.go b/components/provisioner/internal/model/gardener_config_test.go
index be9522c857..ae038875ea 100644
--- a/components/provisioner/internal/model/gardener_config_test.go
+++ b/components/provisioner/internal/model/gardener_config_test.go
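Review bot: In updateShootConfig the new block replaces the whole `shoot.Spec.Provider.WorkersSettings` pointer instead of setting `SSHAccess` on it, so any other worker setting an existing shoot already carries is discarded on every upgrade. WorkersSettings may hold nothing but SSHAccess in the Gardener version this repository pins, in which case nothing is lost today, but initialising the struct only when nil and assigning the one field keeps the upgrade path from silently reverting settings added later. The AWS and OpenStack ExtendShootConfig hunks above build a fresh Provider, so the literal is fine there. updateShootConfig's body starts and ends outside the hunk.

```go
// … unchanged: MachineImageVersion handling …
// block SSHAccess for all upgraded clusters without discarding other worker settings
if shoot.Spec.Provider.WorkersSettings == nil {
	shoot.Spec.Provider.WorkersSettings = &gardener_types.WorkersSettings{}
}
shoot.Spec.Provider.WorkersSettings.SSHAccess = &gardener_types.SSHAccess{Enabled: false}
// … unchanged: OIDCConfig handling …
```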
@@ -206,6 +206,9 @@ func TestGardenerConfig_ToShootTemplate(t *testing.T) {
 Workers: []gardener_types.Worker{
 fixWorker([]string{"fix-zone-1", "fix-zone-2"}, nil),
 },
+ WorkersSettings: &gardener_types.WorkersSettings{
+ SSHAccess: &gardener_types.SSHAccess{Enabled: false},
+ },
 },
 Purpose: &purpose,
 ExposureClassName: util.PtrTo("internet"),
@@ -288,6 +291,9 @@ func TestGardenerConfig_ToShootTemplate(t *testing.T) {
 Workers: []gardener_types.Worker{
 fixWorker([]string{"fix-zone-1", "fix-zone-2"}, nil),
 },
+ WorkersSettings: &gardener_types.WorkersSettings{
+ SSHAccess: &gardener_types.SSHAccess{Enabled: false},
+ },
 },
 Purpose: &purpose,
 ExposureClassName: util.PtrTo("internet"),
@@ -370,6 +376,9 @@ func TestGardenerConfig_ToShootTemplate(t *testing.T) {
 Workers: []gardener_types.Worker{
 fixWorker(nil, nil),
 },
+ WorkersSettings: &gardener_types.WorkersSettings{
+ SSHAccess: &gardener_types.SSHAccess{Enabled: false},
+ },
 },
 Purpose: &purpose,
 ExposureClassName: util.PtrTo("internet"),
@@ -452,6 +461,9 @@ func TestGardenerConfig_ToShootTemplate(t *testing.T) {
 Workers: []gardener_types.Worker{
 fixWorker([]string{"1", "2"}, nil),
 },
+ WorkersSettings: &gardener_types.WorkersSettings{
+ SSHAccess: &gardener_types.SSHAccess{Enabled: false},
+ },
 },
 Purpose: &purpose,
 ExposureClassName: util.PtrTo("internet"),
@@ -536,6 +548,9 @@ func TestGardenerConfig_ToShootTemplate(t *testing.T) {
 Raw: []byte(`{"kind":"WorkerConfig","apiVersion":"aws.provider.extensions.gardener.cloud/v1alpha1","instanceMetadataOptions":{"httpTokens":"required","httpPutResponseHopLimit":2}}`),
 }),
 },
+ WorkersSettings: &gardener_types.WorkersSettings{
+ SSHAccess: &gardener_types.SSHAccess{Enabled: false},
+ },
 },
 Purpose: &purpose,
 ExposureClassName: util.PtrTo("internet"),
From 5d0ed138fb831932cb17aa8454771926c5ffce97 Mon Sep 17 00:00:00 2001
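Review bot: All five expectation updates in this file belong to TestGardenerConfig_ToShootTemplate, so the new assignment in updateShootConfig — the path that disables SSH on already-provisioned clusters during an upgrade — has no test in this patch. A case that builds a shoot with `WorkersSettings: nil`, runs updateShootConfig and asserts `shoot.Spec.Provider.WorkersSettings.SSHAccess.Enabled == false`, plus one starting from a pre-populated WorkersSettings, would cover it. TestGardenerConfig_ToShootTemplate begins and ends outside these hunks.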
From: =?UTF-8?q?Przemys=C5=82aw=20Golicz?= Date: Wed, 3 Jul 2024 14:45:09 +0200 Subject: [PATCH 2/2] fix unit tests --- components/provisioner/internal/util/testkit/shoot.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/components/provisioner/internal/util/testkit/shoot.go b/components/provisioner/internal/util/testkit/shoot.go index 414284a83d..dd1b358c38 100644 --- a/components/provisioner/internal/util/testkit/shoot.go +++ b/components/provisioner/internal/util/testkit/shoot.go @@ -96,6 +96,9 @@ func (ts *TestShoot) WithExposureClassName(exposureClassName string) *TestShoot // See also testkit.TestWorker func (ts *TestShoot) WithWorkers(workers ...v1beta1.Worker) *TestShoot { ts.shoot.Spec.Provider.Workers = append(ts.shoot.Spec.Provider.Workers, workers...) + ts.shoot.Spec.Provider.WorkersSettings = &gardener_types.WorkersSettings{ + SSHAccess: &gardener_types.SSHAccess{Enabled: false}, + } return ts }
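Review bot: The added lines in WithWorkers reference `gardener_types.WorkersSettings` and `gardener_types.SSHAccess`, while the signature on the same hunk takes `workers ...v1beta1.Worker`, which indicates this file imports the Gardener API package under the name `v1beta1`; the diffstat shows no import change, so unless the package is also imported as `gardener_types` this will not compile and the lines should read `ts.shoot.Spec.Provider.WorkersSettings = &v1beta1.WorkersSettings{` and `SSHAccess: &v1beta1.SSHAccess{Enabled: false},`. Separately, having a builder named WithWorkers silently disable SSH is surprising for a test helper; a dedicated `WithSSHAccessDisabled() *TestShoot` method, with the `// See also testkit.TestWorker` comment left describing only workers, would keep fixtures explicit about what they assert. The enclosing function is fully visible in the hunk.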