✨ CIDR blocks for default Security Group rule "Node Port Services"

[krasoffski]

What type of PR is this?
/kind feature

What this PR does / why we need it:
There is issue #3314 which describes problem when default Security Group rule "Node Port Services" it too wide.

This PR allows to specify CIDR Blocks for Security Group rule "Node Port Services" with keeping original behavior if no CIDR Blocks are provided by attribute AWSCluster.spec.network.NodePortIngressRuleCidrBlocks.

In our practice, we've deployed stackgres and add LB for Admin page, but security team found opened ports with this admin page, cause stackgress by default open NodePort too under the hood.
Thus allowing to specify networks from which node port services can be accessed negotiated this problem.

Which issue(s) this PR fixes:
Fixes #3314 (possible fix).

Special notes for your reviewer:
I did not add similar attribute for IPv6 CIDR blocks because there is validation that IPv6 cannot be used with unmanaged clusters at this time..
New unit tests for original and new behavior are added.
Added unit tests for webhook validation of correctness provided CidrBlocks.

Checklist:

• squashed commits
• includes documentation
• includes emojis
• adds unit tests
• adds or updates e2e tests

Release note:

New `AWSCluster.spec.network.NodePortIngressRuleCidrBlocks` parameter  which allows to specify IPv4 CIDR blocks for Security group rule "Node Port Services" instead of default `0.0.0.0/`. 

[k8s-ci-robot]

Hi @krasoffski. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[AndiDog]

/ok-to-test

[krasoffski]

@AndiDog Thank you, Andreas. Looks like tests are passed.

@richardcase @killianmuldoon guys, could you, please, take a look?

[AndiDog]

Mostly looks good. I have some easy comments.

[AndiDog]

The apidiff failure is informational, and in this case acceptable. I'd say let's either get this merged, or we wait until the E2E tests work again (there's a problem right now about AMIs).

/lgtm

[krasoffski]

@AndiDog
Hi, again.
Is there any way how to merge this PR with apidiff fail?

[richardcase]

The incompatible apidiffs are from the exported go api and not the k8s api, as we don't provide guarantees over the exported go packages:

/override pull-cluster-api-provider-aws-apidiff-main

[k8s-ci-robot]

@richardcase: Overrode contexts on behalf of richardcase: pull-cluster-api-provider-aws-apidiff-main

In response to this:

The incompatible apidiffs are from the exported go api and not the k8s api, as we don't provide guarantees over the exported go packages:

/override pull-cluster-api-provider-aws-apidiff-main

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[richardcase]

Thanks for this @krasoffski 🙇‍♂️

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: richardcase

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [richardcase]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment