Merge pull request #1640 from richardchen331/api_server_access_profile

Support APIServerAccessProfile in AzureManagedControlPlane

Author: k8s-ci-robot

azure/scope/managedcontrolplane.go

@@ -437,6 +437,15 @@ func (s *ManagedControlPlaneScope) ManagedClusterSpec() (azure.ManagedClusterSpe
 		}
 	}
 
+	if s.ControlPlane.Spec.APIServerAccessProfile != nil {
+		managedClusterSpec.APIServerAccessProfile = &azure.APIServerAccessProfile{
+			AuthorizedIPRanges:             s.ControlPlane.Spec.APIServerAccessProfile.AuthorizedIPRanges,
+			EnablePrivateCluster:           s.ControlPlane.Spec.APIServerAccessProfile.EnablePrivateCluster,
+			PrivateDNSZone:                 s.ControlPlane.Spec.APIServerAccessProfile.PrivateDNSZone,
+			EnablePrivateClusterPublicFQDN: s.ControlPlane.Spec.APIServerAccessProfile.EnablePrivateClusterPublicFQDN,
+		}
+	}
+
 	return managedClusterSpec, nil
 }
 

azure/services/managedclusters/managedclusters.go

@@ -107,6 +107,18 @@ func computeDiffOfNormalizedClusters(managedCluster containerservice.ManagedClus
 		existingMCPropertiesNormalized.NetworkProfile.LoadBalancerProfile = existingMC.NetworkProfile.LoadBalancerProfile
 	}
 
+	if managedCluster.APIServerAccessProfile != nil {
+		propertiesNormalized.APIServerAccessProfile = &containerservice.ManagedClusterAPIServerAccessProfile{
+			AuthorizedIPRanges: managedCluster.APIServerAccessProfile.AuthorizedIPRanges,
+		}
+	}
+
+	if existingMC.APIServerAccessProfile != nil {
+		existingMCPropertiesNormalized.APIServerAccessProfile = &containerservice.ManagedClusterAPIServerAccessProfile{
+			AuthorizedIPRanges: existingMC.APIServerAccessProfile.AuthorizedIPRanges,
+		}
+	}
+
 	clusterNormalized := &containerservice.ManagedCluster{
 		ManagedClusterProperties: propertiesNormalized,
 	}
@@ -269,6 +281,15 @@ func (s *Service) Reconcile(ctx context.Context) error {
 		}
 	}
 
+	if managedClusterSpec.APIServerAccessProfile != nil {
+		managedCluster.APIServerAccessProfile = &containerservice.ManagedClusterAPIServerAccessProfile{
+			AuthorizedIPRanges:             &managedClusterSpec.APIServerAccessProfile.AuthorizedIPRanges,
+			EnablePrivateCluster:           managedClusterSpec.APIServerAccessProfile.EnablePrivateCluster,
+			PrivateDNSZone:                 managedClusterSpec.APIServerAccessProfile.PrivateDNSZone,
+			EnablePrivateClusterPublicFQDN: managedClusterSpec.APIServerAccessProfile.EnablePrivateClusterPublicFQDN,
+		}
+	}
+
 	if isCreate {
 		managedCluster, err = s.Client.CreateOrUpdate(ctx, managedClusterSpec.ResourceGroupName, managedClusterSpec.Name, managedCluster)
 		if err != nil {

azure/types.go

@@ -355,6 +355,9 @@ type ManagedClusterSpec struct {
 
 	// LoadBalancerProfile is the profile of the cluster load balancer.
 	LoadBalancerProfile *LoadBalancerProfile
+
+	// APIServerAccessProfile is the access profile for AKS API server.
+	APIServerAccessProfile *APIServerAccessProfile
 }
 
 // AADProfile is Azure Active Directory configuration to integrate with AKS, for aad authentication.
@@ -398,6 +401,18 @@ type LoadBalancerProfile struct {
 	IdleTimeoutInMinutes *int32
 }
 
+// APIServerAccessProfile is the access profile for AKS API server.
+type APIServerAccessProfile struct {
+	// AuthorizedIPRanges - Authorized IP Ranges to kubernetes API server.
+	AuthorizedIPRanges []string
+	// EnablePrivateCluster - Whether to create the cluster as a private cluster or not.
+	EnablePrivateCluster *bool
+	// PrivateDNSZone - Private dns zone mode for private cluster.
+	PrivateDNSZone *string
+	// EnablePrivateClusterPublicFQDN - Whether to create additional public FQDN for private cluster or not.
+	EnablePrivateClusterPublicFQDN *bool
+}
+
 // AgentPoolSpec contains agent pool specification details.
 type AgentPoolSpec struct {
 	// Name is the name of agent pool.

config/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedcontrolplanes.yaml

@@ -226,6 +226,32 @@ spec:
                   resources managed by the Azure provider, in addition to the ones
                   added by default.
                 type: object
+              apiServerAccessProfile:
+                description: APIServerAccessProfile is the access profile for AKS
+                  API server.
+                properties:
+                  authorizedIPRanges:
+                    description: AuthorizedIPRanges - Authorized IP Ranges to kubernetes
+                      API server.
+                    items:
+                      type: string
+                    type: array
+                  enablePrivateCluster:
+                    description: EnablePrivateCluster - Whether to create the cluster
+                      as a private cluster or not.
+                    type: boolean
+                  enablePrivateClusterPublicFQDN:
+                    description: EnablePrivateClusterPublicFQDN - Whether to create
+                      additional public FQDN for private cluster or not.
+                    type: boolean
+                  privateDNSZone:
+                    description: PrivateDNSZone - Private dns zone mode for private
+                      cluster.
+                    enum:
+                    - System
+                    - None
+                    type: string
+                type: object
               controlPlaneEndpoint:
                 description: ControlPlaneEndpoint represents the endpoint used to
                   communicate with the control plane.

docs/book/src/topics/managedcluster.md

@@ -274,6 +274,31 @@ spec:
     idleTimeoutInMinutes: 10 # 4-120
 ```
 
+### Secure access to the API server using authorized IP address ranges
+
+In Kubernetes, the API server receives requests to perform actions in the cluster such as to create resources or scale the number of nodes. The API server is the central way to interact with and manage a cluster. To improve cluster security and minimize attacks, the API server should only be accessible from a limited set of IP address ranges.
+
+For more documentation about authorized IP address ranges refer [AKS Doc](https://docs.microsoft.com/en-us/azure/aks/api-server-authorized-ip-ranges) and [AKS REST API Doc](https://docs.microsoft.com/en-us/rest/api/aks/managed-clusters/create-or-update)
+
+```yaml
+apiVersion: infrastructure.cluster.x-k8s.io/v1alpha4
+kind: AzureManagedControlPlane
+metadata:
+  name: my-cluster-control-plane
+spec:
+  location: southcentralus
+  resourceGroupName: foo-bar
+  sshPublicKey: ${AZURE_SSH_PUBLIC_KEY_B64:=""}
+  subscriptionID: 00000000-0000-0000-0000-000000000000 # fake uuid
+  version: v1.21.2
+  apiServerAccessProfile:
+    authorizedIPRanges:
+    - 12.34.56.78/32
+    enablePrivateCluster: false
+    privateDNSZone: None # System, None. Allowed only when enablePrivateCluster is true
+    enablePrivateClusterPublicFQDN: false # Allowed only when enablePrivateCluster is true
+```
+
 ## Features
 
 AKS clusters deployed from CAPZ currently only support a limited,

exp/api/v1alpha3/azuremanagedcontrolplane_conversion.go

@@ -40,6 +40,7 @@ func (src *AzureManagedControlPlane) ConvertTo(dstRaw conversion.Hub) error { //
 	dst.Spec.IdentityRef = restored.Spec.IdentityRef
 	dst.Spec.SKU = restored.Spec.SKU
 	dst.Spec.LoadBalancerProfile = restored.Spec.LoadBalancerProfile
+	dst.Spec.APIServerAccessProfile = restored.Spec.APIServerAccessProfile
 
 	dst.Status.LongRunningOperationStates = restored.Status.LongRunningOperationStates
 

exp/api/v1alpha3/zz_generated.conversion.go

@@ -24,6 +24,14 @@ import (
 	infrav1 "sigs.k8s.io/cluster-api-provider-azure/api/v1alpha4"
 )
 
+const (
+	// PrivateDNSZoneModeSystem represents mode System for azuremanagedcontrolplane.
+	PrivateDNSZoneModeSystem string = "System"
+
+	// PrivateDNSZoneModeNone represents mode None for azuremanagedcontrolplane.
+	PrivateDNSZoneModeNone string = "None"
+)
+
 // AzureManagedControlPlaneSpec defines the desired state of AzureManagedControlPlane.
 type AzureManagedControlPlaneSpec struct {
 	// Version defines the desired Kubernetes version.
@@ -95,6 +103,10 @@ type AzureManagedControlPlaneSpec struct {
 	// LoadBalancerProfile is the profile of the cluster load balancer.
 	// +optional
 	LoadBalancerProfile *LoadBalancerProfile `json:"loadBalancerProfile,omitempty"`
+
+	// APIServerAccessProfile is the access profile for AKS API server.
+	// +optional
+	APIServerAccessProfile *APIServerAccessProfile `json:"apiServerAccessProfile,omitempty"`
 }
 
 // AADProfile - AAD integration managed by AKS.
@@ -143,6 +155,23 @@ type LoadBalancerProfile struct {
 	IdleTimeoutInMinutes *int32 `json:"idleTimeoutInMinutes,omitempty"`
 }
 
+// APIServerAccessProfile - access profile for AKS API server.
+type APIServerAccessProfile struct {
+	// AuthorizedIPRanges - Authorized IP Ranges to kubernetes API server.
+	// +optional
+	AuthorizedIPRanges []string `json:"authorizedIPRanges,omitempty"`
+	// EnablePrivateCluster - Whether to create the cluster as a private cluster or not.
+	// +optional
+	EnablePrivateCluster *bool `json:"enablePrivateCluster,omitempty"`
+	// PrivateDNSZone - Private dns zone mode for private cluster.
+	// +kubebuilder:validation:Enum=System;None
+	// +optional
+	PrivateDNSZone *string `json:"privateDNSZone,omitempty"`
+	// EnablePrivateClusterPublicFQDN - Whether to create additional public FQDN for private cluster or not.
+	// +optional
+	EnablePrivateClusterPublicFQDN *bool `json:"enablePrivateClusterPublicFQDN,omitempty"`
+}
+
 // ManagedControlPlaneVirtualNetwork describes a virtual network required to provision AKS clusters.
 type ManagedControlPlaneVirtualNetwork struct {
 	Name      string                    `json:"name"`

exp/api/v1alpha4/azuremanagedcontrolplane_types.go

@@ -19,6 +19,7 @@ package v1alpha4
 import (
 	"errors"
 	"net"
+	"reflect"
 	"regexp"
 	"strings"
 
@@ -242,6 +243,10 @@ func (r *AzureManagedControlPlane) ValidateUpdate(oldRaw runtime.Object) error {
 		}
 	}
 
+	if errs := r.validateAPIServerAccessProfileUpdate(old); len(errs) > 0 {
+		allErrs = append(allErrs, errs...)
+	}
+
 	if len(allErrs) == 0 {
 		return r.Validate()
 	}
@@ -263,6 +268,7 @@ func (r *AzureManagedControlPlane) Validate() error {
 		r.validateDNSServiceIP,
 		r.validateSSHKey,
 		r.validateLoadBalancerProfile,
+		r.validateAPIServerAccessProfile,
 	}
 
 	var errs []error
@@ -357,3 +363,52 @@ func (r *AzureManagedControlPlane) validateLoadBalancerProfile() error {
 
 	return nil
 }
+
+// validateAPIServerAccessProfile validates an APIServerAccessProfile.
+func (r *AzureManagedControlPlane) validateAPIServerAccessProfile() error {
+	if r.Spec.APIServerAccessProfile != nil {
+		var allErrs field.ErrorList
+		for _, ipRange := range r.Spec.APIServerAccessProfile.AuthorizedIPRanges {
+			if _, _, err := net.ParseCIDR(ipRange); err != nil {
+				allErrs = append(allErrs, field.Invalid(field.NewPath("Spec", "APIServerAccessProfile", "AuthorizedIPRanges"), ipRange, "invalid CIDR format"))
+			}
+		}
+		if len(allErrs) > 0 {
+			agg := kerrors.NewAggregate(allErrs.ToAggregate().Errors())
+			azuremanagedcontrolplanelog.Info("Invalid apiServerAccessProfile: %s", agg.Error())
+			return agg
+		}
+	}
+	return nil
+}
+
+// validateAPIServerAccessProfileUpdate validates update to APIServerAccessProfile.
+func (r *AzureManagedControlPlane) validateAPIServerAccessProfileUpdate(old *AzureManagedControlPlane) field.ErrorList {
+	var allErrs field.ErrorList
+
+	newAPIServerAccessProfileNormalized := &APIServerAccessProfile{}
+	oldAPIServerAccessProfileNormalized := &APIServerAccessProfile{}
+	if r.Spec.APIServerAccessProfile != nil {
+		newAPIServerAccessProfileNormalized = &APIServerAccessProfile{
+			EnablePrivateCluster:           r.Spec.APIServerAccessProfile.EnablePrivateCluster,
+			PrivateDNSZone:                 r.Spec.APIServerAccessProfile.PrivateDNSZone,
+			EnablePrivateClusterPublicFQDN: r.Spec.APIServerAccessProfile.EnablePrivateClusterPublicFQDN,
+		}
+	}
+	if old.Spec.APIServerAccessProfile != nil {
+		oldAPIServerAccessProfileNormalized = &APIServerAccessProfile{
+			EnablePrivateCluster:           old.Spec.APIServerAccessProfile.EnablePrivateCluster,
+			PrivateDNSZone:                 old.Spec.APIServerAccessProfile.PrivateDNSZone,
+			EnablePrivateClusterPublicFQDN: old.Spec.APIServerAccessProfile.EnablePrivateClusterPublicFQDN,
+		}
+	}
+
+	if !reflect.DeepEqual(newAPIServerAccessProfileNormalized, oldAPIServerAccessProfileNormalized) {
+		allErrs = append(allErrs,
+			field.Invalid(field.NewPath("Spec", "APIServerAccessProfile"),
+				r.Spec.APIServerAccessProfile, "fields (except for AuthorizedIPRanges) are immutable"),
+		)
+	}
+
+	return allErrs
+}

exp/api/v1alpha4/azuremanagedcontrolplane_webhook.go

@@ -219,6 +219,18 @@ func TestValidatingWebhook(t *testing.T) {
 			},
 			expectErr: true,
 		},
+		{
+			name: "Invalid CIDR for AuthorizedIPRanges",
+			amcp: AzureManagedControlPlane{
+				Spec: AzureManagedControlPlaneSpec{
+					Version: "v1.21.2",
+					APIServerAccessProfile: &APIServerAccessProfile{
+						AuthorizedIPRanges: []string{"1.2.3.400/32"},
+					},
+				},
+			},
+			expectErr: true,
+		},
 	}
 
 	for _, tt := range tests {
@@ -671,6 +683,44 @@ func TestAzureManagedControlPlane_ValidateUpdate(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "AzureManagedControlPlane EnablePrivateCluster is immutable",
+			oldAMCP: &AzureManagedControlPlane{
+				Spec: AzureManagedControlPlaneSpec{
+					DNSServiceIP: to.StringPtr("192.168.0.0"),
+					Version:      "v1.18.0",
+				},
+			},
+			amcp: &AzureManagedControlPlane{
+				Spec: AzureManagedControlPlaneSpec{
+					DNSServiceIP: to.StringPtr("192.168.0.0"),
+					Version:      "v1.18.0",
+					APIServerAccessProfile: &APIServerAccessProfile{
+						EnablePrivateCluster: to.BoolPtr(true),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "AzureManagedControlPlane AuthorizedIPRanges is mutable",
+			oldAMCP: &AzureManagedControlPlane{
+				Spec: AzureManagedControlPlaneSpec{
+					DNSServiceIP: to.StringPtr("192.168.0.0"),
+					Version:      "v1.18.0",
+				},
+			},
+			amcp: &AzureManagedControlPlane{
+				Spec: AzureManagedControlPlaneSpec{
+					DNSServiceIP: to.StringPtr("192.168.0.0"),
+					Version:      "v1.18.0",
+					APIServerAccessProfile: &APIServerAccessProfile{
+						AuthorizedIPRanges: []string{"192.168.0.1/32"},
+					},
+				},
+			},
+			wantErr: false,
+		},
 	}
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {