Allow more permissive extensibility for securityRules

Signed-off-by: Danil-Grigorev <[email protected]>

Author: Danil-Grigorev

api/v1beta1/types.go

@@ -893,6 +893,20 @@ func (s SubnetSpec) IsIPv6Enabled() bool {
 	return false
 }
 
+// GetSecurityRuleByDestination returns security group rule, which matches provided destination ports.
+func (s SubnetSpec) GetSecurityRuleByDestination(ports string) *SecurityRule {
+	if s.SecurityGroup.SecurityRules == nil {
+		return nil
+	}
+
+	for _, rule := range s.SecurityGroup.SecurityRules {
+		if rule.DestinationPorts != nil && *rule.DestinationPorts == ports {
+			return &rule
+		}
+	}
+	return nil
+}
+
 // SecurityProfile specifies the Security profile settings for a
 // virtual machine or virtual machine scale set.
 type SecurityProfile struct {

azure/scope/cluster.go

@@ -1020,9 +1020,18 @@ func (s *ClusterScope) SetControlPlaneSecurityRules() {
 	if !s.ControlPlaneEnabled() {
 		return
 	}
-	if s.ControlPlaneSubnet().SecurityGroup.SecurityRules == nil {
+
+	subnet := s.ControlPlaneSubnet()
+
+	if subnet.SecurityGroup.SecurityRules == nil {
+		subnet := s.ControlPlaneSubnet()
+
+		s.AzureCluster.Spec.NetworkSpec.UpdateControlPlaneSubnet(subnet)
+	}
+
+	if subnet.GetSecurityRuleByDestination("22") == nil {
 		subnet := s.ControlPlaneSubnet()
-		subnet.SecurityGroup.SecurityRules = infrav1.SecurityRules{
+		subnet.SecurityGroup.SecurityRules = append(s.ControlPlaneSubnet().SecurityGroup.SecurityRules,
 			infrav1.SecurityRule{
 				Name:             "allow_ssh",
 				Description:      "Allow SSH",
@@ -1034,22 +1043,30 @@ func (s *ClusterScope) SetControlPlaneSecurityRules() {
 				Destination:      ptr.To("*"),
 				DestinationPorts: ptr.To("22"),
 				Action:           infrav1.SecurityRuleActionAllow,
-			},
-			infrav1.SecurityRule{
-				Name:             "allow_apiserver",
-				Description:      "Allow K8s API Server",
-				Priority:         2201,
-				Protocol:         infrav1.SecurityGroupProtocolTCP,
-				Direction:        infrav1.SecurityRuleDirectionInbound,
-				Source:           ptr.To("*"),
-				SourcePorts:      ptr.To("*"),
-				Destination:      ptr.To("*"),
-				DestinationPorts: ptr.To(strconv.Itoa(int(s.APIServerPort()))),
-				Action:           infrav1.SecurityRuleActionAllow,
-			},
-		}
+			})
+
 		s.AzureCluster.Spec.NetworkSpec.UpdateControlPlaneSubnet(subnet)
 	}
+
+	port := strconv.Itoa(int(s.APIServerPort()))
+	if subnet.GetSecurityRuleByDestination(port) == nil {
+		subnet := s.ControlPlaneSubnet()
+		subnet.SecurityGroup.SecurityRules = append(s.ControlPlaneSubnet().SecurityGroup.SecurityRules, infrav1.SecurityRule{
+			Name:             "allow_apiserver",
+			Description:      "Allow K8s API Server",
+			Priority:         2201,
+			Protocol:         infrav1.SecurityGroupProtocolTCP,
+			Direction:        infrav1.SecurityRuleDirectionInbound,
+			Source:           ptr.To("*"),
+			SourcePorts:      ptr.To("*"),
+			Destination:      ptr.To("*"),
+			DestinationPorts: ptr.To(port),
+			Action:           infrav1.SecurityRuleActionAllow,
+		})
+
+		s.AzureCluster.Spec.NetworkSpec.UpdateControlPlaneSubnet(subnet)
+	}
+
 }
 
 // SetDNSName sets the API Server public IP DNS name.

docs/book/src/self-managed/custom-vnet.md

@@ -114,8 +114,13 @@ Security Rules were previously known as `ingressRule` in v1alpha3.
 </aside>
 
 Security rules can also be customized as part of the subnet specification in a custom network spec.
-Note that ingress rules for the Kubernetes API Server port (default 6443) and SSH (22) are automatically added to the controlplane subnet only if security rules aren't specified.
-It is the responsibility of the user to supply those rules themselves if using custom rules.
+
+Note that ingress rules for the Kubernetes API Server port (default 6443) and SSH (22) are automatically added to the controlplane subnet if these security rules aren't specified.
+It is the responsibility of the user to override those rules themselves when the default configuration does not match expected ruleset.
+
+These rules are identified by `destinationPorts` value:
+- `<API_SERVER_PORT>` for the API server access. Default port is `6443`.
+- `22` for the SSH access.
 
 Here is an illustrative example of customizing rules that builds on the one above by adding an egress rule to the control plane nodes:
 
@@ -141,22 +146,22 @@ spec:
           name: my-subnet-cp-nsg
           securityRules:
             - name: "allow_ssh"
-              description: "allow SSH"
+              description: "Deny SSH"
               direction: "Inbound"
               priority: 2200
               protocol: "*"
               destination: "*"
               destinationPorts: "22"
               source: "*"
               sourcePorts: "*"
-              action: "Allow"
+              action: "Deny"
             - name: "allow_apiserver"
-              description: "Allow K8s API Server"
+              description: "Allow Custom K8s API Server"
               direction: "Inbound"
               priority: 2201
               protocol: "*"
               destination: "*"
-              destinationPorts: "6443"
+              destinationPorts: "1234" # Custom API server URL
               source: "*"
               sourcePorts: "*"
               action: "Allow"
@@ -177,6 +182,46 @@ spec:
   resourceGroup: cluster-example
 ```
 
+Alternatively, when default server `securityRules` apply, but the list needs to be extended, only required rules can be added, like so:
+
+```yaml
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+kind: AzureCluster
+metadata:
+  name: cluster-example
+  namespace: default
+spec:
+  location: southcentralus
+  networkSpec:
+    vnet:
+      name: my-vnet
+      cidrBlocks:
+        - 10.0.0.0/16
+    subnets:
+      - name: my-subnet-cp
+        role: control-plane
+        cidrBlocks:
+          - 10.0.1.0/24
+        securityGroup:
+          name: my-subnet-cp-nsg
+          securityRules:
+            - name: "allow_port_9345"
+              description: "RKE2 - allow node registration on port 9345"
+              direction: "Inbound"
+              priority: 2202
+              protocol: "Tcp"
+              destination: "*"
+              destinationPorts: "9345"
+              source: "*"
+              sourcePorts: "*"
+              action: "Allow"
+      - name: my-subnet-node
+        role: node
+        cidrBlocks:
+          - 10.0.2.0/24
+  resourceGroup: cluster-example
+```
+
 ### Virtual Network service endpoints
 
 Sometimes it's desirable to use [Virtual Network service endpoints](https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview) to establish secure and direct connectivity to Azure services from your subnet(s). Service Endpoints are configured on a per-subnet basis. Vnets managed by either `AzureCluster` or `AzureManagedControlPlane` can have `serviceEndpoints` optionally set on each subnet.