kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add missing security groups for cilium etcd

This commit is contained in:
zadjadr 2023-08-10 20:53:39 +02:00
parent d67528e5e6
commit 0ea7e55f25
1 changed files with 42 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
pkg/model/openstackmodel/firewall.go
View File

@ -149,6 +149,8 @@ func (b *FirewallModelBuilder) addSSHRules(c *fi.CloudupModelBuilderContext, sgM
func (b *FirewallModelBuilder) addETCDRules(c *fi.CloudupModelBuilderContext, sgMap map[string]*openstacktasks.SecurityGroup) error { func (b *FirewallModelBuilder) addETCDRules(c *fi.CloudupModelBuilderContext, sgMap map[string]*openstacktasks.SecurityGroup) error {
masterName := b.SecurityGroupName(kops.InstanceGroupRoleControlPlane) masterName := b.SecurityGroupName(kops.InstanceGroupRoleControlPlane)
masterSG := sgMap[masterName] masterSG := sgMap[masterName]
nodeName := b.SecurityGroupName(kops.InstanceGroupRoleNode)
nodeSG := sgMap[nodeName]
// ETCD Peer Discovery // ETCD Peer Discovery
etcdRule := &openstacktasks.SecurityGroupRule{ etcdRule := &openstacktasks.SecurityGroupRule{
@ -170,6 +172,46 @@ func (b *FirewallModelBuilder) addETCDRules(c *fi.CloudupModelBuilderContext, sg
b.addDirectionalGroupRule(c, masterSG, masterSG, etcdRule) b.addDirectionalGroupRule(c, masterSG, masterSG, etcdRule)
b.addDirectionalGroupRule(c, masterSG, masterSG, etcdPeerRule) b.addDirectionalGroupRule(c, masterSG, masterSG, etcdPeerRule)
if b.Cluster.Spec.Networking.Cilium != nil && b.Cluster.Spec.Networking.Cilium.EtcdManaged {
etcdCiliumPeerRule := &openstacktasks.SecurityGroupRule{
Lifecycle: b.Lifecycle,
Direction: s(string(rules.DirIngress)),
Protocol: s(string(rules.ProtocolTCP)),
EtherType: s(IPV4),
PortRangeMin: i(2382),
PortRangeMax: i(2382),
}
etcdCiliumGRPCRule := &openstacktasks.SecurityGroupRule{
Lifecycle: b.Lifecycle,
Direction: s(string(rules.DirIngress)),
Protocol: s(string(rules.ProtocolTCP)),
EtherType: s(IPV4),
PortRangeMin: i(wellknownports.EtcdCiliumGRPC),
PortRangeMax: i(wellknownports.EtcdCiliumGRPC),
}
etcdCiliumQuarantinedClient := &openstacktasks.SecurityGroupRule{
Lifecycle: b.Lifecycle,
Direction: s(string(rules.DirIngress)),
Protocol: s(string(rules.ProtocolTCP)),
EtherType: s(IPV4),
PortRangeMin: i(wellknownports.EtcdCiliumQuarantinedClientPort),
PortRangeMax: i(wellknownports.EtcdCiliumQuarantinedClientPort),
}
etcdCiliumClientRule := &openstacktasks.SecurityGroupRule{
Lifecycle: b.Lifecycle,
Direction: s(string(rules.DirIngress)),
Protocol: s(string(rules.ProtocolTCP)),
EtherType: s(IPV4),
PortRangeMin: i(wellknownports.EtcdCiliumClientPort),
PortRangeMax: i(wellknownports.EtcdCiliumClientPort),
}
b.addDirectionalGroupRule(c, masterSG, masterSG, etcdCiliumPeerRule)
b.addDirectionalGroupRule(c, masterSG, masterSG, etcdCiliumGRPCRule)
b.addDirectionalGroupRule(c, masterSG, masterSG, etcdCiliumClientRule)
b.addDirectionalGroupRule(c, masterSG, masterSG, etcdCiliumQuarantinedClient)
b.addDirectionalGroupRule(c, nodeSG, masterSG, etcdCiliumClientRule)
}
for _, portRange := range wellknownports.ETCDPortRanges() { for _, portRange := range wellknownports.ETCDPortRanges() {
etcdMgmrRule := &openstacktasks.SecurityGroupRule{ etcdMgmrRule := &openstacktasks.SecurityGroupRule{
Lifecycle: b.Lifecycle, Lifecycle: b.Lifecycle,