Move firewall to awsmodel

This commit is contained in:
Ciprian Hacman 2021-04-30 12:03:37 +03:00
parent fcba0043d0
commit 137fe6c2bb
7 changed files with 34 additions and 36 deletions


@ -308,7 +308,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
Egress: fi.Bool(true),
SecurityGroup: lbSG,
}
b.AddDirectionalGroupRule(c, t)
AddDirectionalGroupRule(c, t)
}
// Allow traffic into the ELB from KubernetesAPIAccess CIDRs
@ -323,7 +323,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
SecurityGroup: lbSG,
ToPort: fi.Int64(443),
}
b.AddDirectionalGroupRule(c, t)
AddDirectionalGroupRule(c, t)
// Allow ICMP traffic required for PMTU discovery
c.AddTask(&awstasks.SecurityGroupRule{
@ -356,7 +356,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
SecurityGroup: masterGroup.Task,
ToPort: fi.Int64(443),
}
b.AddDirectionalGroupRule(c, t)
AddDirectionalGroupRule(c, t)
// Allow ICMP traffic required for PMTU discovery
c.AddTask(&awstasks.SecurityGroupRule{


@ -21,7 +21,6 @@ import (
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/kops/pkg/apis/kops"
"k8s.io/kops/pkg/model"
"k8s.io/kops/upup/pkg/fi"
"k8s.io/kops/upup/pkg/fi/cloudup/awstasks"
)
@ -38,7 +37,7 @@ const (
// Bastion instances have access to all internal master and node instances.
type BastionModelBuilder struct {
*model.KopsModelContext
*AWSModelContext
Lifecycle *fi.Lifecycle
SecurityLifecycle *fi.Lifecycle
}
@ -85,7 +84,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
Egress: fi.Bool(true),
CIDR: fi.String("0.0.0.0/0"),
}
b.AddDirectionalGroupRule(c, t)
AddDirectionalGroupRule(c, t)
}
// Allow incoming SSH traffic to bastions, through the ELB
@ -100,14 +99,14 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
FromPort: fi.Int64(22),
ToPort: fi.Int64(22),
}
b.AddDirectionalGroupRule(c, t)
AddDirectionalGroupRule(c, t)
}
// Allow bastion nodes to SSH to masters
for _, src := range bastionGroups {
for _, dest := range masterGroups {
t := &awstasks.SecurityGroupRule{
Name: fi.String("bastion-to-master-ssh" + model.JoinSuffixes(src, dest)),
Name: fi.String("bastion-to-master-ssh" + JoinSuffixes(src, dest)),
Lifecycle: b.SecurityLifecycle,
SecurityGroup: dest.Task,
SourceGroup: src.Task,
@ -115,7 +114,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
FromPort: fi.Int64(22),
ToPort: fi.Int64(22),
}
b.AddDirectionalGroupRule(c, t)
AddDirectionalGroupRule(c, t)
}
}
@ -123,7 +122,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
for _, src := range bastionGroups {
for _, dest := range nodeGroups {
t := &awstasks.SecurityGroupRule{
Name: fi.String("bastion-to-node-ssh" + model.JoinSuffixes(src, dest)),
Name: fi.String("bastion-to-node-ssh" + JoinSuffixes(src, dest)),
Lifecycle: b.SecurityLifecycle,
SecurityGroup: dest.Task,
SourceGroup: src.Task,
@ -131,7 +130,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
FromPort: fi.Int64(22),
ToPort: fi.Int64(22),
}
b.AddDirectionalGroupRule(c, t)
AddDirectionalGroupRule(c, t)
}
}
@ -160,7 +159,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
CIDR: fi.String("0.0.0.0/0"),
}
b.AddDirectionalGroupRule(c, t)
AddDirectionalGroupRule(c, t)
}
// Allow external access to ELB
@ -175,7 +174,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
ToPort: fi.Int64(22),
CIDR: fi.String(sshAccess),
}
b.AddDirectionalGroupRule(c, t)
AddDirectionalGroupRule(c, t)
}
var elbSubnets []*awstasks.Subnet


@ -21,7 +21,6 @@ import (
"k8s.io/klog/v2"
"k8s.io/kops/pkg/apis/kops"
"k8s.io/kops/pkg/model"
"k8s.io/kops/upup/pkg/fi"
"k8s.io/kops/upup/pkg/fi/cloudup/awstasks"
)
@ -29,7 +28,7 @@ import (
// ExternalAccessModelBuilder configures security group rules for external access
// (SSHAccess, KubernetesAPIAccess)
type ExternalAccessModelBuilder struct {
*model.KopsModelContext
*AWSModelContext
Lifecycle *fi.Lifecycle
}
@ -72,7 +71,7 @@ func (b *ExternalAccessModelBuilder) Build(c *fi.ModelBuilderContext) error {
ToPort: fi.Int64(22),
CIDR: fi.String(sshAccess),
}
b.AddDirectionalGroupRule(c, t)
AddDirectionalGroupRule(c, t)
}
for _, nodeGroup := range nodeGroups {
@ -86,7 +85,7 @@ func (b *ExternalAccessModelBuilder) Build(c *fi.ModelBuilderContext) error {
ToPort: fi.Int64(22),
CIDR: fi.String(sshAccess),
}
b.AddDirectionalGroupRule(c, t)
AddDirectionalGroupRule(c, t)
}
}
}
@ -141,7 +140,7 @@ func (b *ExternalAccessModelBuilder) Build(c *fi.ModelBuilderContext) error {
ToPort: fi.Int64(443),
CIDR: fi.String(apiAccess),
}
b.AddDirectionalGroupRule(c, t)
AddDirectionalGroupRule(c, t)
}
}
}


@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
limitations under the License.
*/
package model
package awsmodel
import (
"fmt"
@ -35,7 +35,7 @@ const (
// FirewallModelBuilder configures firewall network objects
type FirewallModelBuilder struct {
*KopsModelContext
*AWSModelContext
Lifecycle *fi.Lifecycle
}
@ -84,7 +84,7 @@ func (b *FirewallModelBuilder) buildNodeRules(c *fi.ModelBuilderContext) ([]Secu
Egress: fi.Bool(true),
CIDR: fi.String("0.0.0.0/0"),
}
b.AddDirectionalGroupRule(c, t)
AddDirectionalGroupRule(c, t)
}
// Nodes can talk to nodes
@ -97,7 +97,7 @@ func (b *FirewallModelBuilder) buildNodeRules(c *fi.ModelBuilderContext) ([]Secu
SecurityGroup: dest.Task,
SourceGroup: src.Task,
}
b.AddDirectionalGroupRule(c, t)
AddDirectionalGroupRule(c, t)
}
}
@ -167,7 +167,7 @@ func (b *FirewallModelBuilder) applyNodeToMasterBlockSpecificPorts(c *fi.ModelBu
ToPort: fi.Int64(int64(r.To)),
Protocol: fi.String("udp"),
}
b.AddDirectionalGroupRule(c, t)
AddDirectionalGroupRule(c, t)
}
for _, r := range tcpRanges {
t := &awstasks.SecurityGroupRule{
@ -179,7 +179,7 @@ func (b *FirewallModelBuilder) applyNodeToMasterBlockSpecificPorts(c *fi.ModelBu
ToPort: fi.Int64(int64(r.To)),
Protocol: fi.String("tcp"),
}
b.AddDirectionalGroupRule(c, t)
AddDirectionalGroupRule(c, t)
}
for _, protocol := range protocols {
awsName := strconv.Itoa(int(protocol))
@ -198,7 +198,7 @@ func (b *FirewallModelBuilder) applyNodeToMasterBlockSpecificPorts(c *fi.ModelBu
SourceGroup: nodeGroup.Task,
Protocol: fi.String(awsName),
}
b.AddDirectionalGroupRule(c, t)
AddDirectionalGroupRule(c, t)
}
}
}
@ -216,7 +216,7 @@ func (b *FirewallModelBuilder) applyNodeToMasterBlockSpecificPorts(c *fi.ModelBu
SecurityGroup: dest.Task,
SourceGroup: src.Task,
}
b.AddDirectionalGroupRule(c, t)
AddDirectionalGroupRule(c, t)
}
}
}
@ -244,7 +244,7 @@ func (b *FirewallModelBuilder) buildMasterRules(c *fi.ModelBuilderContext, nodeG
Egress: fi.Bool(true),
CIDR: fi.String("0.0.0.0/0"),
}
b.AddDirectionalGroupRule(c, t)
AddDirectionalGroupRule(c, t)
}
// Masters can talk to masters
@ -257,7 +257,7 @@ func (b *FirewallModelBuilder) buildMasterRules(c *fi.ModelBuilderContext, nodeG
SecurityGroup: dest.Task,
SourceGroup: src.Task,
}
b.AddDirectionalGroupRule(c, t)
AddDirectionalGroupRule(c, t)
}
// Masters can talk to nodes
@ -270,7 +270,7 @@ func (b *FirewallModelBuilder) buildMasterRules(c *fi.ModelBuilderContext, nodeG
SecurityGroup: dest.Task,
SourceGroup: src.Task,
}
b.AddDirectionalGroupRule(c, t)
AddDirectionalGroupRule(c, t)
}
}
@ -283,7 +283,7 @@ type SecurityGroupInfo struct {
Task *awstasks.SecurityGroup
}
func (b *KopsModelContext) GetSecurityGroups(role kops.InstanceGroupRole) ([]SecurityGroupInfo, error) {
func (b *AWSModelContext) GetSecurityGroups(role kops.InstanceGroupRole) ([]SecurityGroupInfo, error) {
var baseGroup *awstasks.SecurityGroup
if role == kops.InstanceGroupRoleMaster {
name := b.SecurityGroupName(role)
@ -405,7 +405,7 @@ func JoinSuffixes(src SecurityGroupInfo, dest SecurityGroupInfo) string {
return s + d
}
func (b *KopsModelContext) AddDirectionalGroupRule(c *fi.ModelBuilderContext, t *awstasks.SecurityGroupRule) {
func AddDirectionalGroupRule(c *fi.ModelBuilderContext, t *awstasks.SecurityGroupRule) {
name := generateName(t)
t.Name = fi.String(name)
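Review bot: The exported AddDirectionalGroupRule on the new side, and GetSecurityGroups now on *AWSModelContext, carry no doc comment, and as a package-level function the former needs one because it overwrites the caller's name: `name := generateName(t)` followed by `t.Name = fi.String(name)` discards whatever Name the caller set, such as the "bastion-to-master-ssh" names built in bastion.go, unless generateName itself folds t.Name into its result, which this hunk does not show. Suggested comment: `// AddDirectionalGroupRule adds t to c under a name generated from the rule's fields; any Name already set on t is replaced.` GetSecurityGroups would take something like `// GetSecurityGroups returns the security group info for instance groups with the given role.`, to be confirmed against its body. Both function bodies continue past the end of the hunk.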


@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
limitations under the License.
*/
package model
package awsmodel
import (
"testing"


@ -548,10 +548,10 @@ func (c *ApplyClusterCmd) Run(ctx context.Context) error {
l.Builders = append(l.Builders,
&awsmodel.APILoadBalancerBuilder{AWSModelContext: awsModelContext, Lifecycle: &clusterLifecycle, SecurityLifecycle: &securityLifecycle},
&awsmodel.BastionModelBuilder{KopsModelContext: modelContext, Lifecycle: &clusterLifecycle, SecurityLifecycle: &securityLifecycle},
&awsmodel.BastionModelBuilder{AWSModelContext: awsModelContext, Lifecycle: &clusterLifecycle, SecurityLifecycle: &securityLifecycle},
&awsmodel.DNSModelBuilder{KopsModelContext: modelContext, Lifecycle: &clusterLifecycle},
&awsmodel.ExternalAccessModelBuilder{KopsModelContext: modelContext, Lifecycle: &securityLifecycle},
&model.FirewallModelBuilder{KopsModelContext: modelContext, Lifecycle: &securityLifecycle},
&awsmodel.ExternalAccessModelBuilder{AWSModelContext: awsModelContext, Lifecycle: &securityLifecycle},
&awsmodel.FirewallModelBuilder{AWSModelContext: awsModelContext, Lifecycle: &securityLifecycle},
&awsmodel.SSHKeyModelBuilder{AWSModelContext: awsModelContext, Lifecycle: &securityLifecycle},
&awsmodel.NetworkModelBuilder{AWSModelContext: awsModelContext, Lifecycle: &networkLifecycle},
&awsmodel.IAMModelBuilder{AWSModelContext: awsModelContext, Lifecycle: &securityLifecycle, Cluster: cluster},


@ -18,7 +18,6 @@ package bootstrapchannelbuilder
import (
"fmt"
"k8s.io/kops/pkg/model/awsmodel"
"strings"
"k8s.io/klog/v2"
@ -28,6 +27,7 @@ import (
"k8s.io/kops/pkg/featureflag"
"k8s.io/kops/pkg/kubemanifest"
"k8s.io/kops/pkg/model"
"k8s.io/kops/pkg/model/awsmodel"
"k8s.io/kops/pkg/model/components/addonmanifests"
"k8s.io/kops/pkg/model/components/addonmanifests/awsloadbalancercontroller"
"k8s.io/kops/pkg/model/components/addonmanifests/dnscontroller"