kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

We need to create the cross-product of rules for SG overrides 

e.g. each master SGs need to be configured to talk to each master SG
This commit is contained in:
Justin Santa Barbara 2018-10-02 11:07:53 -07:00
parent 1f2a8042b5
commit 1906bcdf5d
2 changed files with 116 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
pkg/model/firewall.go
View File

@ -69,14 +69,13 @@ func (b *FirewallModelBuilder) buildNodeRules(c *fi.ModelBuilderContext) ([]Secu
return nil, err
}
for _, nodeGroup := range nodeGroups {
suffix := nodeGroup.Suffix
for _, src := range nodeGroups {
// Allow full egress
{
t := &awstasks.SecurityGroupRule{
Name: s(fmt.Sprintf("node-egress%s", suffix)),
Name: s("node-egress" + src.Suffix),
Lifecycle: b.Lifecycle,
SecurityGroup: nodeGroup.Task,
SecurityGroup: src.Task,
Egress: fi.Bool(true),
CIDR: s("0.0.0.0/0"),
}
@ -84,12 +83,14 @@ func (b *FirewallModelBuilder) buildNodeRules(c *fi.ModelBuilderContext) ([]Secu
}
// Nodes can talk to nodes
{
for _, dest := range nodeGroups {
suffix := JoinSuffixes(src, dest)
t := &awstasks.SecurityGroupRule{
Name: s(fmt.Sprintf("all-node-to-node%s", suffix)),
Name: s("all-node-to-node" + suffix),
Lifecycle: b.Lifecycle,
SecurityGroup: nodeGroup.Task,
SourceGroup: nodeGroup.Task,
SecurityGroup: dest.Task,
SourceGroup: src.Task,
}
c.AddTask(t)
}
@ -99,7 +100,7 @@ func (b *FirewallModelBuilder) buildNodeRules(c *fi.ModelBuilderContext) ([]Secu
// Nodes can talk to masters
{
t := &awstasks.SecurityGroupRule{
Name: s(fmt.Sprintf("all-nodes-to-master%s", suffix)),
Name: s(fmt.Sprintf("all-nodes-to-master%s", src.Suffix)),
Lifecycle: b.Lifecycle,
SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleMaster),
SourceGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleNode),
@ -352,14 +353,13 @@ func (b *FirewallModelBuilder) buildMasterRules(c *fi.ModelBuilderContext, nodeG
return nil, err
}
for _, masterGroup := range masterGroups {
masterSuffix := masterGroup.Suffix
for _, src := range masterGroups {
// Allow full egress
{
t := &awstasks.SecurityGroupRule{
Name: s(fmt.Sprintf("master-egress%s", masterSuffix)),
Name: s("master-egress" + src.Suffix),
Lifecycle: b.Lifecycle,
SecurityGroup: masterGroup.Task,
SecurityGroup: src.Task,
Egress: fi.Bool(true),
CIDR: s("0.0.0.0/0"),
}
@ -367,28 +367,29 @@ func (b *FirewallModelBuilder) buildMasterRules(c *fi.ModelBuilderContext, nodeG
}
// Masters can talk to masters
{
for _, dest := range masterGroups {
suffix := JoinSuffixes(src, dest)
t := &awstasks.SecurityGroupRule{
Name: s(fmt.Sprintf("all-master-to-master%s", masterSuffix)),
Name: s("all-master-to-master" + suffix),
Lifecycle: b.Lifecycle,
SecurityGroup: masterGroup.Task,
SourceGroup: masterGroup.Task,
SecurityGroup: dest.Task,
SourceGroup: src.Task,
}
c.AddTask(t)
}
for _, nodeGroup := range nodeGroups {
nodeSuffix := masterSuffix + nodeGroup.Suffix
// Masters can talk to nodes
{
t := &awstasks.SecurityGroupRule{
Name: s(fmt.Sprintf("all-master-to-node%s", nodeSuffix)),
Lifecycle: b.Lifecycle,
SecurityGroup: nodeGroup.Task,
SourceGroup: masterGroup.Task,
}
c.AddTask(t)
// Masters can talk to nodes
for _, dest := range nodeGroups {
suffix := JoinSuffixes(src, dest)
t := &awstasks.SecurityGroupRule{
Name: s("all-master-to-node" + suffix),
Lifecycle: b.Lifecycle,
SecurityGroup: dest.Task,
SourceGroup: src.Task,
}
c.AddTask(t)
}
}
@ -509,3 +510,24 @@ func (b *KopsModelContext) createSecurityGroups(role kops.InstanceGroupRole, lif
return groups, nil
}
// JoinSuffixes constructs a suffix for traffic from the src to the dest group
// We have to avoid ambiguity in the case where one has a suffix and the other does not,
// where normally l.Suffix + r.Suffix would equal r.Suffix + l.Suffix
func JoinSuffixes(src SecurityGroupInfo, dest SecurityGroupInfo) string {
if src.Suffix == "" && dest.Suffix == "" {
return ""
}
s := src.Suffix
if s == "" {
s = "-default"
}
d := dest.Suffix
if d == "" {
d = "-default"
}
return s + d
}

78
tests/integration/update_cluster/existing_sg/kubernetes.tf
View File

@ -560,7 +560,34 @@ resource "aws_security_group_rule" "all-master-to-master" {
protocol = "-1"
}
resource "aws_security_group_rule" "all-master-to-master-sg-master-1a" {
resource "aws_security_group_rule" "all-master-to-master-default-sg-master-1a" {
type = "ingress"
security_group_id = "sg-master-1a"
source_security_group_id = "${aws_security_group.masters-existingsg-example-com.id}"
from_port = 0
to_port = 0
protocol = "-1"
}
resource "aws_security_group_rule" "all-master-to-master-default-sg-master-1b" {
type = "ingress"
security_group_id = "sg-master-1b"
source_security_group_id = "${aws_security_group.masters-existingsg-example-com.id}"
from_port = 0
to_port = 0
protocol = "-1"
}
resource "aws_security_group_rule" "all-master-to-master-sg-master-1a-default" {
type = "ingress"
security_group_id = "${aws_security_group.masters-existingsg-example-com.id}"
source_security_group_id = "sg-master-1a"
from_port = 0
to_port = 0
protocol = "-1"
}
resource "aws_security_group_rule" "all-master-to-master-sg-master-1a-sg-master-1a" {
type = "ingress"
security_group_id = "sg-master-1a"
source_security_group_id = "sg-master-1a"
@ -569,7 +596,34 @@ resource "aws_security_group_rule" "all-master-to-master-sg-master-1a" {
protocol = "-1"
}
resource "aws_security_group_rule" "all-master-to-master-sg-master-1b" {
resource "aws_security_group_rule" "all-master-to-master-sg-master-1a-sg-master-1b" {
type = "ingress"
security_group_id = "sg-master-1b"
source_security_group_id = "sg-master-1a"
from_port = 0
to_port = 0
protocol = "-1"
}
resource "aws_security_group_rule" "all-master-to-master-sg-master-1b-default" {
type = "ingress"
security_group_id = "${aws_security_group.masters-existingsg-example-com.id}"
source_security_group_id = "sg-master-1b"
from_port = 0
to_port = 0
protocol = "-1"
}
resource "aws_security_group_rule" "all-master-to-master-sg-master-1b-sg-master-1a" {
type = "ingress"
security_group_id = "sg-master-1a"
source_security_group_id = "sg-master-1b"
from_port = 0
to_port = 0
protocol = "-1"
}
resource "aws_security_group_rule" "all-master-to-master-sg-master-1b-sg-master-1b" {
type = "ingress"
security_group_id = "sg-master-1b"
source_security_group_id = "sg-master-1b"
@ -578,6 +632,15 @@ resource "aws_security_group_rule" "all-master-to-master-sg-master-1b" {
protocol = "-1"
}
resource "aws_security_group_rule" "all-master-to-node-default-sg-nodes" {
type = "ingress"
security_group_id = "sg-nodes"
source_security_group_id = "${aws_security_group.masters-existingsg-example-com.id}"
from_port = 0
to_port = 0
protocol = "-1"
}
resource "aws_security_group_rule" "all-master-to-node-sg-master-1a-sg-nodes" {
type = "ingress"
security_group_id = "sg-nodes"
@ -596,16 +659,7 @@ resource "aws_security_group_rule" "all-master-to-node-sg-master-1b-sg-nodes" {
protocol = "-1"
}
resource "aws_security_group_rule" "all-master-to-node-sg-nodes" {
type = "ingress"
security_group_id = "sg-nodes"
source_security_group_id = "${aws_security_group.masters-existingsg-example-com.id}"
from_port = 0
to_port = 0
protocol = "-1"
}
resource "aws_security_group_rule" "all-node-to-node-sg-nodes" {
resource "aws_security_group_rule" "all-node-to-node-sg-nodes-sg-nodes" {
type = "ingress"
security_group_id = "sg-nodes"
source_security_group_id = "sg-nodes"