diff --git a/pkg/model/gcemodel/api_loadbalancer.go b/pkg/model/gcemodel/api_loadbalancer.go
index 90f75a9f3d..dccb86a86b 100644
--- a/pkg/model/gcemodel/api_loadbalancer.go
+++ b/pkg/model/gcemodel/api_loadbalancer.go
@@ -38,7 +38,7 @@ var _ fi.CloudupModelBuilder = &APILoadBalancerBuilder{}
 
 // createPublicLB validates the existence of a target pool with the given name,
 // and creates an IP address and forwarding rule pointing to that target pool.
-func createPublicLB(b *APILoadBalancerBuilder, c *fi.CloudupModelBuilderContext) error {
+func (b *APILoadBalancerBuilder) createPublicLB(c *fi.CloudupModelBuilderContext) error {
 	healthCheck := &gcetasks.HTTPHealthcheck{
 		Name: s(b.NameForHealthcheck("api")),
 		Port: i64(wellknownports.KubeAPIServerHealthCheck),
@@ -89,6 +89,10 @@ func createPublicLB(b *APILoadBalancerBuilder, c *fi.CloudupModelBuilderContext)
 		})
 	}
 
+	return b.addFirewallRules(c)
+}
+
+func (b *APILoadBalancerBuilder) addFirewallRules(c *fi.CloudupModelBuilderContext) error {
 	// Allow traffic into the API from KubernetesAPIAccess CIDRs
 	{
 		network, err := b.LinkToNetwork()
@@ -132,7 +136,7 @@ func createPublicLB(b *APILoadBalancerBuilder, c *fi.CloudupModelBuilderContext)
 // createInternalLB creates an internal load balancer for the cluster. In
 // GCP this entails creating a health check, backend service, and one forwarding rule
 // per specified subnet pointing to that backend service.
-func createInternalLB(b *APILoadBalancerBuilder, c *fi.CloudupModelBuilderContext) error {
+func (b *APILoadBalancerBuilder) createInternalLB(c *fi.CloudupModelBuilderContext) error {
 	hc := &gcetasks.HealthCheck{
 		Name: s(b.NameForHealthCheck("api")),
 		Port: wellknownports.KubeAPIServer,
@@ -215,8 +219,7 @@ func createInternalLB(b *APILoadBalancerBuilder, c *fi.CloudupModelBuilderContex
 		})
 	}
 	}
-
-	return nil
+	return b.addFirewallRules(c)
 }
 
 func (b *APILoadBalancerBuilder) Build(c *fi.CloudupModelBuilderContext) error {
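Review bot: The new addFirewallRules method in the @@ -89 hunk has no doc comment, while createPublicLB and createInternalLB in this file are each introduced by one, and it is now the shared tail of both load balancer paths. The only description the diff shows is the inline comment on its first body line, `// Allow traffic into the API from KubernetesAPIAccess CIDRs`; I would lift that into a function comment such as `// addFirewallRules creates the firewall rules that admit the KubernetesAPIAccess CIDRs to the API on the control-plane nodes; it is shared by createPublicLB and createInternalLB.` The body of addFirewallRules continues past the hunk, so any further ports or conditions it applies are not visible here.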
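Review bot: createInternalLB now ends in `return b.addFirewallRules(c)` (the @@ -215 hunk), so an internal load balancer no longer limits API exposure by itself: the same KubernetesAPIAccess-sourced rules are created, and the minimal_gce_ilb and minimal_gce_ilb_longclustername fixtures in this commit show https-api rules with `source_ranges = ["0.0.0.0/0"]` and `["::/0"]` targeted at the control-plane tag. Whether those ranges actually reach the instances depends on whether the control-plane nodes carry external addresses, which this diff does not show, so I would treat it as a risk to make explicit rather than a confirmed exposure. At minimum the internal path should document the coupling, for example a comment above the new return reading `// Firewall rules are derived from KubernetesAPIAccess for both LB types; for an internal LB that list is expected to hold internal CIDRs only.`, and it is worth considering a validation warning when the type is internal but KubernetesAPIAccess contains a 0.0.0.0/0 or ::/0 entry. The body of addFirewallRules is outside this hunk, so the exact ranges it emits are inferred from the fixtures.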
@@ -232,10 +235,10 @@ func (b *APILoadBalancerBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 	switch lbSpec.Type {
 	case kops.LoadBalancerTypePublic:
-		return createPublicLB(b, c)
+		return b.createPublicLB(c)
 	case kops.LoadBalancerTypeInternal:
-		return createInternalLB(b, c)
+		return b.createInternalLB(c)
 	default:
 		return fmt.Errorf("unhandled LoadBalancer type %q", lbSpec.Type)
diff --git a/tests/integration/update_cluster/minimal_gce_dns-none/kubernetes.tf b/tests/integration/update_cluster/minimal_gce_dns-none/kubernetes.tf
index 62fd945108..84fb864b44 100644
--- a/tests/integration/update_cluster/minimal_gce_dns-none/kubernetes.tf
+++ b/tests/integration/update_cluster/minimal_gce_dns-none/kubernetes.tf
@@ -211,6 +211,54 @@ resource "google_compute_disk" "a-etcd-main-minimal-gce-example-com" {
   zone = "us-test1-a"
 }
 
+resource "google_compute_firewall" "https-api-ipv6-minimal-gce-example-com" {
+  allow {
+    ports    = ["443"]
+    protocol = "tcp"
+  }
+  disabled      = false
+  name          = "https-api-ipv6-minimal-gce-example-com"
+  network       = google_compute_network.minimal-gce-example-com.name
+  source_ranges = ["::/0"]
+  target_tags   = ["minimal-gce-example-com-k8s-io-role-control-plane"]
+}
+
+resource "google_compute_firewall" "https-api-minimal-gce-example-com" {
+  allow {
+    ports    = ["443"]
+    protocol = "tcp"
+  }
+  disabled      = false
+  name          = "https-api-minimal-gce-example-com"
+  network       = google_compute_network.minimal-gce-example-com.name
+  source_ranges = ["0.0.0.0/0"]
+  target_tags   = ["minimal-gce-example-com-k8s-io-role-control-plane"]
+}
+
+resource "google_compute_firewall" "kops-controller-ipv6-minimal-gce-example-com" {
+  allow {
+    ports    = ["3988"]
+    protocol = "tcp"
+  }
+  disabled      = false
+  name          = "kops-controller-ipv6-minimal-gce-example-com"
+  network       = google_compute_network.minimal-gce-example-com.name
+  source_ranges = ["::/0"]
+  target_tags   = ["minimal-gce-example-com-k8s-io-role-control-plane"]
+}
+
+resource "google_compute_firewall" "kops-controller-minimal-gce-example-com" {
+  allow {
+    ports    = ["3988"]
+    protocol = "tcp"
+  }
+  disabled      = false
+  name          = "kops-controller-minimal-gce-example-com"
+  network       = google_compute_network.minimal-gce-example-com.name
+  source_ranges = ["0.0.0.0/0"]
+  target_tags   = ["minimal-gce-example-com-k8s-io-role-control-plane"]
+}
+
 resource "google_compute_firewall" "lb-health-checks-minimal-gce-example-com" {
   allow {
     protocol = "tcp"
diff --git a/tests/integration/update_cluster/minimal_gce_ilb/kubernetes.tf b/tests/integration/update_cluster/minimal_gce_ilb/kubernetes.tf
index aeb6d4eaae..c06d434e18 100644
--- a/tests/integration/update_cluster/minimal_gce_ilb/kubernetes.tf
+++ b/tests/integration/update_cluster/minimal_gce_ilb/kubernetes.tf
@@ -219,6 +219,30 @@ resource "google_compute_disk" "a-etcd-main-minimal-gce-ilb-example-com" {
   zone = "us-test1-a"
 }
 
+resource "google_compute_firewall" "https-api-ipv6-minimal-gce-ilb-example-com" {
+  allow {
+    ports    = ["443"]
+    protocol = "tcp"
+  }
+  disabled      = false
+  name          = "https-api-ipv6-minimal-gce-ilb-example-com"
+  network       = google_compute_network.minimal-gce-ilb-example-com.name
+  source_ranges = ["::/0"]
+  target_tags   = ["minimal-gce-ilb-example-com-k8s-io-role-control-plane"]
+}
+
+resource "google_compute_firewall" "https-api-minimal-gce-ilb-example-com" {
+  allow {
+    ports    = ["443"]
+    protocol = "tcp"
+  }
+  disabled      = false
+  name          = "https-api-minimal-gce-ilb-example-com"
+  network       = google_compute_network.minimal-gce-ilb-example-com.name
+  source_ranges = ["0.0.0.0/0"]
+  target_tags   = ["minimal-gce-ilb-example-com-k8s-io-role-control-plane"]
+}
+
 resource "google_compute_firewall" "lb-health-checks-minimal-gce-ilb-example-com" {
   allow {
     protocol = "tcp"
diff --git a/tests/integration/update_cluster/minimal_gce_ilb_longclustername/kubernetes.tf b/tests/integration/update_cluster/minimal_gce_ilb_longclustername/kubernetes.tf
index 8f29e87b1d..b6be195dff 100644
--- a/tests/integration/update_cluster/minimal_gce_ilb_longclustername/kubernetes.tf
+++ b/tests/integration/update_cluster/minimal_gce_ilb_longclustername/kubernetes.tf
@@ -219,6 +219,30 @@ resource "google_compute_disk" "a-etcd-main-minimal-gce-with-a-very-very-very-ve
   zone = "us-test1-a"
 }
 
+resource "google_compute_firewall" "https-api-ipv6-minimal-gce-with-a-very-very-very-very-ve-96dqvi" {
+  allow {
+    ports    = ["443"]
+    protocol = "tcp"
+  }
+  disabled      = false
+  name          = "https-api-ipv6-minimal-gce-with-a-very-very-very-very-ve-96dqvi"
+  network       = google_compute_network.minimal-gce-with-a-very-very-very-very-very-long-name-ex-96dqvi.name
+  source_ranges = ["::/0"]
+  target_tags   = ["minimal-gce-with-a-very-very-v-96dqvi-k8s-io-role-control-plane"]
+}
+
+resource "google_compute_firewall" "https-api-minimal-gce-with-a-very-very-very-very-very-lo-96dqvi" {
+  allow {
+    ports    = ["443"]
+    protocol = "tcp"
+  }
+  disabled      = false
+  name          = "https-api-minimal-gce-with-a-very-very-very-very-very-lo-96dqvi"
+  network       = google_compute_network.minimal-gce-with-a-very-very-very-very-very-long-name-ex-96dqvi.name
+  source_ranges = ["0.0.0.0/0"]
+  target_tags   = ["minimal-gce-with-a-very-very-v-96dqvi-k8s-io-role-control-plane"]
+}
+
 resource "google_compute_firewall" "lb-health-checks-minimal-gce-with-a-very-very-very-very--96dqvi" {
   allow {
     protocol = "tcp"