GCE: Set firewall rules for Internal LBs also

It seems we can use the exact same rules.
This commit is contained in:
justinsb 2023-07-09 19:01:58 -04:00
parent 114ac311c1
commit 3613f586c8
4 changed files with 105 additions and 6 deletions


@ -38,7 +38,7 @@ var _ fi.CloudupModelBuilder = &APILoadBalancerBuilder{}
// createPublicLB validates the existence of a target pool with the given name, // createPublicLB validates the existence of a target pool with the given name,
// and creates an IP address and forwarding rule pointing to that target pool. // and creates an IP address and forwarding rule pointing to that target pool.
func createPublicLB(b *APILoadBalancerBuilder, c *fi.CloudupModelBuilderContext) error { func (b *APILoadBalancerBuilder) createPublicLB(c *fi.CloudupModelBuilderContext) error {
healthCheck := &gcetasks.HTTPHealthcheck{ healthCheck := &gcetasks.HTTPHealthcheck{
Name: s(b.NameForHealthcheck("api")), Name: s(b.NameForHealthcheck("api")),
Port: i64(wellknownports.KubeAPIServerHealthCheck), Port: i64(wellknownports.KubeAPIServerHealthCheck),
@ -89,6 +89,10 @@ func createPublicLB(b *APILoadBalancerBuilder, c *fi.CloudupModelBuilderContext)
}) })
} }
return b.addFirewallRules(c)
}
func (b *APILoadBalancerBuilder) addFirewallRules(c *fi.CloudupModelBuilderContext) error {
// Allow traffic into the API from KubernetesAPIAccess CIDRs // Allow traffic into the API from KubernetesAPIAccess CIDRs
{ {
network, err := b.LinkToNetwork() network, err := b.LinkToNetwork()
@ -132,7 +136,7 @@ func createPublicLB(b *APILoadBalancerBuilder, c *fi.CloudupModelBuilderContext)
// createInternalLB creates an internal load balancer for the cluster. In // createInternalLB creates an internal load balancer for the cluster. In
// GCP this entails creating a health check, backend service, and one forwarding rule // GCP this entails creating a health check, backend service, and one forwarding rule
// per specified subnet pointing to that backend service. // per specified subnet pointing to that backend service.
func createInternalLB(b *APILoadBalancerBuilder, c *fi.CloudupModelBuilderContext) error { func (b *APILoadBalancerBuilder) createInternalLB(c *fi.CloudupModelBuilderContext) error {
hc := &gcetasks.HealthCheck{ hc := &gcetasks.HealthCheck{
Name: s(b.NameForHealthCheck("api")), Name: s(b.NameForHealthCheck("api")),
Port: wellknownports.KubeAPIServer, Port: wellknownports.KubeAPIServer,
@ -215,8 +219,7 @@ func createInternalLB(b *APILoadBalancerBuilder, c *fi.CloudupModelBuilderContex
}) })
} }
} }
return b.addFirewallRules(c)
return nil
} }
func (b *APILoadBalancerBuilder) Build(c *fi.CloudupModelBuilderContext) error { func (b *APILoadBalancerBuilder) Build(c *fi.CloudupModelBuilderContext) error {
@ -232,10 +235,10 @@ func (b *APILoadBalancerBuilder) Build(c *fi.CloudupModelBuilderContext) error {
switch lbSpec.Type { switch lbSpec.Type {
case kops.LoadBalancerTypePublic: case kops.LoadBalancerTypePublic:
return createPublicLB(b, c) return b.createPublicLB(c)
case kops.LoadBalancerTypeInternal: case kops.LoadBalancerTypeInternal:
return createInternalLB(b, c) return b.createInternalLB(c)
default: default:
return fmt.Errorf("unhandled LoadBalancer type %q", lbSpec.Type) return fmt.Errorf("unhandled LoadBalancer type %q", lbSpec.Type)
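Review bot: addFirewallRules, introduced in the hunk at `@ -89,6 +89,10 @@`, has no doc comment although its siblings createPublicLB and createInternalLB both carry one, and the method now embodies a security-relevant decision: the KubernetesAPIAccess CIDRs (per the comment `// Allow traffic into the API from KubernetesAPIAccess CIDRs`) become GCE firewall source ranges for an internal LB too, which the added fixtures render as `source_ranges = ["0.0.0.0/0"]` and `["::/0"]` on port 443 against the control-plane target tag. That is harmless as long as traffic can only arrive through the internal forwarding rule, but if control-plane instances also have external addresses the rule admits any source directly, so the assumption should be recorded where the method is defined. I would add `// addFirewallRules creates the firewall rules admitting API traffic from the KubernetesAPIAccess CIDRs to control-plane instances; it is shared by createPublicLB and createInternalLB, so an internal LB inherits the same (possibly 0.0.0.0/0) source ranges.` above the method. The body of addFirewallRules continues outside the hunk, as do createPublicLB and createInternalLB.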


@ -211,6 +211,54 @@ resource "google_compute_disk" "a-etcd-main-minimal-gce-example-com" {
zone = "us-test1-a" zone = "us-test1-a"
} }
resource "google_compute_firewall" "https-api-ipv6-minimal-gce-example-com" {
allow {
ports = ["443"]
protocol = "tcp"
}
disabled = false
name = "https-api-ipv6-minimal-gce-example-com"
network = google_compute_network.minimal-gce-example-com.name
source_ranges = ["::/0"]
target_tags = ["minimal-gce-example-com-k8s-io-role-control-plane"]
}
resource "google_compute_firewall" "https-api-minimal-gce-example-com" {
allow {
ports = ["443"]
protocol = "tcp"
}
disabled = false
name = "https-api-minimal-gce-example-com"
network = google_compute_network.minimal-gce-example-com.name
source_ranges = ["0.0.0.0/0"]
target_tags = ["minimal-gce-example-com-k8s-io-role-control-plane"]
}
resource "google_compute_firewall" "kops-controller-ipv6-minimal-gce-example-com" {
allow {
ports = ["3988"]
protocol = "tcp"
}
disabled = false
name = "kops-controller-ipv6-minimal-gce-example-com"
network = google_compute_network.minimal-gce-example-com.name
source_ranges = ["::/0"]
target_tags = ["minimal-gce-example-com-k8s-io-role-control-plane"]
}
resource "google_compute_firewall" "kops-controller-minimal-gce-example-com" {
allow {
ports = ["3988"]
protocol = "tcp"
}
disabled = false
name = "kops-controller-minimal-gce-example-com"
network = google_compute_network.minimal-gce-example-com.name
source_ranges = ["0.0.0.0/0"]
target_tags = ["minimal-gce-example-com-k8s-io-role-control-plane"]
}
resource "google_compute_firewall" "lb-health-checks-minimal-gce-example-com" { resource "google_compute_firewall" "lb-health-checks-minimal-gce-example-com" {
allow { allow {
protocol = "tcp" protocol = "tcp"


@ -219,6 +219,30 @@ resource "google_compute_disk" "a-etcd-main-minimal-gce-ilb-example-com" {
zone = "us-test1-a" zone = "us-test1-a"
} }
resource "google_compute_firewall" "https-api-ipv6-minimal-gce-ilb-example-com" {
allow {
ports = ["443"]
protocol = "tcp"
}
disabled = false
name = "https-api-ipv6-minimal-gce-ilb-example-com"
network = google_compute_network.minimal-gce-ilb-example-com.name
source_ranges = ["::/0"]
target_tags = ["minimal-gce-ilb-example-com-k8s-io-role-control-plane"]
}
resource "google_compute_firewall" "https-api-minimal-gce-ilb-example-com" {
allow {
ports = ["443"]
protocol = "tcp"
}
disabled = false
name = "https-api-minimal-gce-ilb-example-com"
network = google_compute_network.minimal-gce-ilb-example-com.name
source_ranges = ["0.0.0.0/0"]
target_tags = ["minimal-gce-ilb-example-com-k8s-io-role-control-plane"]
}
resource "google_compute_firewall" "lb-health-checks-minimal-gce-ilb-example-com" { resource "google_compute_firewall" "lb-health-checks-minimal-gce-ilb-example-com" {
allow { allow {
protocol = "tcp" protocol = "tcp"


@ -219,6 +219,30 @@ resource "google_compute_disk" "a-etcd-main-minimal-gce-with-a-very-very-very-ve
zone = "us-test1-a" zone = "us-test1-a"
} }
resource "google_compute_firewall" "https-api-ipv6-minimal-gce-with-a-very-very-very-very-ve-96dqvi" {
allow {
ports = ["443"]
protocol = "tcp"
}
disabled = false
name = "https-api-ipv6-minimal-gce-with-a-very-very-very-very-ve-96dqvi"
network = google_compute_network.minimal-gce-with-a-very-very-very-very-very-long-name-ex-96dqvi.name
source_ranges = ["::/0"]
target_tags = ["minimal-gce-with-a-very-very-v-96dqvi-k8s-io-role-control-plane"]
}
resource "google_compute_firewall" "https-api-minimal-gce-with-a-very-very-very-very-very-lo-96dqvi" {
allow {
ports = ["443"]
protocol = "tcp"
}
disabled = false
name = "https-api-minimal-gce-with-a-very-very-very-very-very-lo-96dqvi"
network = google_compute_network.minimal-gce-with-a-very-very-very-very-very-long-name-ex-96dqvi.name
source_ranges = ["0.0.0.0/0"]
target_tags = ["minimal-gce-with-a-very-very-v-96dqvi-k8s-io-role-control-plane"]
}
resource "google_compute_firewall" "lb-health-checks-minimal-gce-with-a-very-very-very-very--96dqvi" { resource "google_compute_firewall" "lb-health-checks-minimal-gce-with-a-very-very-very-very--96dqvi" {
allow { allow {
protocol = "tcp" protocol = "tcp"