kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

AWS: Enable ICMP Type 3 Code 4 for API server ELBs

This commit is contained in:
David Archer 2019-01-03 22:02:09 -05:00
parent fe074fbd30
commit 36d2282d6b
12 changed files with 115 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
pkg/model/awsmodel/api_loadbalancer.go
View File

@ -189,7 +189,9 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
// Allow traffic into the ELB from KubernetesAPIAccess CIDRs // Allow traffic into the ELB from KubernetesAPIAccess CIDRs
{ {
for _, cidr := range b.Cluster.Spec.KubernetesAPIAccess { for _, cidr := range b.Cluster.Spec.KubernetesAPIAccess {
t := &awstasks.SecurityGroupRule{
// Allow https traffic
c.AddTask(&awstasks.SecurityGroupRule{
Name: s("https-api-elb-" + cidr), Name: s("https-api-elb-" + cidr),
Lifecycle: b.SecurityLifecycle, Lifecycle: b.SecurityLifecycle,
@ -198,8 +200,19 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
FromPort: i64(443), FromPort: i64(443),
ToPort: i64(443), ToPort: i64(443),
Protocol: s("tcp"), Protocol: s("tcp"),
} })
c.AddTask(t)
// Allow ICMP traffic required for PMTU discovery
c.AddTask(&awstasks.SecurityGroupRule{
Name: s("icmp-pmtu-api-elb-" + cidr),
Lifecycle: b.SecurityLifecycle,
SecurityGroup: lbSG,
CIDR: s(cidr),
FromPort: i64(3),
ToPort: i64(4),
Protocol: s("icmp"),
})
} }
} }

9
tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf
View File

@ -660,6 +660,15 @@ resource "aws_security_group_rule" "https-elb-to-master" {
protocol = "tcp" protocol = "tcp"
} }
resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
type = "ingress"
security_group_id = "${aws_security_group.api-elb-bastionuserdata-example-com.id}"
from_port = 3
to_port = 4
protocol = "icmp"
cidr_blocks = ["0.0.0.0/0"]
}
resource "aws_security_group_rule" "master-egress" { resource "aws_security_group_rule" "master-egress" {
type = "egress" type = "egress"
security_group_id = "${aws_security_group.masters-bastionuserdata-example-com.id}" security_group_id = "${aws_security_group.masters-bastionuserdata-example-com.id}"

9
tests/integration/update_cluster/complex/kubernetes.tf
View File

@ -454,6 +454,15 @@ resource "aws_security_group_rule" "https-elb-to-master" {
protocol = "tcp" protocol = "tcp"
} }
resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
type = "ingress"
security_group_id = "${aws_security_group.api-elb-complex-example-com.id}"
from_port = 3
to_port = 4
protocol = "icmp"
cidr_blocks = ["0.0.0.0/0"]
}
resource "aws_security_group_rule" "master-egress" { resource "aws_security_group_rule" "master-egress" {
type = "egress" type = "egress"
security_group_id = "${aws_security_group.masters-complex-example-com.id}" security_group_id = "${aws_security_group.masters-complex-example-com.id}"

9
tests/integration/update_cluster/existing_sg/kubernetes.tf
View File

@ -713,6 +713,15 @@ resource "aws_security_group_rule" "https-elb-to-master-sg-master-1b" {
protocol = "tcp" protocol = "tcp"
} }
resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
type = "ingress"
security_group_id = "sg-elb"
from_port = 3
to_port = 4
protocol = "icmp"
cidr_blocks = ["0.0.0.0/0"]
}
resource "aws_security_group_rule" "master-egress" { resource "aws_security_group_rule" "master-egress" {
type = "egress" type = "egress"
security_group_id = "${aws_security_group.masters-existingsg-example-com.id}" security_group_id = "${aws_security_group.masters-existingsg-example-com.id}"

9
tests/integration/update_cluster/private-shared-subnet/kubernetes.tf
View File

@ -574,6 +574,15 @@ resource "aws_security_group_rule" "https-elb-to-master" {
protocol = "tcp" protocol = "tcp"
} }
resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
type = "ingress"
security_group_id = "${aws_security_group.api-elb-private-shared-subnet-example-com.id}"
from_port = 3
to_port = 4
protocol = "icmp"
cidr_blocks = ["0.0.0.0/0"]
}
resource "aws_security_group_rule" "master-egress" { resource "aws_security_group_rule" "master-egress" {
type = "egress" type = "egress"
security_group_id = "${aws_security_group.masters-private-shared-subnet-example-com.id}" security_group_id = "${aws_security_group.masters-private-shared-subnet-example-com.id}"

9
tests/integration/update_cluster/privatecalico/kubernetes.tf
View File

@ -659,6 +659,15 @@ resource "aws_security_group_rule" "https-elb-to-master" {
protocol = "tcp" protocol = "tcp"
} }
resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
type = "ingress"
security_group_id = "${aws_security_group.api-elb-privatecalico-example-com.id}"
from_port = 3
to_port = 4
protocol = "icmp"
cidr_blocks = ["0.0.0.0/0"]
}
resource "aws_security_group_rule" "master-egress" { resource "aws_security_group_rule" "master-egress" {
type = "egress" type = "egress"
security_group_id = "${aws_security_group.masters-privatecalico-example-com.id}" security_group_id = "${aws_security_group.masters-privatecalico-example-com.id}"

9
tests/integration/update_cluster/privatecanal/kubernetes.tf
View File

@ -659,6 +659,15 @@ resource "aws_security_group_rule" "https-elb-to-master" {
protocol = "tcp" protocol = "tcp"
} }
resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
type = "ingress"
security_group_id = "${aws_security_group.api-elb-privatecanal-example-com.id}"
from_port = 3
to_port = 4
protocol = "icmp"
cidr_blocks = ["0.0.0.0/0"]
}
resource "aws_security_group_rule" "master-egress" { resource "aws_security_group_rule" "master-egress" {
type = "egress" type = "egress"
security_group_id = "${aws_security_group.masters-privatecanal-example-com.id}" security_group_id = "${aws_security_group.masters-privatecanal-example-com.id}"

9
tests/integration/update_cluster/privatedns1/kubernetes.tf
View File

@ -664,6 +664,15 @@ resource "aws_security_group_rule" "https-elb-to-master" {
protocol = "tcp" protocol = "tcp"
} }
resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
type = "ingress"
security_group_id = "${aws_security_group.api-elb-privatedns1-example-com.id}"
from_port = 3
to_port = 4
protocol = "icmp"
cidr_blocks = ["0.0.0.0/0"]
}
resource "aws_security_group_rule" "master-egress" { resource "aws_security_group_rule" "master-egress" {
type = "egress" type = "egress"
security_group_id = "${aws_security_group.masters-privatedns1-example-com.id}" security_group_id = "${aws_security_group.masters-privatedns1-example-com.id}"

9
tests/integration/update_cluster/privatedns2/kubernetes.tf
View File

@ -644,6 +644,15 @@ resource "aws_security_group_rule" "https-elb-to-master" {
protocol = "tcp" protocol = "tcp"
} }
resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
type = "ingress"
security_group_id = "${aws_security_group.api-elb-privatedns2-example-com.id}"
from_port = 3
to_port = 4
protocol = "icmp"
cidr_blocks = ["0.0.0.0/0"]
}
resource "aws_security_group_rule" "master-egress" { resource "aws_security_group_rule" "master-egress" {
type = "egress" type = "egress"
security_group_id = "${aws_security_group.masters-privatedns2-example-com.id}" security_group_id = "${aws_security_group.masters-privatedns2-example-com.id}"

9
tests/integration/update_cluster/privateflannel/kubernetes.tf
View File

@ -659,6 +659,15 @@ resource "aws_security_group_rule" "https-elb-to-master" {
protocol = "tcp" protocol = "tcp"
} }
resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
type = "ingress"
security_group_id = "${aws_security_group.api-elb-privateflannel-example-com.id}"
from_port = 3
to_port = 4
protocol = "icmp"
cidr_blocks = ["0.0.0.0/0"]
}
resource "aws_security_group_rule" "master-egress" { resource "aws_security_group_rule" "master-egress" {
type = "egress" type = "egress"
security_group_id = "${aws_security_group.masters-privateflannel-example-com.id}" security_group_id = "${aws_security_group.masters-privateflannel-example-com.id}"

9
tests/integration/update_cluster/privatekopeio/kubernetes.tf
View File

@ -680,6 +680,15 @@ resource "aws_security_group_rule" "https-elb-to-master" {
protocol = "tcp" protocol = "tcp"
} }
resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
type = "ingress"
security_group_id = "${aws_security_group.api-elb-privatekopeio-example-com.id}"
from_port = 3
to_port = 4
protocol = "icmp"
cidr_blocks = ["0.0.0.0/0"]
}
resource "aws_security_group_rule" "master-egress" { resource "aws_security_group_rule" "master-egress" {
type = "egress" type = "egress"
security_group_id = "${aws_security_group.masters-privatekopeio-example-com.id}" security_group_id = "${aws_security_group.masters-privatekopeio-example-com.id}"

9
tests/integration/update_cluster/privateweave/kubernetes.tf
View File

@ -659,6 +659,15 @@ resource "aws_security_group_rule" "https-elb-to-master" {
protocol = "tcp" protocol = "tcp"
} }
resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
type = "ingress"
security_group_id = "${aws_security_group.api-elb-privateweave-example-com.id}"
from_port = 3
to_port = 4
protocol = "icmp"
cidr_blocks = ["0.0.0.0/0"]
}
resource "aws_security_group_rule" "master-egress" { resource "aws_security_group_rule" "master-egress" {
type = "egress" type = "egress"
security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" security_group_id = "${aws_security_group.masters-privateweave-example-com.id}"