GCE: For IPAlias or Custom Routes, we must recognize source by CIDR
SourceTags are not recognized when using IPAlias or custom routes (aka kubenet), so we must recognize by CIDR instead.
This commit is contained in:
parent
be2676076c
commit
3e83b771d6
|
|
@ -89,3 +89,11 @@ func (c *GCEModelContext) NameForIPAddress(id string) string {
|
|||
func (c *GCEModelContext) NameForFirewallRule(id string) string {
|
||||
return c.SafeObjectName(id)
|
||||
}
|
||||
|
||||
func (c *GCEModelContext) NetworkingIsIPAlias() bool {
|
||||
return c.Cluster.Spec.Networking != nil && c.Cluster.Spec.Networking.GCE != nil
|
||||
}
|
||||
|
||||
func (c *GCEModelContext) NetworkingIsGCERoutes() bool {
|
||||
return c.Cluster.Spec.Networking != nil && c.Cluster.Spec.Networking.Kubenet != nil
|
||||
}
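Review bot: NetworkingIsIPAlias and NetworkingIsGCERoutes are exported but carry no doc comment, and the second name does not say that it is the Kubenet field being tested. Suggested comments: `// NetworkingIsIPAlias reports whether the cluster uses GCE IP-alias networking (Spec.Networking.GCE is set).` and `// NetworkingIsGCERoutes reports whether the cluster uses kubenet, which on GCE is implemented with custom routes (Spec.Networking.Kubenet is set).` Since the firewall model keys off these two helpers to decide whether traffic is admitted by source range instead of by source tag, stating the mapping here keeps the two files from drifting apart.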
|
||||
|
|
|
|||
|
|
@ -17,6 +17,7 @@ limitations under the License.
|
|||
package gcemodel
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net"
|
||||
"strings"
|
||||
|
||||
|
|
@ -37,18 +38,6 @@ var _ fi.ModelBuilder = &FirewallModelBuilder{}
|
|||
func (b *FirewallModelBuilder) Build(c *fi.ModelBuilderContext) error {
|
||||
klog.Warningf("TODO: Harmonize gcemodel with awsmodel for firewall - GCE model is way too open")
|
||||
|
||||
//// Allow all traffic from vms in our network
|
||||
//// TODO: Is this a good idea?
|
||||
//{
|
||||
// t := &gcetasks.FirewallRule{
|
||||
// Name: s(b.SafeObjectName("kubernetes-internal")),
|
||||
// Network: b.LinkToNetwork(),
|
||||
// SourceRanges: []string{b.Cluster.Spec.NetworkCIDR},
|
||||
// Allowed: []string{"tcp:1-65535", "udp:1-65535", "icmp"},
|
||||
// }
|
||||
// c.AddTask(t)
|
||||
//}
|
||||
|
||||
// Allow all traffic from nodes -> nodes
|
||||
{
|
||||
t := &gcetasks.FirewallRule{
|
||||
|
|
@ -62,19 +51,6 @@ func (b *FirewallModelBuilder) Build(c *fi.ModelBuilderContext) error {
|
|||
c.AddTask(t)
|
||||
}
|
||||
|
||||
if b.Cluster.Spec.NonMasqueradeCIDR != "" {
|
||||
// The traffic is not recognized if it's on the overlay network?
|
||||
klog.Warningf("Adding overlay network for X -> node rule - HACK")
|
||||
|
||||
b.AddFirewallRulesTasks(c, "cidr-to-node", &gcetasks.FirewallRule{
|
||||
Lifecycle: b.Lifecycle,
|
||||
Network: b.LinkToNetwork(),
|
||||
SourceRanges: []string{b.Cluster.Spec.NonMasqueradeCIDR},
|
||||
TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleNode)},
|
||||
Allowed: []string{"tcp", "udp", "icmp", "esp", "ah", "sctp"},
|
||||
})
|
||||
}
|
||||
|
||||
// Allow full traffic from master -> master
|
||||
{
|
||||
t := &gcetasks.FirewallRule{
|
||||
|
|
@ -114,18 +90,23 @@ func (b *FirewallModelBuilder) Build(c *fi.ModelBuilderContext) error {
|
|||
c.AddTask(t)
|
||||
}
|
||||
|
||||
if b.Cluster.Spec.NonMasqueradeCIDR != "" {
|
||||
// The traffic is not recognized if it's on the overlay network?
|
||||
klog.Warningf("Adding overlay network for X -> master rule - HACK")
|
||||
if b.NetworkingIsIPAlias() || b.NetworkingIsGCERoutes() {
|
||||
// When using IP alias or custom routes, SourceTags for identifying traffic don't work, and we must recognize by CIDR
|
||||
|
||||
b.AddFirewallRulesTasks(c, "cidr-to-master", &gcetasks.FirewallRule{
|
||||
if b.Cluster.Spec.PodCIDR == "" {
|
||||
return fmt.Errorf("expected PodCIDR to be set for IPAlias / kubenet")
|
||||
}
|
||||
|
||||
c.AddTask(&gcetasks.FirewallRule{
|
||||
Name: s(b.SafeObjectName("pod-cidrs-to-node")),
|
||||
Lifecycle: b.Lifecycle,
|
||||
Network: b.LinkToNetwork(),
|
||||
SourceRanges: []string{b.Cluster.Spec.NonMasqueradeCIDR},
|
||||
TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleMaster)},
|
||||
Allowed: []string{"tcp:443", "tcp:4194"},
|
||||
SourceRanges: []string{b.Cluster.Spec.PodCIDR},
|
||||
TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleNode)},
|
||||
Allowed: []string{"tcp", "udp", "icmp", "esp", "ah", "sctp"},
|
||||
})
|
||||
}
|
||||
|
||||
return nil
|
||||
}
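Review bot: The new `pod-cidrs-to-node` rule replaces two removed rules, but only the node side is recreated; the removed `cidr-to-master` rule admitted tcp:443 and tcp:4194 from NonMasqueradeCIDR to masters, and nothing in the new code targets `kops.InstanceGroupRoleMaster`. The fixtures still list a `kubernetes-master-https` rule, so 443 is presumably covered elsewhere, but 4194 is not visibly covered anywhere — if pods must reach masters on that port under IPAlias/kubenet, a parallel `pod-cidrs-to-master` rule (or a comment stating why it is not needed) belongs here. The new rule is also registered with `c.AddTask` directly rather than through `b.AddFirewallRulesTasks`, which the removed rules used and which, judging by the dropped `cidr-to-node-ipv6` fixtures, also emitted the IPv6 variant; if bypassing the helper is deliberate, say so in the comment above the call. The enclosing Build function begins in an earlier hunk.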
|
||||
|
||||
|
|
|
|||
|
|
@ -266,90 +266,6 @@ resource "google_compute_disk" "d3-etcd-main-ha-gce-example-com" {
|
|||
zone = "us-test1-c"
|
||||
}
|
||||
|
||||
resource "google_compute_firewall" "cidr-to-master-ha-gce-example-com" {
|
||||
allow {
|
||||
ports = ["443"]
|
||||
protocol = "tcp"
|
||||
}
|
||||
allow {
|
||||
ports = ["4194"]
|
||||
protocol = "tcp"
|
||||
}
|
||||
disabled = false
|
||||
name = "cidr-to-master-ha-gce-example-com"
|
||||
network = google_compute_network.default.name
|
||||
source_ranges = ["100.64.0.0/10"]
|
||||
target_tags = ["ha-gce-example-com-k8s-io-role-master"]
|
||||
}
|
||||
|
||||
resource "google_compute_firewall" "cidr-to-master-ipv6-ha-gce-example-com" {
|
||||
allow {
|
||||
ports = ["443"]
|
||||
protocol = "tcp"
|
||||
}
|
||||
allow {
|
||||
ports = ["4194"]
|
||||
protocol = "tcp"
|
||||
}
|
||||
disabled = true
|
||||
name = "cidr-to-master-ipv6-ha-gce-example-com"
|
||||
network = google_compute_network.default.name
|
||||
source_ranges = ["::/0"]
|
||||
target_tags = ["ha-gce-example-com-k8s-io-role-master"]
|
||||
}
|
||||
|
||||
resource "google_compute_firewall" "cidr-to-node-ha-gce-example-com" {
|
||||
allow {
|
||||
protocol = "tcp"
|
||||
}
|
||||
allow {
|
||||
protocol = "udp"
|
||||
}
|
||||
allow {
|
||||
protocol = "icmp"
|
||||
}
|
||||
allow {
|
||||
protocol = "esp"
|
||||
}
|
||||
allow {
|
||||
protocol = "ah"
|
||||
}
|
||||
allow {
|
||||
protocol = "sctp"
|
||||
}
|
||||
disabled = false
|
||||
name = "cidr-to-node-ha-gce-example-com"
|
||||
network = google_compute_network.default.name
|
||||
source_ranges = ["100.64.0.0/10"]
|
||||
target_tags = ["ha-gce-example-com-k8s-io-role-node"]
|
||||
}
|
||||
|
||||
resource "google_compute_firewall" "cidr-to-node-ipv6-ha-gce-example-com" {
|
||||
allow {
|
||||
protocol = "tcp"
|
||||
}
|
||||
allow {
|
||||
protocol = "udp"
|
||||
}
|
||||
allow {
|
||||
protocol = "icmp"
|
||||
}
|
||||
allow {
|
||||
protocol = "esp"
|
||||
}
|
||||
allow {
|
||||
protocol = "ah"
|
||||
}
|
||||
allow {
|
||||
protocol = "sctp"
|
||||
}
|
||||
disabled = true
|
||||
name = "cidr-to-node-ipv6-ha-gce-example-com"
|
||||
network = google_compute_network.default.name
|
||||
source_ranges = ["::/0"]
|
||||
target_tags = ["ha-gce-example-com-k8s-io-role-node"]
|
||||
}
|
||||
|
||||
resource "google_compute_firewall" "kubernetes-master-https-ha-gce-example-com" {
|
||||
allow {
|
||||
ports = ["443"]
|
||||
|
|
|
|||
|
|
@ -202,90 +202,6 @@ resource "google_compute_disk" "d1-etcd-main-minimal-gce-example-com" {
|
|||
zone = "us-test1-a"
|
||||
}
|
||||
|
||||
resource "google_compute_firewall" "cidr-to-master-ipv6-minimal-gce-example-com" {
|
||||
allow {
|
||||
ports = ["443"]
|
||||
protocol = "tcp"
|
||||
}
|
||||
allow {
|
||||
ports = ["4194"]
|
||||
protocol = "tcp"
|
||||
}
|
||||
disabled = true
|
||||
name = "cidr-to-master-ipv6-minimal-gce-example-com"
|
||||
network = google_compute_network.default.name
|
||||
source_ranges = ["::/0"]
|
||||
target_tags = ["minimal-gce-example-com-k8s-io-role-master"]
|
||||
}
|
||||
|
||||
resource "google_compute_firewall" "cidr-to-master-minimal-gce-example-com" {
|
||||
allow {
|
||||
ports = ["443"]
|
||||
protocol = "tcp"
|
||||
}
|
||||
allow {
|
||||
ports = ["4194"]
|
||||
protocol = "tcp"
|
||||
}
|
||||
disabled = false
|
||||
name = "cidr-to-master-minimal-gce-example-com"
|
||||
network = google_compute_network.default.name
|
||||
source_ranges = ["100.64.0.0/10"]
|
||||
target_tags = ["minimal-gce-example-com-k8s-io-role-master"]
|
||||
}
|
||||
|
||||
resource "google_compute_firewall" "cidr-to-node-ipv6-minimal-gce-example-com" {
|
||||
allow {
|
||||
protocol = "tcp"
|
||||
}
|
||||
allow {
|
||||
protocol = "udp"
|
||||
}
|
||||
allow {
|
||||
protocol = "icmp"
|
||||
}
|
||||
allow {
|
||||
protocol = "esp"
|
||||
}
|
||||
allow {
|
||||
protocol = "ah"
|
||||
}
|
||||
allow {
|
||||
protocol = "sctp"
|
||||
}
|
||||
disabled = true
|
||||
name = "cidr-to-node-ipv6-minimal-gce-example-com"
|
||||
network = google_compute_network.default.name
|
||||
source_ranges = ["::/0"]
|
||||
target_tags = ["minimal-gce-example-com-k8s-io-role-node"]
|
||||
}
|
||||
|
||||
resource "google_compute_firewall" "cidr-to-node-minimal-gce-example-com" {
|
||||
allow {
|
||||
protocol = "tcp"
|
||||
}
|
||||
allow {
|
||||
protocol = "udp"
|
||||
}
|
||||
allow {
|
||||
protocol = "icmp"
|
||||
}
|
||||
allow {
|
||||
protocol = "esp"
|
||||
}
|
||||
allow {
|
||||
protocol = "ah"
|
||||
}
|
||||
allow {
|
||||
protocol = "sctp"
|
||||
}
|
||||
disabled = false
|
||||
name = "cidr-to-node-minimal-gce-example-com"
|
||||
network = google_compute_network.default.name
|
||||
source_ranges = ["100.64.0.0/10"]
|
||||
target_tags = ["minimal-gce-example-com-k8s-io-role-node"]
|
||||
}
|
||||
|
||||
resource "google_compute_firewall" "kubernetes-master-https-ipv6-minimal-gce-example-com" {
|
||||
allow {
|
||||
ports = ["443"]
|
||||
|
|
|
|||
|
|
@ -202,90 +202,6 @@ resource "google_compute_disk" "d1-etcd-main-minimal-gce-private-example-com" {
|
|||
zone = "us-test1-a"
|
||||
}
|
||||
|
||||
resource "google_compute_firewall" "cidr-to-master-ipv6-minimal-gce-private-example-com" {
|
||||
allow {
|
||||
ports = ["443"]
|
||||
protocol = "tcp"
|
||||
}
|
||||
allow {
|
||||
ports = ["4194"]
|
||||
protocol = "tcp"
|
||||
}
|
||||
disabled = true
|
||||
name = "cidr-to-master-ipv6-minimal-gce-private-example-com"
|
||||
network = google_compute_network.default.name
|
||||
source_ranges = ["::/0"]
|
||||
target_tags = ["minimal-gce-private-example-com-k8s-io-role-master"]
|
||||
}
|
||||
|
||||
resource "google_compute_firewall" "cidr-to-master-minimal-gce-private-example-com" {
|
||||
allow {
|
||||
ports = ["443"]
|
||||
protocol = "tcp"
|
||||
}
|
||||
allow {
|
||||
ports = ["4194"]
|
||||
protocol = "tcp"
|
||||
}
|
||||
disabled = false
|
||||
name = "cidr-to-master-minimal-gce-private-example-com"
|
||||
network = google_compute_network.default.name
|
||||
source_ranges = ["100.64.0.0/10"]
|
||||
target_tags = ["minimal-gce-private-example-com-k8s-io-role-master"]
|
||||
}
|
||||
|
||||
resource "google_compute_firewall" "cidr-to-node-ipv6-minimal-gce-private-example-com" {
|
||||
allow {
|
||||
protocol = "tcp"
|
||||
}
|
||||
allow {
|
||||
protocol = "udp"
|
||||
}
|
||||
allow {
|
||||
protocol = "icmp"
|
||||
}
|
||||
allow {
|
||||
protocol = "esp"
|
||||
}
|
||||
allow {
|
||||
protocol = "ah"
|
||||
}
|
||||
allow {
|
||||
protocol = "sctp"
|
||||
}
|
||||
disabled = true
|
||||
name = "cidr-to-node-ipv6-minimal-gce-private-example-com"
|
||||
network = google_compute_network.default.name
|
||||
source_ranges = ["::/0"]
|
||||
target_tags = ["minimal-gce-private-example-com-k8s-io-role-node"]
|
||||
}
|
||||
|
||||
resource "google_compute_firewall" "cidr-to-node-minimal-gce-private-example-com" {
|
||||
allow {
|
||||
protocol = "tcp"
|
||||
}
|
||||
allow {
|
||||
protocol = "udp"
|
||||
}
|
||||
allow {
|
||||
protocol = "icmp"
|
||||
}
|
||||
allow {
|
||||
protocol = "esp"
|
||||
}
|
||||
allow {
|
||||
protocol = "ah"
|
||||
}
|
||||
allow {
|
||||
protocol = "sctp"
|
||||
}
|
||||
disabled = false
|
||||
name = "cidr-to-node-minimal-gce-private-example-com"
|
||||
network = google_compute_network.default.name
|
||||
source_ranges = ["100.64.0.0/10"]
|
||||
target_tags = ["minimal-gce-private-example-com-k8s-io-role-node"]
|
||||
}
|
||||
|
||||
resource "google_compute_firewall" "kubernetes-master-https-ipv6-minimal-gce-private-example-com" {
|
||||
allow {
|
||||
ports = ["443"]
|
||||
|
|
|
|||