From 45bc6a559dd936c5832f472106545b318fe0c524 Mon Sep 17 00:00:00 2001
From: Justin Santa Barbara
Date: Wed, 21 Mar 2018 20:12:15 -0400
Subject: [PATCH] Don't use ELB DNS name for internal ELBs

We introduced some new heuristics in #3941 that meant we would access private DNS names via the ELB's name, just as we do with gossip names. But it's also possible to set up a VPN or DirectConnect and access a private HostedZone directly, and in this case we don't want to use the ELB DNS Name.

We recognize this case because the ELB can be set to Internal (and probably should be, for minimal attack surface!)

We'll probably have to introduce a field for this, but hopefully this heuristic is sufficient to unblock the release.
---
 pkg/kubeconfig/create_kubecfg.go | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/pkg/kubeconfig/create_kubecfg.go b/pkg/kubeconfig/create_kubecfg.go
index 2f0c15bf44..f0fe516562 100644
--- a/pkg/kubeconfig/create_kubecfg.go
+++ b/pkg/kubeconfig/create_kubecfg.go
@@ -35,9 +35,26 @@ func BuildKubecfg(cluster *kops.Cluster, keyStore fi.Keystore, secretStore fi.Se
 	}
 	server := "https://" + master
-	topology := cluster.Spec.Topology
-	if dns.IsGossipHostname(master) || topology.DNS.Type == kops.DNSTypePrivate {
+	// We use the LoadBalancer where we know the master DNS name is otherwise unreachable
+	useELBName := false
+
+	// If the master DNS is a gossip DNS name; there's no way that name can resolve outside the cluster
+	if dns.IsGossipHostname(master) {
+		useELBName = true
+	}
+
+	// If the DNS is set up as a private HostedZone, but here we have to be
+	// careful that we aren't accessing the API over DirectConnect (or a VPN).
+	// We differentiate using the heuristic that if we have an internal ELB
+	// we are likely connected directly to the VPC.
+	privateDNS := cluster.Spec.Topology != nil && cluster.Spec.Topology.DNS.Type == kops.DNSTypePrivate
+	internalELB := cluster.Spec.API != nil && cluster.Spec.API.LoadBalancer != nil && cluster.Spec.API.LoadBalancer.Type == kops.LoadBalancerTypeInternal
+	if privateDNS && !internalELB {
+		useELBName = true
+	}
+
+	if useELBName {
 		ingresses, err := status.GetApiIngressStatus(cluster)
 		if err != nil {
 			return nil, fmt.Errorf("error getting ingress status: %v", err)