Don't use ELB DNS name for internal ELBs

We introduced some new heuristics in #3941 that meant we would access
private DNS names via the ELB's name, just as we do with gossip names.

But it's also possible to set up a VPN or DirectConnect and access a
private HostedZone directly, and in this case we don't want to use the
ELB DNS Name.  We recognize this case because the ELB can be set to
Internal (and probably should be, for minimal attack surface!).

We'll probably have to introduce a field for this, but hopefully this
heuristic is sufficient to unblock the release.
Justin Santa Barbara 2018-03-21 20:12:15 -04:00
parent bc56319d35
commit 45bc6a559d
1 changed files with 19 additions and 2 deletions


@ -35,9 +35,26 @@ func BuildKubecfg(cluster *kops.Cluster, keyStore fi.Keystore, secretStore fi.Se
}
server := "https://" + master
topology := cluster.Spec.Topology
if dns.IsGossipHostname(master) || topology.DNS.Type == kops.DNSTypePrivate {
// We use the LoadBalancer where we know the master DNS name is otherwise unreachable
useELBName := false
// If the master DNS is a gossip DNS name; there's no way that name can resolve outside the cluster
if dns.IsGossipHostname(master) {
useELBName = true
}
// If the DNS is set up as a private HostedZone, but here we have to be
// careful that we aren't accessing the API over DirectConnect (or a VPN).
// We differentiate using the heuristic that if we have an internal ELB
// we are likely connected directly to the VPC.
privateDNS := cluster.Spec.Topology != nil && cluster.Spec.Topology.DNS.Type == kops.DNSTypePrivate
internalELB := cluster.Spec.API != nil && cluster.Spec.API.LoadBalancer != nil && cluster.Spec.API.LoadBalancer.Type == kops.LoadBalancerTypeInternal
if privateDNS && !internalELB {
useELBName = true
}
if useELBName {
ingresses, err := status.GetApiIngressStatus(cluster)
if err != nil {
return nil, fmt.Errorf("error getting ingress status: %v", err)
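Review bot: With the old `topology.DNS.Type == kops.DNSTypePrivate` condition gone, the `topology := cluster.Spec.Topology` declaration just above the `if` no longer appears to be read anywhere in this hunk, while the new `privateDNS` line re-fetches `cluster.Spec.Topology` with its own nil check; either reuse the local (`privateDNS := topology != nil && topology.DNS.Type == kops.DNSTypePrivate`) or remove the declaration if nothing later in the function uses it, since Go will reject an unused variable. The comment beginning "If the DNS is set up as a private HostedZone, but here we have to be careful" reads as an unfinished sentence and should be reworded to state the rule directly. Because the internal-ELB heuristic now silently decides which endpoint is written into the kubeconfig, a log line recording which branch was taken (gossip, private DNS without internal ELB, or direct master name) would make an unreachable API server much easier to diagnose until the dedicated field mentioned in the commit message exists.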