Use SG to SG rule for cni tcp/udp rules

2020-08-07 09:26:31 +02:00 · 2020-08-07 09:26:31 +02:00 · 84d2dcb624
parent c5ddd3885c
commit 84d2dcb624
1 changed files with 23 additions and 20 deletions
--- a/pkg/model/openstackmodel/firewall.go
+++ b/pkg/model/openstackmodel/firewall.go
@ -369,8 +369,8 @@ func (b *FirewallModelBuilder) addCNIRules(c *fi.ModelBuilderContext, sgMap map[
 		}
 		if b.Cluster.Spec.Networking.Cilium != nil {
-			udpPorts = append(udpPorts, 4789)
+			udpPorts = append(udpPorts, 8472)
-			tcpPorts = append(udpPorts, 4240)
+			tcpPorts = append(tcpPorts, 4240)
 		}
 		if b.Cluster.Spec.Networking.Weave != nil {
@ -407,30 +407,33 @@ func (b *FirewallModelBuilder) addCNIRules(c *fi.ModelBuilderContext, sgMap map[
 	for _, udpPort := range udpPorts {
 		udpRule := &openstacktasks.SecurityGroupRule{
-			Lifecycle:      b.Lifecycle,
+			Lifecycle:    b.Lifecycle,
-			Direction:      s(string(rules.DirIngress)),
+			Direction:    s(string(rules.DirIngress)),
-			Protocol:       s(string(rules.ProtocolUDP)),
+			Protocol:     s(string(rules.ProtocolUDP)),
-			EtherType:      s(string(rules.EtherType4)),
+			EtherType:    s(string(rules.EtherType4)),
-			PortRangeMin:   i(udpPort),
+			PortRangeMin: i(udpPort),
-			PortRangeMax:   i(udpPort),
+			PortRangeMax: i(udpPort),
 			RemoteIPPrefix: s(b.Cluster.Spec.NetworkCIDR),
 		}
-		addDirectionalGroupRule(c, masterSG, nil, udpRule)
+		addDirectionalGroupRule(c, masterSG, masterSG, udpRule)
-		addDirectionalGroupRule(c, nodeSG, nil, udpRule)
+		addDirectionalGroupRule(c, nodeSG, masterSG, udpRule)
 		addDirectionalGroupRule(c, masterSG, nodeSG, udpRule)
 		addDirectionalGroupRule(c, nodeSG, nodeSG, udpRule)
 	}
 	for _, tcpPort := range tcpPorts {
 		tcpRule := &openstacktasks.SecurityGroupRule{
-			Lifecycle:      b.Lifecycle,
+			Lifecycle:    b.Lifecycle,
-			Direction:      s(string(rules.DirIngress)),
+			Direction:    s(string(rules.DirIngress)),
-			Protocol:       s(string(rules.ProtocolTCP)),
+			Protocol:     s(string(rules.ProtocolTCP)),
-			EtherType:      s(string(rules.EtherType4)),
+			EtherType:    s(string(rules.EtherType4)),
-			PortRangeMin:   i(tcpPort),
+			PortRangeMin: i(tcpPort),
-			PortRangeMax:   i(tcpPort),
+			PortRangeMax: i(tcpPort),
 			RemoteIPPrefix: s(b.Cluster.Spec.NetworkCIDR),
 		}
-		addDirectionalGroupRule(c, masterSG, nil, tcpRule)
+		addDirectionalGroupRule(c, masterSG, masterSG, tcpRule)
-		addDirectionalGroupRule(c, nodeSG, nil, tcpRule)
+		addDirectionalGroupRule(c, nodeSG, masterSG, tcpRule)
 		addDirectionalGroupRule(c, masterSG, nodeSG, tcpRule)
 		addDirectionalGroupRule(c, nodeSG, nodeSG, tcpRule)
 	}
 	for _, protocol := range protocols {
 		protocolRule := &openstacktasks.SecurityGroupRule{
 			Lifecycle: b.Lifecycle,