From a52f1e7342f8bbd956387b92ec6b2c0f87267af4 Mon Sep 17 00:00:00 2001
From: Justin Santa Barbara
Date: Tue, 3 Jan 2017 10:28:08 -0500
Subject: [PATCH] Security rules for calico & weave

---
 pkg/model/firewall.go | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/pkg/model/firewall.go b/pkg/model/firewall.go
index 98033adc1c..35c6058b88 100644
--- a/pkg/model/firewall.go
+++ b/pkg/model/firewall.go
@@ -80,6 +80,7 @@ func (b *FirewallModelBuilder) buildNodeRules(c *fi.ModelBuilderContext) error {
 	udpPorts := []int64{}
 	tcpPorts := []int64{}
+	protocols := []string{}
 	// allow access to API
 	tcpPorts = append(tcpPorts, 443)
@@ -94,8 +95,15 @@ func (b *FirewallModelBuilder) buildNodeRules(c *fi.ModelBuilderContext) error {
 		}
 		if b.Cluster.Spec.Networking.Weave != nil {
-			// VXLAN over UDP
-			udpPorts = append(udpPorts, 4789)
+			udpPorts = append(udpPorts, 6783)
+			tcpPorts = append(tcpPorts, 6783)
+			udpPorts = append(udpPorts, 6784)
+		}
+
+		if b.Cluster.Spec.Networking.Calico != nil {
+			tcpPorts = append(tcpPorts, 179)
+			// Protocol 4 is IPIP
+			protocols = append(protocols, "4")
 		}
 	}
@@ -119,6 +127,14 @@ func (b *FirewallModelBuilder) buildNodeRules(c *fi.ModelBuilderContext) error {
 			Protocol: s("tcp"),
 		})
 	}
+	for _, protocol := range protocols {
+		c.AddTask(&awstasks.SecurityGroupRule{
+			Name: s(fmt.Sprintf("node-to-master-protocol-%s", protocol)),
+			SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleMaster),
+			SourceGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleNode),
+			Protocol: s(protocol),
+		})
+	}
 	return nil
 }
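Review bot: The Weave branch in the second hunk drops the only comment that explained why a port is opened (`// VXLAN over UDP`) and replaces it with three bare appends, so a reader auditing the security-group rules cannot tell what 6783/tcp, 6783/udp and 6784/udp are for without consulting Weave's docs. Each opened port in a firewall model is a security decision and should carry its justification inline, as the Calico branch already does for protocol 4. I would add `// Weave control plane (TCP 6783) and sleeve data path (UDP 6783)` above the first two appends and `// Weave fastdp data path (VXLAN over UDP 6784)` above the third, and likewise `// Calico BGP peering between nodes` above the 179 append. buildNodeRules begins before the first hunk and its rule-emitting loops for tcpPorts/udpPorts lie outside this hunk.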
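Review bot: The new protocols loop in the third hunk only emits a node-to-master rule, while the Calico branch that feeds it opens IPIP for pod-to-pod traffic that also has to flow node-to-node (and, for encapsulated traffic to master-hosted pods, master-to-node). The node-to-node rules for this builder are not visible in the hunk, so I cannot confirm from here whether they are derived from tcpPorts/udpPorts alone; if they are, protocol 4 would be permitted only toward masters and Calico IPIP between workers would be silently blocked by the security group. Worth checking the sibling rule set and, if needed, iterating `protocols` there too with a parallel name such as `node-to-node-protocol-%s`. Note also that these rules carry no FromPort/ToPort, which is correct for a non-TCP/UDP protocol but means the rule is "all IPIP from the node group"; a short comment stating that on the loop (`// protocol-level rules have no port range; they admit all traffic of that protocol from nodes`) would make the intent explicit to the next reviewer.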