gce: open node->master ports for calico and cilium

We're taking the opportunity to pursue a locked-down model, but this means we need to open ports explicitly.
2021-10-25 08:16:28 -04:00 · 2021-10-25 08:16:28 -04:00 · caff7e36ad
parent 59d6174eb2
commit caff7e36ad
4 changed files with 25 additions and 0 deletions
--- a/pkg/model/BUILD.bazel
+++ b/pkg/model/BUILD.bazel
@ -23,6 +23,7 @@ go_library(
        "//pkg/apis/kops/util:go_default_library",
        "//pkg/apis/kops/v1alpha2:go_default_library",
        "//pkg/apis/nodeup:go_default_library",
+        "//pkg/dns:go_default_library",
        "//pkg/kopscodecs:go_default_library",
        "//pkg/model/components:go_default_library",
        "//pkg/model/iam:go_default_library",
--- a/pkg/model/context.go
+++ b/pkg/model/context.go
@ -24,6 +24,7 @@ import (
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/apis/kops/model"
 	"k8s.io/kops/pkg/apis/kops/util"
+	"k8s.io/kops/pkg/dns"
 	"k8s.io/kops/pkg/model/components"
 	"k8s.io/kops/pkg/model/iam"
 	nodeidentityaws "k8s.io/kops/pkg/nodeidentity/aws"
@ -402,3 +403,13 @@ func (b *KopsModelContext) UseServiceAccountExternalPermissions() bool {
 func (b *KopsModelContext) NetworkingIsCalico() bool {
 	return b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Calico != nil
 }
+
+// NetworkingIsCilium returns true if we are using cilium networking
+func (b *KopsModelContext) NetworkingIsCilium() bool {
+	return b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Cilium != nil
+}
+
+// IsGossip returns true if we are using gossip instead of "real" DNS
+func (b *KopsModelContext) IsGossip() bool {
+	return dns.IsGossipHostname(b.Cluster.Name)
+}
--- a/pkg/model/gcemodel/firewall.go
+++ b/pkg/model/gcemodel/firewall.go
@ -97,6 +97,16 @@ func (b *FirewallModelBuilder) Build(c *fi.ModelBuilderContext) error {
 				fmt.Sprintf("tcp:%d", wellknownports.KopsControllerPort),
 			},
 		}
+		if b.IsGossip() {
+			t.Allowed = append(t.Allowed, fmt.Sprintf("udp:%d", wellknownports.DNSControllerGossipMemberlist))
+			t.Allowed = append(t.Allowed, fmt.Sprintf("udp:%d", wellknownports.ProtokubeGossipMemberlist))
+		}
+		if b.NetworkingIsCalico() {
+			t.Allowed = append(t.Allowed, "ipip")
+		}
+		if b.NetworkingIsCilium() {
+			t.Allowed = append(t.Allowed, fmt.Sprintf("udp:%d", wellknownports.VxlanUDP))
+		}
 		c.AddTask(t)
 	}

--- a/pkg/wellknownports/wellknownports.go
+++ b/pkg/wellknownports/wellknownports.go
@ -66,6 +66,9 @@ const (

 	// CiliumHubblePrometheusPort is the default port where Hubble exposes metrics
 	CiliumHubblePrometheusPort = 9091
+
+	// VxlanUDP is the port used by VXLAN tunneling over UDP
+	VxlanUDP = 8472
 )

 type PortRange struct {