From caff7e36adfb65741512d8db4ece5db709bda2a1 Mon Sep 17 00:00:00 2001
From: justinsb
Date: Mon, 25 Oct 2021 08:16:28 -0400
Subject: [PATCH] gce: open node->master ports for calico and cilium

We're taking the opportunity to pursue a locked-down model, but this means we need to open ports explicitly.
---
 pkg/model/BUILD.bazel | 1 +
 pkg/model/context.go | 11 +++++++++++
 pkg/model/gcemodel/firewall.go | 10 ++++++++++
 pkg/wellknownports/wellknownports.go | 3 +++
 4 files changed, 25 insertions(+)

diff --git a/pkg/model/BUILD.bazel b/pkg/model/BUILD.bazel
index fb6773304a..229ae54a10 100644
--- a/pkg/model/BUILD.bazel
+++ b/pkg/model/BUILD.bazel
@@ -23,6 +23,7 @@ go_library(
         "//pkg/apis/kops/util:go_default_library",
         "//pkg/apis/kops/v1alpha2:go_default_library",
         "//pkg/apis/nodeup:go_default_library",
+        "//pkg/dns:go_default_library",
         "//pkg/kopscodecs:go_default_library",
         "//pkg/model/components:go_default_library",
         "//pkg/model/iam:go_default_library",
diff --git a/pkg/model/context.go b/pkg/model/context.go
index 8f0c0b88d8..1d590273b1 100644
--- a/pkg/model/context.go
+++ b/pkg/model/context.go
@@ -24,6 +24,7 @@ import (
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/apis/kops/model"
 	"k8s.io/kops/pkg/apis/kops/util"
+	"k8s.io/kops/pkg/dns"
 	"k8s.io/kops/pkg/model/components"
 	"k8s.io/kops/pkg/model/iam"
 	nodeidentityaws "k8s.io/kops/pkg/nodeidentity/aws"
@@ -402,3 +403,13 @@ func (b *KopsModelContext) UseServiceAccountExternalPermissions() bool {
 func (b *KopsModelContext) NetworkingIsCalico() bool {
 	return b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Calico != nil
 }
+
+// NetworkingIsCilium returns true if we are using cilium networking
+func (b *KopsModelContext) NetworkingIsCilium() bool {
+	return b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Cilium != nil
+}
+
+// IsGossip returns true if we are using gossip instead of "real" DNS
+func (b *KopsModelContext) IsGossip() bool {
+	return dns.IsGossipHostname(b.Cluster.Name)
+}
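Review bot: The doc comment on `IsGossip` does not say that the answer is derived solely from the cluster name, which now matters because the GCE firewall model opens extra UDP ports whenever it returns true; suggest `// IsGossip returns true if the cluster name denotes a gossip cluster (see dns.IsGossipHostname) rather than "real" DNS.` Both new comments also omit the terminating period that godoc convention expects, e.g. `// NetworkingIsCilium returns true if we are using cilium networking.` The comment preceding `NetworkingIsCalico` is outside this hunk, so its wording cannot be checked for consistency here.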
diff --git a/pkg/model/gcemodel/firewall.go b/pkg/model/gcemodel/firewall.go
index 468ee17ab9..c4d4ec3851 100644
--- a/pkg/model/gcemodel/firewall.go
+++ b/pkg/model/gcemodel/firewall.go
@@ -97,6 +97,16 @@ func (b *FirewallModelBuilder) Build(c *fi.ModelBuilderContext) error {
 				fmt.Sprintf("tcp:%d", wellknownports.KopsControllerPort),
 			},
 		}
+		if b.IsGossip() {
+			t.Allowed = append(t.Allowed, fmt.Sprintf("udp:%d", wellknownports.DNSControllerGossipMemberlist))
+			t.Allowed = append(t.Allowed, fmt.Sprintf("udp:%d", wellknownports.ProtokubeGossipMemberlist))
+		}
+		if b.NetworkingIsCalico() {
+			t.Allowed = append(t.Allowed, "ipip")
+		}
+		if b.NetworkingIsCilium() {
+			t.Allowed = append(t.Allowed, fmt.Sprintf("udp:%d", wellknownports.VxlanUDP))
+		}
 		c.AddTask(t)
 	}
diff --git a/pkg/wellknownports/wellknownports.go b/pkg/wellknownports/wellknownports.go
index df52b5b5ff..f1ef82a7b9 100644
--- a/pkg/wellknownports/wellknownports.go
+++ b/pkg/wellknownports/wellknownports.go
@@ -66,6 +66,9 @@ const (
 	// CiliumHubblePrometheusPort is the default port where Hubble exposes metrics
 	CiliumHubblePrometheusPort = 9091
+
+	// VxlanUDP is the port used by VXLAN tunneling over UDP
+	VxlanUDP = 8472
 )
 type PortRange struct {
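Review bot: The `"ipip"` allowance in the `NetworkingIsCalico()` branch is not tied to how Calico is configured to encapsulate, so it is opened for every Calico cluster whether or not the data path uses IPIP, while a Calico cluster running VXLAN would get nothing from this hunk because `VxlanUDP` is only appended under `NetworkingIsCilium()`. If the Calico networking spec exposes the encapsulation mode, gating on it would keep the node->master rule to the one protocol actually in use; otherwise the assumption should be stated, e.g. `// Calico is assumed to use IPIP encapsulation here; a VXLAN-mode Calico cluster would need udp:VxlanUDP instead`. `"ipip"` is also the only entry in `Allowed` without a `proto:port` form, so a brief comment that this is a protocol-only GCE allowance would help the next reader. `Build` begins and ends outside this hunk.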
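Review bot: The comment on `VxlanUDP` presents 8472 as "the port used by VXLAN tunneling over UDP", but 8472 is the Linux kernel's default VXLAN port rather than the IANA-registered VXLAN port (4789), and a generically named constant invites reuse by a component that expects the IANA value. Suggest `// VxlanUDP is the Linux-kernel default VXLAN port (8472); the IANA-assigned VXLAN port is 4789.` Since the only caller in this change is the Cilium branch of the GCE firewall model, either naming that use in the comment or giving the constant a Cilium-specific name would make the intended scope clear.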