kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

gce: open node->master ports for calico and cilium 

We're taking the opportunity to pursue a locked-down model, but this
means we need to open ports explicitly.
This commit is contained in:
justinsb 2021-10-25 08:16:28 -04:00
parent 59d6174eb2
commit caff7e36ad
4 changed files with 25 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
pkg/model/BUILD.bazel generated
View File

@ -23,6 +23,7 @@ go_library(
"//pkg/apis/kops/util:go_default_library", "//pkg/apis/kops/util:go_default_library",
"//pkg/apis/kops/v1alpha2:go_default_library", "//pkg/apis/kops/v1alpha2:go_default_library",
"//pkg/apis/nodeup:go_default_library", "//pkg/apis/nodeup:go_default_library",
"//pkg/dns:go_default_library",
"//pkg/kopscodecs:go_default_library", "//pkg/kopscodecs:go_default_library",
"//pkg/model/components:go_default_library", "//pkg/model/components:go_default_library",
"//pkg/model/iam:go_default_library", "//pkg/model/iam:go_default_library",

11
pkg/model/context.go
View File

@ -24,6 +24,7 @@ import (
"k8s.io/kops/pkg/apis/kops" "k8s.io/kops/pkg/apis/kops"
"k8s.io/kops/pkg/apis/kops/model" "k8s.io/kops/pkg/apis/kops/model"
"k8s.io/kops/pkg/apis/kops/util" "k8s.io/kops/pkg/apis/kops/util"
"k8s.io/kops/pkg/dns"
"k8s.io/kops/pkg/model/components" "k8s.io/kops/pkg/model/components"
"k8s.io/kops/pkg/model/iam" "k8s.io/kops/pkg/model/iam"
nodeidentityaws "k8s.io/kops/pkg/nodeidentity/aws" nodeidentityaws "k8s.io/kops/pkg/nodeidentity/aws"
@ -402,3 +403,13 @@ func (b *KopsModelContext) UseServiceAccountExternalPermissions() bool {
func (b *KopsModelContext) NetworkingIsCalico() bool { func (b *KopsModelContext) NetworkingIsCalico() bool {
return b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Calico != nil return b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Calico != nil
} }
// NetworkingIsCilium returns true if we are using cilium networking
func (b *KopsModelContext) NetworkingIsCilium() bool {
return b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Cilium != nil
}
// IsGossip returns true if we are using gossip instead of "real" DNS
func (b *KopsModelContext) IsGossip() bool {
return dns.IsGossipHostname(b.Cluster.Name)
}

10
pkg/model/gcemodel/firewall.go
View File

@ -97,6 +97,16 @@ func (b *FirewallModelBuilder) Build(c *fi.ModelBuilderContext) error {
fmt.Sprintf("tcp:%d", wellknownports.KopsControllerPort), fmt.Sprintf("tcp:%d", wellknownports.KopsControllerPort),
}, },
} }
if b.IsGossip() {
t.Allowed = append(t.Allowed, fmt.Sprintf("udp:%d", wellknownports.DNSControllerGossipMemberlist))
t.Allowed = append(t.Allowed, fmt.Sprintf("udp:%d", wellknownports.ProtokubeGossipMemberlist))
}
if b.NetworkingIsCalico() {
t.Allowed = append(t.Allowed, "ipip")
}
if b.NetworkingIsCilium() {
t.Allowed = append(t.Allowed, fmt.Sprintf("udp:%d", wellknownports.VxlanUDP))
}
c.AddTask(t) c.AddTask(t)
} }

3
pkg/wellknownports/wellknownports.go
View File

@ -66,6 +66,9 @@ const (
// CiliumHubblePrometheusPort is the default port where Hubble exposes metrics // CiliumHubblePrometheusPort is the default port where Hubble exposes metrics
CiliumHubblePrometheusPort = 9091 CiliumHubblePrometheusPort = 9091
// VxlanUDP is the port used by VXLAN tunneling over UDP
VxlanUDP = 8472
) )
type PortRange struct { type PortRange struct {