From 4557f9b655b052f3836c1f508f8bb4d117ff1a68 Mon Sep 17 00:00:00 2001
From: justinsb
Date: Sat, 23 Sep 2023 08:39:30 -0400
Subject: [PATCH] gce ipv6: we can use network tags with ipv6 addresses

These work with IPv6, and this means we don't need to set up the (more fragile) CIDR based rules.
---
 pkg/model/gcemodel/firewall.go | 32 ++++++++++++++++++--------------
 1 file changed, 18 insertions(+), 14 deletions(-)

diff --git a/pkg/model/gcemodel/firewall.go b/pkg/model/gcemodel/firewall.go
index 3843eb743c..8fe8f8f19c 100644
--- a/pkg/model/gcemodel/firewall.go
+++ b/pkg/model/gcemodel/firewall.go
@@ -156,23 +156,27 @@ func (b *FirewallModelBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 }
 
 if b.NetworkingIsIPAlias() || b.NetworkingIsGCERoutes() {
- // When using IP alias or custom routes, SourceTags for identifying traffic don't work, and we must recognize by CIDR
+ if b.IsIPv6Only() {
+ // We can use tags for IPv6, and this is covered by prior rules
+ } else {
+ // When using IP alias or custom routes, SourceTags for identifying traffic don't work, and we must recognize by CIDR
 
- if b.Cluster.Spec.Networking.PodCIDR == "" {
- return fmt.Errorf("expected PodCIDR to be set for IPAlias / kubenet")
- }
+ if b.Cluster.Spec.Networking.PodCIDR == "" {
+ return fmt.Errorf("expected PodCIDR to be set for IPAlias / kubenet")
+ }
 
- network, err := b.LinkToNetwork()
- if err != nil {
- return err
+ network, err := b.LinkToNetwork()
+ if err != nil {
+ return err
+ }
+ b.AddFirewallRulesTasks(c, "pod-cidrs-to-node", &gcetasks.FirewallRule{
+ Lifecycle: b.Lifecycle,
+ Network: network,
+ SourceRanges: []string{b.Cluster.Spec.Networking.PodCIDR},
+ TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleNode)},
+ Allowed: allProtocols,
+ })
 }
- b.AddFirewallRulesTasks(c, "pod-cidrs-to-node", &gcetasks.FirewallRule{
- Lifecycle: b.Lifecycle,
- Network: network,
- SourceRanges: []string{b.Cluster.Spec.Networking.PodCIDR},
- TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleNode)},
- Allowed: allProtocols,
- })
 }
 
 return nil
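Review bot: The new `if b.IsIPv6Only() { ... } else { ... }` has an empty then-branch holding only a comment, which forces the whole existing CIDR block one level deeper and makes the diff larger than the logic change; inverting the condition keeps the happy path flat, e.g. `// IPv6-only clusters rely on the tag-based rules added above, so no CIDR rule is needed.` followed by `if !b.IsIPv6Only() {` around the unchanged body. The comment "this is covered by prior rules" is the only justification for not emitting "pod-cidrs-to-node" in the IPv6-only case, yet it does not say which rule covers pod-to-node traffic; since that rule is created earlier in Build, outside this hunk, naming it in the comment (`// covered by the <rule-name> tag-based rule above`) would let a reader verify that the IPv6 pod-to-node path is still permitted rather than silently dropped. It also seems worth a sentence noting why the change is gated on IPv6-only rather than on the presence of any IPv6 pod CIDR, as a dual-stack cluster with IP alias still goes through the CIDR branch. The enclosing Build function starts before and ends after this hunk.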