Merge pull request #15955 from justinsb/gce_network_tags_work_with_ipv6

gce ipv6: we can use network tags with ipv6 addresses
2023-09-23 12:52:55 -07:00 · 2023-09-23 12:52:55 -07:00 · d82d574dbe
parent c30f1827ae 4557f9b655
commit d82d574dbe
1 changed files with 18 additions and 14 deletions
--- a/pkg/model/gcemodel/firewall.go
+++ b/pkg/model/gcemodel/firewall.go
@ -156,23 +156,27 @@ func (b *FirewallModelBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 	}

 	if b.NetworkingIsIPAlias() || b.NetworkingIsGCERoutes() {
-		// When using IP alias or custom routes, SourceTags for identifying traffic don't work, and we must recognize by CIDR
+		if b.IsIPv6Only() {
+			// We can use tags for IPv6, and this is covered by prior rules
+		} else {
+			// When using IP alias or custom routes, SourceTags for identifying traffic don't work, and we must recognize by CIDR

-		if b.Cluster.Spec.Networking.PodCIDR == "" {
-			return fmt.Errorf("expected PodCIDR to be set for IPAlias / kubenet")
-		}
+			if b.Cluster.Spec.Networking.PodCIDR == "" {
+				return fmt.Errorf("expected PodCIDR to be set for IPAlias / kubenet")
+			}

-		network, err := b.LinkToNetwork()
-		if err != nil {
-			return err
+			network, err := b.LinkToNetwork()
+			if err != nil {
+				return err
+			}
+			b.AddFirewallRulesTasks(c, "pod-cidrs-to-node", &gcetasks.FirewallRule{
+				Lifecycle:    b.Lifecycle,
+				Network:      network,
+				SourceRanges: []string{b.Cluster.Spec.Networking.PodCIDR},
+				TargetTags:   []string{b.GCETagForRole(kops.InstanceGroupRoleNode)},
+				Allowed:      allProtocols,
+			})
 		}
-		b.AddFirewallRulesTasks(c, "pod-cidrs-to-node", &gcetasks.FirewallRule{
-			Lifecycle:    b.Lifecycle,
-			Network:      network,
-			SourceRanges: []string{b.Cluster.Spec.Networking.PodCIDR},
-			TargetTags:   []string{b.GCETagForRole(kops.InstanceGroupRoleNode)},
-			Allowed:      allProtocols,
-		})
 	}

 	return nil