GCE: When using calico, need to open up ipip protocol

We need to open up the ipip protocol, which wasn't previously enabled.

Future work could construct the firewall rules in a common library,
and then adapt them to the various clouds.
This commit is contained in:
justinsb 2021-09-19 21:23:07 -04:00
parent 6be5fa97d3
commit e2f7895700
2 changed files with 15 additions and 4 deletions


@ -408,3 +408,8 @@ func (b *KopsModelContext) UseServiceAccountExternalPermissions() bool {
return b.Cluster.Spec.IAM != nil && return b.Cluster.Spec.IAM != nil &&
fi.BoolValue(b.Cluster.Spec.IAM.UseServiceAccountExternalPermissions) fi.BoolValue(b.Cluster.Spec.IAM.UseServiceAccountExternalPermissions)
} }
// NetworkingIsCalico returns true if we are using calico networking
func (b *KopsModelContext) NetworkingIsCalico() bool {
return b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Calico != nil
}


@ -38,6 +38,12 @@ var _ fi.ModelBuilder = &FirewallModelBuilder{}
func (b *FirewallModelBuilder) Build(c *fi.ModelBuilderContext) error { func (b *FirewallModelBuilder) Build(c *fi.ModelBuilderContext) error {
klog.Warningf("TODO: Harmonize gcemodel with awsmodel for firewall - GCE model is way too open") klog.Warningf("TODO: Harmonize gcemodel with awsmodel for firewall - GCE model is way too open")
allProtocols := []string{"tcp", "udp", "icmp", "esp", "ah", "sctp"}
if b.NetworkingIsCalico() {
allProtocols = append(allProtocols, "ipip")
}
// Allow all traffic from nodes -> nodes // Allow all traffic from nodes -> nodes
{ {
t := &gcetasks.FirewallRule{ t := &gcetasks.FirewallRule{
@ -46,7 +52,7 @@ func (b *FirewallModelBuilder) Build(c *fi.ModelBuilderContext) error {
Network: b.LinkToNetwork(), Network: b.LinkToNetwork(),
SourceTags: []string{b.GCETagForRole(kops.InstanceGroupRoleNode)}, SourceTags: []string{b.GCETagForRole(kops.InstanceGroupRoleNode)},
TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleNode)}, TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleNode)},
Allowed: []string{"tcp", "udp", "icmp", "esp", "ah", "sctp"}, Allowed: allProtocols,
} }
c.AddTask(t) c.AddTask(t)
} }
@ -59,7 +65,7 @@ func (b *FirewallModelBuilder) Build(c *fi.ModelBuilderContext) error {
Network: b.LinkToNetwork(), Network: b.LinkToNetwork(),
SourceTags: []string{b.GCETagForRole(kops.InstanceGroupRoleMaster)}, SourceTags: []string{b.GCETagForRole(kops.InstanceGroupRoleMaster)},
TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleMaster)}, TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleMaster)},
Allowed: []string{"tcp", "udp", "icmp", "esp", "ah", "sctp"}, Allowed: allProtocols,
} }
c.AddTask(t) c.AddTask(t)
} }
@ -72,7 +78,7 @@ func (b *FirewallModelBuilder) Build(c *fi.ModelBuilderContext) error {
Network: b.LinkToNetwork(), Network: b.LinkToNetwork(),
SourceTags: []string{b.GCETagForRole(kops.InstanceGroupRoleMaster)}, SourceTags: []string{b.GCETagForRole(kops.InstanceGroupRoleMaster)},
TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleNode)}, TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleNode)},
Allowed: []string{"tcp", "udp", "icmp", "esp", "ah", "sctp"}, Allowed: allProtocols,
} }
c.AddTask(t) c.AddTask(t)
} }
@ -103,7 +109,7 @@ func (b *FirewallModelBuilder) Build(c *fi.ModelBuilderContext) error {
Network: b.LinkToNetwork(), Network: b.LinkToNetwork(),
SourceRanges: []string{b.Cluster.Spec.PodCIDR}, SourceRanges: []string{b.Cluster.Spec.PodCIDR},
TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleNode)}, TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleNode)},
Allowed: []string{"tcp", "udp", "icmp", "esp", "ah", "sctp"}, Allowed: allProtocols,
}) })
} }
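Review bot: The single `allProtocols` slice is now assigned by reference to the `Allowed` field of four separate FirewallRule tasks (the lines that previously held their own literals, here and in the three preceding hunks), so any later in-place modification of one rule's `Allowed` would silently change the others; the old per-rule literals did not share storage. If the tasks are only read after Build, this is harmless, but giving each rule its own copy keeps the rules independent at no real cost, e.g. `Allowed: append([]string(nil), allProtocols...),` at each site. Separately, appending `ipip` to the shared list also widens the rule whose source is `b.Cluster.Spec.PodCIDR` rather than a node tag; if the IPIP tunnel only needs to be reachable node-to-node, consider adding `ipip` only to the tag-based rules, which would be consistent with the TODO above noting the GCE model is already too open — worth confirming against what calico actually requires here. A one-line comment on the append, `// calico's IPIP overlay encapsulates pod traffic between nodes, so the node firewall must pass protocol 4`, would record why this protocol is opened. Build's body continues outside the shown hunks.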