Merge pull request #8921 from nvanheuverzwijn/bastion-additionnalSGs

Bastion additional SGs
Kubernetes Prow Robot 2020-04-16 09:36:46 -07:00 committed by GitHub
commit ea3e974d81
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 152 additions and 2 deletions


@ -73,6 +73,19 @@ spec:
bastionPublicName: bastion.mycluster.example.com
```
### Additional security groups to ELB
If you want to add security groups to the bastion ELB
```yaml
spec:
topology:
bastion:
bastionPublicName: bastion.mycluster.example.com
loadBalancer:
additionalSecurityGroups:
- "sg-***"
```
### Access when using gossip (k8s.local)
When using gossip mode, there is no DNS zone where we can configure a


@ -3419,6 +3419,13 @@ spec:
idle timeout
format: int64
type: integer
loadBalancer:
properties:
additionalSecurityGroups:
items:
type: string
type: array
type: object
type: object
dns:
description: DNS configures options relating to DNS, in particular


@ -20,4 +20,10 @@ type BastionSpec struct {
BastionPublicName string `json:"bastionPublicName,omitempty"`
// IdleTimeoutSeconds is the bastion's Loadbalancer idle timeout
IdleTimeoutSeconds *int64 `json:"idleTimeoutSeconds,omitempty"`
LoadBalancer *BastionLoadBalancerSpec `json:"loadBalancer,omitempty"`
}
type BastionLoadBalancerSpec struct {
AdditionalSecurityGroups []string `json:"additionalSecurityGroups,omitempty"`
}
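Review bot: The new `LoadBalancer` field, the `BastionLoadBalancerSpec` type and its `AdditionalSecurityGroups` field carry no doc comments, while `IdleTimeoutSeconds` directly above them does. Since the bastion load balancer is presumably the public entry point into a private-topology cluster, a reader should be told that these are IDs of pre-existing groups whose ingress rules will apply to the bastion alongside the group kops creates, and that kops attaches but does not manage them (the model builder marks them `Shared`). Suggested wording: `// LoadBalancer contains settings for the bastion's load balancer`, `// BastionLoadBalancerSpec configures the bastion's load balancer`, and `// AdditionalSecurityGroups lists the IDs of existing security groups to attach to the bastion load balancer in addition to the one kops creates`. None of the ten files in this commit touches API validation, so an empty or malformed entry is only caught when the cloud API rejects it; consider a non-empty check at validation time. The same comments apply to the v1alpha2 copy in the next file section.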


@ -19,5 +19,10 @@ package v1alpha2
type BastionSpec struct {
BastionPublicName string `json:"bastionPublicName,omitempty"`
// IdleTimeoutSeconds is the bastion's Loadbalancer idle timeout
IdleTimeoutSeconds *int64 `json:"idleTimeoutSeconds,omitempty"`
IdleTimeoutSeconds *int64 `json:"idleTimeoutSeconds,omitempty"`
LoadBalancer *BastionLoadBalancerSpec `json:"loadBalancer,omitempty"`
}
type BastionLoadBalancerSpec struct {
AdditionalSecurityGroups []string `json:"additionalSecurityGroups,omitempty"`
}


@ -113,6 +113,16 @@ func RegisterConversions(s *runtime.Scheme) error {
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*BastionLoadBalancerSpec)(nil), (*kops.BastionLoadBalancerSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1alpha2_BastionLoadBalancerSpec_To_kops_BastionLoadBalancerSpec(a.(*BastionLoadBalancerSpec), b.(*kops.BastionLoadBalancerSpec), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*kops.BastionLoadBalancerSpec)(nil), (*BastionLoadBalancerSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_kops_BastionLoadBalancerSpec_To_v1alpha2_BastionLoadBalancerSpec(a.(*kops.BastionLoadBalancerSpec), b.(*BastionLoadBalancerSpec), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*BastionSpec)(nil), (*kops.BastionSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1alpha2_BastionSpec_To_kops_BastionSpec(a.(*BastionSpec), b.(*kops.BastionSpec), scope)
}); err != nil {
@ -1190,9 +1200,38 @@ func Convert_kops_AwsAuthenticationSpec_To_v1alpha2_AwsAuthenticationSpec(in *ko
return autoConvert_kops_AwsAuthenticationSpec_To_v1alpha2_AwsAuthenticationSpec(in, out, s)
}
func autoConvert_v1alpha2_BastionLoadBalancerSpec_To_kops_BastionLoadBalancerSpec(in *BastionLoadBalancerSpec, out *kops.BastionLoadBalancerSpec, s conversion.Scope) error {
out.AdditionalSecurityGroups = in.AdditionalSecurityGroups
return nil
}
// Convert_v1alpha2_BastionLoadBalancerSpec_To_kops_BastionLoadBalancerSpec is an autogenerated conversion function.
func Convert_v1alpha2_BastionLoadBalancerSpec_To_kops_BastionLoadBalancerSpec(in *BastionLoadBalancerSpec, out *kops.BastionLoadBalancerSpec, s conversion.Scope) error {
return autoConvert_v1alpha2_BastionLoadBalancerSpec_To_kops_BastionLoadBalancerSpec(in, out, s)
}
func autoConvert_kops_BastionLoadBalancerSpec_To_v1alpha2_BastionLoadBalancerSpec(in *kops.BastionLoadBalancerSpec, out *BastionLoadBalancerSpec, s conversion.Scope) error {
out.AdditionalSecurityGroups = in.AdditionalSecurityGroups
return nil
}
// Convert_kops_BastionLoadBalancerSpec_To_v1alpha2_BastionLoadBalancerSpec is an autogenerated conversion function.
func Convert_kops_BastionLoadBalancerSpec_To_v1alpha2_BastionLoadBalancerSpec(in *kops.BastionLoadBalancerSpec, out *BastionLoadBalancerSpec, s conversion.Scope) error {
return autoConvert_kops_BastionLoadBalancerSpec_To_v1alpha2_BastionLoadBalancerSpec(in, out, s)
}
func autoConvert_v1alpha2_BastionSpec_To_kops_BastionSpec(in *BastionSpec, out *kops.BastionSpec, s conversion.Scope) error {
out.BastionPublicName = in.BastionPublicName
out.IdleTimeoutSeconds = in.IdleTimeoutSeconds
if in.LoadBalancer != nil {
in, out := &in.LoadBalancer, &out.LoadBalancer
*out = new(kops.BastionLoadBalancerSpec)
if err := Convert_v1alpha2_BastionLoadBalancerSpec_To_kops_BastionLoadBalancerSpec(*in, *out, s); err != nil {
return err
}
} else {
out.LoadBalancer = nil
}
return nil
}
@ -1204,6 +1243,15 @@ func Convert_v1alpha2_BastionSpec_To_kops_BastionSpec(in *BastionSpec, out *kops
func autoConvert_kops_BastionSpec_To_v1alpha2_BastionSpec(in *kops.BastionSpec, out *BastionSpec, s conversion.Scope) error {
out.BastionPublicName = in.BastionPublicName
out.IdleTimeoutSeconds = in.IdleTimeoutSeconds
if in.LoadBalancer != nil {
in, out := &in.LoadBalancer, &out.LoadBalancer
*out = new(BastionLoadBalancerSpec)
if err := Convert_kops_BastionLoadBalancerSpec_To_v1alpha2_BastionLoadBalancerSpec(*in, *out, s); err != nil {
return err
}
} else {
out.LoadBalancer = nil
}
return nil
}


@ -224,6 +224,27 @@ func (in *AwsAuthenticationSpec) DeepCopy() *AwsAuthenticationSpec {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *BastionLoadBalancerSpec) DeepCopyInto(out *BastionLoadBalancerSpec) {
*out = *in
if in.AdditionalSecurityGroups != nil {
in, out := &in.AdditionalSecurityGroups, &out.AdditionalSecurityGroups
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BastionLoadBalancerSpec.
func (in *BastionLoadBalancerSpec) DeepCopy() *BastionLoadBalancerSpec {
if in == nil {
return nil
}
out := new(BastionLoadBalancerSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *BastionSpec) DeepCopyInto(out *BastionSpec) {
*out = *in
@ -232,6 +253,11 @@ func (in *BastionSpec) DeepCopyInto(out *BastionSpec) {
*out = new(int64)
**out = **in
}
if in.LoadBalancer != nil {
in, out := &in.LoadBalancer, &out.LoadBalancer
*out = new(BastionLoadBalancerSpec)
(*in).DeepCopyInto(*out)
}
return
}


@ -240,6 +240,27 @@ func (in *AwsAuthenticationSpec) DeepCopy() *AwsAuthenticationSpec {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *BastionLoadBalancerSpec) DeepCopyInto(out *BastionLoadBalancerSpec) {
*out = *in
if in.AdditionalSecurityGroups != nil {
in, out := &in.AdditionalSecurityGroups, &out.AdditionalSecurityGroups
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BastionLoadBalancerSpec.
func (in *BastionLoadBalancerSpec) DeepCopy() *BastionLoadBalancerSpec {
if in == nil {
return nil
}
out := new(BastionLoadBalancerSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *BastionSpec) DeepCopyInto(out *BastionSpec) {
*out = *in
@ -248,6 +269,11 @@ func (in *BastionSpec) DeepCopyInto(out *BastionSpec) {
*out = new(int64)
**out = **in
}
if in.LoadBalancer != nil {
in, out := &in.LoadBalancer, &out.LoadBalancer
*out = new(BastionLoadBalancerSpec)
(*in).DeepCopyInto(*out)
}
return
}


@ -244,6 +244,21 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
Tags: tags,
}
// Add additional security groups to the ELB
if b.Cluster.Spec.Topology != nil && b.Cluster.Spec.Topology.Bastion != nil && b.Cluster.Spec.Topology.Bastion.LoadBalancer != nil && b.Cluster.Spec.Topology.Bastion.LoadBalancer.AdditionalSecurityGroups != nil {
for _, id := range b.Cluster.Spec.Topology.Bastion.LoadBalancer.AdditionalSecurityGroups {
t := &awstasks.SecurityGroup{
Name: fi.String(id),
Lifecycle: b.SecurityLifecycle,
ID: fi.String(id),
Shared: fi.Bool(true),
}
if err := c.EnsureTask(t); err != nil {
return err
}
elb.SecurityGroups = append(elb.SecurityGroups, t)
}
}
c.AddTask(elb)
}
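Review bot: The trailing `AdditionalSecurityGroups != nil` test in the guard is redundant, because ranging over a nil slice simply runs zero iterations, and the five-segment selector is then repeated in the `for` header; hoisting the pointer is clearer: `if lb := b.Cluster.Spec.Topology.Bastion.LoadBalancer; lb != nil {` followed by `for _, id := range lb.AdditionalSecurityGroups {`. Whether `Topology` and `Bastion` can still be nil at this point of `Build` is not visible here, as `Build` starts outside the hunk. The comment on the block could also state the security-relevant contract rather than restating the code: `// Attach user-supplied, pre-existing security groups to the bastion ELB by ID; Shared presumably means kops neither creates nor deletes them, but their ingress rules apply to the bastion alongside the group kops creates.` The expected Terraform output at the end of this commit shows the configured string emitted verbatim into `security_groups`, which is a further argument for validating entries at API-validation time, which no file in this commit does.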


@ -30,6 +30,10 @@ spec:
sshAccess:
- 0.0.0.0/0
topology:
bastion:
loadBalancer:
additionalSecurityGroups:
- sg-exampleid
masters: private
nodes: private
subnets:


@ -306,7 +306,7 @@ resource "aws_elb" "bastion-bastionuserdata-example-com" {
ssl_certificate_id = ""
}
name = "bastion-bastionuserdata-e-4grhsv"
security_groups = [aws_security_group.bastion-elb-bastionuserdata-example-com.id]
security_groups = [aws_security_group.bastion-elb-bastionuserdata-example-com.id, "sg-exampleid"]
subnets = [aws_subnet.utility-us-test-1a-bastionuserdata-example-com.id]
tags = {
"KubernetesCluster" = "bastionuserdata.example.com"