Removing unnecessary 443 ingress on nodes
This commit is contained in:
parent
f8a5abac56
commit
ec8091294a
@ -27,11 +27,10 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
IpProtocolTCP = string(rules.ProtocolTCP)
|
IPProtocolTCP = string(rules.ProtocolTCP)
|
||||||
IpProtocolUDP = string(rules.ProtocolUDP)
|
IPProtocolUDP = string(rules.ProtocolUDP)
|
||||||
IPV4 = string(rules.EtherType4)
|
IPV4 = string(rules.EtherType4)
|
||||||
ProtocolIPv4Encap = "4"
|
ProtocolIPEncap = "4" // IP in IPv4/IPv6
|
||||||
ProtocolIPIPEncap = "94"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// FirewallModelBuilder configures firewall network objects
|
// FirewallModelBuilder configures firewall network objects
|
||||||
|
|
@ -102,7 +101,7 @@ func (b *FirewallModelBuilder) addSSHRules(c *fi.ModelBuilderContext, sgMap map[
|
||||||
}
|
}
|
||||||
addDirectionalGroupRule(c, bastionSG, nil, sshRule)
|
addDirectionalGroupRule(c, bastionSG, nil, sshRule)
|
||||||
}
|
}
|
||||||
//Allpw ingress ssh from the bastion on the masters and nodes
|
//Allow ingress ssh from the bastion on the masters and nodes
|
||||||
addDirectionalGroupRule(c, masterSG, bastionSG, sshIngress)
|
addDirectionalGroupRule(c, masterSG, bastionSG, sshIngress)
|
||||||
addDirectionalGroupRule(c, nodeSG, bastionSG, sshIngress)
|
addDirectionalGroupRule(c, nodeSG, bastionSG, sshIngress)
|
||||||
} else {
|
} else {
|
||||||
|
|
@ -183,7 +182,7 @@ func (b *FirewallModelBuilder) addNodePortRules(c *fi.ModelBuilderContext, sgMap
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, protocol := range []string{IpProtocolTCP, IpProtocolUDP} {
|
for _, protocol := range []string{IPProtocolTCP, IPProtocolUDP} {
|
||||||
nodePortRule := &openstacktasks.SecurityGroupRule{
|
nodePortRule := &openstacktasks.SecurityGroupRule{
|
||||||
Lifecycle: b.Lifecycle,
|
Lifecycle: b.Lifecycle,
|
||||||
Direction: s(string(rules.DirIngress)),
|
Direction: s(string(rules.DirIngress)),
|
||||||
|
|
@ -212,7 +211,7 @@ func (b *FirewallModelBuilder) addHTTPSRules(c *fi.ModelBuilderContext, sgMap ma
|
||||||
httpsIngress := &openstacktasks.SecurityGroupRule{
|
httpsIngress := &openstacktasks.SecurityGroupRule{
|
||||||
Lifecycle: b.Lifecycle,
|
Lifecycle: b.Lifecycle,
|
||||||
Direction: s(string(rules.DirIngress)),
|
Direction: s(string(rules.DirIngress)),
|
||||||
Protocol: s(IpProtocolTCP),
|
Protocol: s(IPProtocolTCP),
|
||||||
EtherType: s(IPV4),
|
EtherType: s(IPV4),
|
||||||
PortRangeMin: i(443),
|
PortRangeMin: i(443),
|
||||||
PortRangeMax: i(443),
|
PortRangeMax: i(443),
|
||||||
|
|
@ -221,8 +220,6 @@ func (b *FirewallModelBuilder) addHTTPSRules(c *fi.ModelBuilderContext, sgMap ma
|
||||||
//Allow all local communication for kubernetes.svc and to the api.internal lb/gossip for kubelet's
|
//Allow all local communication for kubernetes.svc and to the api.internal lb/gossip for kubelet's
|
||||||
addDirectionalGroupRule(c, masterSG, nodeSG, httpsIngress)
|
addDirectionalGroupRule(c, masterSG, nodeSG, httpsIngress)
|
||||||
addDirectionalGroupRule(c, masterSG, masterSG, httpsIngress)
|
addDirectionalGroupRule(c, masterSG, masterSG, httpsIngress)
|
||||||
addDirectionalGroupRule(c, nodeSG, masterSG, httpsIngress)
|
|
||||||
addDirectionalGroupRule(c, nodeSG, nodeSG, httpsIngress)
|
|
||||||
|
|
||||||
if b.UseLoadBalancerForAPI() {
|
if b.UseLoadBalancerForAPI() {
|
||||||
//Allow API Access to the lb sg
|
//Allow API Access to the lb sg
|
||||||
|
|
@ -230,7 +227,7 @@ func (b *FirewallModelBuilder) addHTTPSRules(c *fi.ModelBuilderContext, sgMap ma
|
||||||
addDirectionalGroupRule(c, lbSG, nil, &openstacktasks.SecurityGroupRule{
|
addDirectionalGroupRule(c, lbSG, nil, &openstacktasks.SecurityGroupRule{
|
||||||
Lifecycle: b.Lifecycle,
|
Lifecycle: b.Lifecycle,
|
||||||
Direction: s(string(rules.DirIngress)),
|
Direction: s(string(rules.DirIngress)),
|
||||||
Protocol: s(IpProtocolTCP),
|
Protocol: s(IPProtocolTCP),
|
||||||
EtherType: s(IPV4),
|
EtherType: s(IPV4),
|
||||||
PortRangeMin: i(443),
|
PortRangeMin: i(443),
|
||||||
PortRangeMax: i(443),
|
PortRangeMax: i(443),
|
||||||
|
|
@ -245,7 +242,7 @@ func (b *FirewallModelBuilder) addHTTPSRules(c *fi.ModelBuilderContext, sgMap ma
|
||||||
addDirectionalGroupRule(c, masterSG, nil, &openstacktasks.SecurityGroupRule{
|
addDirectionalGroupRule(c, masterSG, nil, &openstacktasks.SecurityGroupRule{
|
||||||
Lifecycle: b.Lifecycle,
|
Lifecycle: b.Lifecycle,
|
||||||
Direction: s(string(rules.DirIngress)),
|
Direction: s(string(rules.DirIngress)),
|
||||||
Protocol: s(IpProtocolTCP),
|
Protocol: s(IPProtocolTCP),
|
||||||
EtherType: s(IPV4),
|
EtherType: s(IPV4),
|
||||||
PortRangeMin: i(443),
|
PortRangeMin: i(443),
|
||||||
PortRangeMax: i(443),
|
PortRangeMax: i(443),
|
||||||
|
|
@ -260,7 +257,7 @@ func (b *FirewallModelBuilder) addHTTPSRules(c *fi.ModelBuilderContext, sgMap ma
|
||||||
addDirectionalGroupRule(c, masterSG, nil, &openstacktasks.SecurityGroupRule{
|
addDirectionalGroupRule(c, masterSG, nil, &openstacktasks.SecurityGroupRule{
|
||||||
Lifecycle: b.Lifecycle,
|
Lifecycle: b.Lifecycle,
|
||||||
Direction: s(string(rules.DirIngress)),
|
Direction: s(string(rules.DirIngress)),
|
||||||
Protocol: s(IpProtocolTCP),
|
Protocol: s(IPProtocolTCP),
|
||||||
EtherType: s(IPV4),
|
EtherType: s(IPV4),
|
||||||
PortRangeMin: i(443),
|
PortRangeMin: i(443),
|
||||||
PortRangeMax: i(443),
|
PortRangeMax: i(443),
|
||||||
|
|
@ -285,7 +282,7 @@ func (b *FirewallModelBuilder) addKubeletRules(c *fi.ModelBuilderContext, sgMap
|
||||||
addDirectionalGroupRule(c, sgName, nil, &openstacktasks.SecurityGroupRule{
|
addDirectionalGroupRule(c, sgName, nil, &openstacktasks.SecurityGroupRule{
|
||||||
Lifecycle: b.Lifecycle,
|
Lifecycle: b.Lifecycle,
|
||||||
Direction: s(string(rules.DirIngress)),
|
Direction: s(string(rules.DirIngress)),
|
||||||
Protocol: s(IpProtocolTCP),
|
Protocol: s(IPProtocolTCP),
|
||||||
EtherType: s(IPV4),
|
EtherType: s(IPV4),
|
||||||
PortRangeMin: i(10250),
|
PortRangeMin: i(10250),
|
||||||
PortRangeMax: i(10250),
|
PortRangeMax: i(10250),
|
||||||
|
|
@ -303,7 +300,7 @@ func (b *FirewallModelBuilder) addDNSRules(c *fi.ModelBuilderContext, sgMap map[
|
||||||
nodeName := b.SecurityGroupName(kops.InstanceGroupRoleNode)
|
nodeName := b.SecurityGroupName(kops.InstanceGroupRoleNode)
|
||||||
masterSG := sgMap[masterName]
|
masterSG := sgMap[masterName]
|
||||||
nodeSG := sgMap[nodeName]
|
nodeSG := sgMap[nodeName]
|
||||||
for _, protocol := range []string{IpProtocolTCP, IpProtocolUDP} {
|
for _, protocol := range []string{IPProtocolTCP, IPProtocolUDP} {
|
||||||
dnsRule := &openstacktasks.SecurityGroupRule{
|
dnsRule := &openstacktasks.SecurityGroupRule{
|
||||||
Lifecycle: b.Lifecycle,
|
Lifecycle: b.Lifecycle,
|
||||||
Direction: s(string(rules.DirIngress)),
|
Direction: s(string(rules.DirIngress)),
|
||||||
|
|
@ -332,6 +329,7 @@ func (b *FirewallModelBuilder) addCNIRules(c *fi.ModelBuilderContext, sgMap map[
|
||||||
if b.Cluster.Spec.Networking != nil {
|
if b.Cluster.Spec.Networking != nil {
|
||||||
if b.Cluster.Spec.Networking.Kopeio != nil {
|
if b.Cluster.Spec.Networking.Kopeio != nil {
|
||||||
// VXLAN over UDP
|
// VXLAN over UDP
|
||||||
|
// https://tools.ietf.org/html/rfc7348
|
||||||
udpPorts = append(udpPorts, 4789)
|
udpPorts = append(udpPorts, 4789)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -339,7 +337,7 @@ func (b *FirewallModelBuilder) addCNIRules(c *fi.ModelBuilderContext, sgMap map[
|
||||||
udpPorts = append(udpPorts, 6783)
|
udpPorts = append(udpPorts, 6783)
|
||||||
tcpPorts = append(tcpPorts, 6783)
|
tcpPorts = append(tcpPorts, 6783)
|
||||||
udpPorts = append(udpPorts, 6784)
|
udpPorts = append(udpPorts, 6784)
|
||||||
protocols = append(protocols, ProtocolIPv4Encap)
|
protocols = append(protocols, ProtocolIPEncap)
|
||||||
}
|
}
|
||||||
|
|
||||||
if b.Cluster.Spec.Networking.Flannel != nil {
|
if b.Cluster.Spec.Networking.Flannel != nil {
|
||||||
|
|
@ -347,7 +345,7 @@ func (b *FirewallModelBuilder) addCNIRules(c *fi.ModelBuilderContext, sgMap map[
|
||||||
case "", "udp":
|
case "", "udp":
|
||||||
udpPorts = append(udpPorts, 8285)
|
udpPorts = append(udpPorts, 8285)
|
||||||
case "vxlan":
|
case "vxlan":
|
||||||
protocols = append(protocols, ProtocolIPv4Encap)
|
protocols = append(protocols, ProtocolIPEncap)
|
||||||
udpPorts = append(udpPorts, 8472)
|
udpPorts = append(udpPorts, 8472)
|
||||||
default:
|
default:
|
||||||
glog.Warningf("unknown flannel networking backend %q", b.Cluster.Spec.Networking.Flannel.Backend)
|
glog.Warningf("unknown flannel networking backend %q", b.Cluster.Spec.Networking.Flannel.Backend)
|
||||||
|
|
@ -356,7 +354,7 @@ func (b *FirewallModelBuilder) addCNIRules(c *fi.ModelBuilderContext, sgMap map[
|
||||||
|
|
||||||
if b.Cluster.Spec.Networking.Calico != nil {
|
if b.Cluster.Spec.Networking.Calico != nil {
|
||||||
tcpPorts = append(tcpPorts, 179)
|
tcpPorts = append(tcpPorts, 179)
|
||||||
protocols = append(protocols, ProtocolIPIPEncap)
|
protocols = append(protocols, ProtocolIPEncap)
|
||||||
}
|
}
|
||||||
|
|
||||||
if b.Cluster.Spec.Networking.Romana != nil {
|
if b.Cluster.Spec.Networking.Romana != nil {
|
||||||
|
|
@ -364,7 +362,7 @@ func (b *FirewallModelBuilder) addCNIRules(c *fi.ModelBuilderContext, sgMap map[
|
||||||
}
|
}
|
||||||
|
|
||||||
if b.Cluster.Spec.Networking.Kuberouter != nil {
|
if b.Cluster.Spec.Networking.Kuberouter != nil {
|
||||||
protocols = append(protocols, ProtocolIPIPEncap)
|
protocols = append(protocols, ProtocolIPEncap)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
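Review bot: The comment kept at `//Allow all local communication for kubernetes.svc and to the api.internal lb/gossip for kubelet's` in the addHTTPSRules hunk now describes rules that no longer exist, since the two nodeSG ingress calls beneath it are removed and only the masterSG rules remain; update it to something like `// Allow 443 ingress on masters from nodes and masters (kubernetes.svc / api.internal for kubelets)`. addHTTPSRules starts and ends outside the hunk. In the const hunk the rename also merges ProtocolIPIPEncap ("94") into ProtocolIPEncap ("4"), so the Calico and Kuberouter branches in addCNIRules now open IANA protocol 4 instead of 94; this is a firewall behaviour change beyond the 443 removal named in the title, and the constant's comment should state the number rather than the vague "IP in IPv4/IPv6", e.g. `ProtocolIPEncap = "4" // IANA protocol 4: IP-in-IP encapsulation (RFC 2003)`. If any deployment relied on protocol 94 being open it will now be dropped by the security group, which looks intended but deserves a line in the commit description.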