Merge pull request #6944 from zetaab/allow_node_exporter

add node-exporter to allowed ports
2019-05-14 10:35:19 -07:00 · 2019-05-14 10:35:19 -07:00 · f2bd5a5ef2
parent c9d3cbcad6 53834635ad
commit f2bd5a5ef2
1 changed files with 22 additions and 0 deletions
--- a/pkg/model/openstackmodel/firewall.go
+++ b/pkg/model/openstackmodel/firewall.go
@ -294,6 +294,26 @@ func (b *FirewallModelBuilder) addKubeletRules(c *fi.ModelBuilderContext, sgMap
 	return nil
 }

+// addNodeExporterRules - Allow 9100 TCP port from nodesg
+func (b *FirewallModelBuilder) addNodeExporterRules(c *fi.ModelBuilderContext, sgMap map[string]*openstacktasks.SecurityGroup) error {
+	masterName := b.SecurityGroupName(kops.InstanceGroupRoleMaster)
+	nodeName := b.SecurityGroupName(kops.InstanceGroupRoleNode)
+	masterSG := sgMap[masterName]
+	nodeSG := sgMap[nodeName]
+	nodeExporterIngress := &openstacktasks.SecurityGroupRule{
+		Lifecycle:    b.Lifecycle,
+		Direction:    s(string(rules.DirIngress)),
+		Protocol:     s(IPProtocolTCP),
+		EtherType:    s(IPV4),
+		PortRangeMin: i(9100),
+		PortRangeMax: i(9100),
+	}
+	// allow 9100 port from nodeSG
+	addDirectionalGroupRule(c, masterSG, nodeSG, nodeExporterIngress)
+	addDirectionalGroupRule(c, nodeSG, nodeSG, nodeExporterIngress)
+	return nil
+}
+
 // addDNSRules - Add DNS rules for internal DNS queries
 func (b *FirewallModelBuilder) addDNSRules(c *fi.ModelBuilderContext, sgMap map[string]*openstacktasks.SecurityGroup) error {

@ -471,6 +491,8 @@ func (b *FirewallModelBuilder) Build(c *fi.ModelBuilderContext) error {
 	b.addDNSRules(c, sgMap)
 	//Add Kubelet Rules
 	b.addKubeletRules(c, sgMap)
+	//Add Node exporter Rules
+	b.addNodeExporterRules(c, sgMap)
 	// Protokube Rules
 	b.addProtokubeRules(c, sgMap)
 	//Allow necessary local traffic