kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #10032 from hakman/calico-firewall 

Open etcd port only when Calico uses "etcd" datastore
This commit is contained in:
Kubernetes Prow Robot 2020-10-09 00:59:06 -07:00 committed by GitHub
parent f49b19483b 9c888bcdcf
commit f819dce2bd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 21 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
nodeup/pkg/model/networking/calico.go
View File

@ -39,7 +39,7 @@ func (b *CalicoBuilder) Build(c *fi.ModelBuilderContext) error {
} }
// @check if tls is enabled and if so, we need to download the client certificates // @check if tls is enabled and if so, we need to download the client certificates
if !b.UseEtcdManager() && b.UseEtcdTLS() { if b.IsKubernetesLT("1.12") && !b.UseEtcdManager() && b.UseEtcdTLS() {
name := "calico-client" name := "calico-client"
dirname := "calico" dirname := "calico"
ca := filepath.Join(dirname, "ca.pem") ca := filepath.Join(dirname, "ca.pem")

6
pkg/apis/kops/cluster.go
View File

@ -674,6 +674,12 @@ func (c *Cluster) IsKubernetesGTE(version string) bool {
return clusterVersion.GTE(*parsedVersion) return clusterVersion.GTE(*parsedVersion)
} }
// IsKubernetesLT checks if the version is < the specified version.
// It panics if the kubernetes version in the cluster is invalid, or if the version is invalid.
func (c *Cluster) IsKubernetesLT(version string) bool {
return !c.IsKubernetesGTE(version)
}
// EnvVar represents an environment variable present in a Container. // EnvVar represents an environment variable present in a Container.
type EnvVar struct { type EnvVar struct {
// Name of the environment variable. Must be a C_IDENTIFIER. // Name of the environment variable. Must be a C_IDENTIFIER.

2
pkg/model/firewall.go
View File

@ -250,10 +250,12 @@ func (b *FirewallModelBuilder) applyNodeToMasterBlockSpecificPorts(c *fi.ModelBu
} }
if b.Cluster.Spec.Networking.Calico != nil { if b.Cluster.Spec.Networking.Calico != nil {
if b.IsKubernetesLT("1.12") {
// Calico needs to access etcd // Calico needs to access etcd
// TODO: Remove, replace with etcd in calico manifest // TODO: Remove, replace with etcd in calico manifest
klog.Warningf("Opening etcd port on masters for access from the nodes, for calico. This is unsafe in untrusted environments.") klog.Warningf("Opening etcd port on masters for access from the nodes, for calico. This is unsafe in untrusted environments.")
tcpBlocked[4001] = false tcpBlocked[4001] = false
}
protocols = append(protocols, ProtocolIPIP) protocols = append(protocols, ProtocolIPIP)
} }

2
pkg/model/iam/iam_builder.go
View File

@ -570,7 +570,7 @@ func ReadableStatePaths(cluster *kops.Cluster, role Subject) ([]string, error) {
} }
// @check if calico is enabled as the CNI provider and permit access to the client TLS certificate by default // @check if calico is enabled as the CNI provider and permit access to the client TLS certificate by default
if networkingSpec.Calico != nil { if cluster.IsKubernetesLT("1.12") && networkingSpec.Calico != nil {
calicoClientCert := false calicoClientCert := false
for _, x := range cluster.Spec.EtcdClusters { for _, x := range cluster.Spec.EtcdClusters {
if x.Provider == kops.EtcdProviderTypeManager { if x.Provider == kops.EtcdProviderTypeManager {

2
pkg/model/pki.go
View File

@ -129,7 +129,7 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
}) })
// @check if calico is enabled as the CNI provider // @check if calico is enabled as the CNI provider
if b.KopsModelContext.Cluster.Spec.Networking.Calico != nil { if b.IsKubernetesLT("1.12") && b.KopsModelContext.Cluster.Spec.Networking.Calico != nil {
c.AddTask(&fitasks.Keypair{ c.AddTask(&fitasks.Keypair{
Name: fi.String("calico-client"), Name: fi.String("calico-client"),
Lifecycle: b.Lifecycle, Lifecycle: b.Lifecycle,

4
tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf
View File

@ -753,12 +753,12 @@ resource "aws_security_group_rule" "node-to-master-tcp-1-2379" {
type = "ingress" type = "ingress"
} }
resource "aws_security_group_rule" "node-to-master-tcp-2382-4001" { resource "aws_security_group_rule" "node-to-master-tcp-2382-4000" {
from_port = 2382 from_port = 2382
protocol = "tcp" protocol = "tcp"
security_group_id = aws_security_group.masters-bastionuserdata-example-com.id security_group_id = aws_security_group.masters-bastionuserdata-example-com.id
source_security_group_id = aws_security_group.nodes-bastionuserdata-example-com.id source_security_group_id = aws_security_group.nodes-bastionuserdata-example-com.id
to_port = 4001 to_port = 4000
type = "ingress" type = "ingress"
} }

4
tests/integration/update_cluster/privatecalico/cloudformation.json
View File

@ -847,7 +847,7 @@
"IpProtocol": "tcp" "IpProtocol": "tcp"
} }
}, },
"AWSEC2SecurityGroupIngressnodetomastertcp23824001": { "AWSEC2SecurityGroupIngressnodetomastertcp23824000": {
"Type": "AWS::EC2::SecurityGroupIngress", "Type": "AWS::EC2::SecurityGroupIngress",
"Properties": { "Properties": {
"GroupId": { "GroupId": {
@ -857,7 +857,7 @@
"Ref": "AWSEC2SecurityGroupnodesprivatecalicoexamplecom" "Ref": "AWSEC2SecurityGroupnodesprivatecalicoexamplecom"
}, },
"FromPort": 2382, "FromPort": 2382,
"ToPort": 4001, "ToPort": 4000,
"IpProtocol": "tcp" "IpProtocol": "tcp"
} }
}, },

4
tests/integration/update_cluster/privatecalico/kubernetes.tf
View File

@ -752,12 +752,12 @@ resource "aws_security_group_rule" "node-to-master-tcp-1-2379" {
type = "ingress" type = "ingress"
} }
resource "aws_security_group_rule" "node-to-master-tcp-2382-4001" { resource "aws_security_group_rule" "node-to-master-tcp-2382-4000" {
from_port = 2382 from_port = 2382
protocol = "tcp" protocol = "tcp"
security_group_id = aws_security_group.masters-privatecalico-example-com.id security_group_id = aws_security_group.masters-privatecalico-example-com.id
source_security_group_id = aws_security_group.nodes-privatecalico-example-com.id source_security_group_id = aws_security_group.nodes-privatecalico-example-com.id
to_port = 4001 to_port = 4000
type = "ingress" type = "ingress"
} }