kops/pkg/model/external_access.go


package model
import (
"github.com/golang/glog"
"k8s.io/kops/pkg/apis/kops"
"k8s.io/kops/upup/pkg/fi"
"k8s.io/kops/upup/pkg/fi/cloudup/awstasks"
"strconv"
)
// ExternalAccessModelBuilder is the fi.ModelBuilder that opens the cluster's
// security groups to the address ranges listed in Cluster.Spec.SSHAccess
// (TCP/22) and Cluster.Spec.APIAccess (TCP/443). See Build for the exact rules
// and for the public-topology condition under which they are added.
//
// It carries no state of its own: the embedded KopsModelContext supplies the
// cluster spec that is read and the security-group links the rules attach to.
type ExternalAccessModelBuilder struct {
	*KopsModelContext
}
// Compile-time check that *ExternalAccessModelBuilder satisfies fi.ModelBuilder.
var _ fi.ModelBuilder = (*ExternalAccessModelBuilder)(nil)
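// Build adds the security group rules that expose the cluster to addresses
// outside its security groups. Rules are only added for a public topology
// (b.Cluster.IsTopologyPublic()):
//
//   - TCP/22 on both the master and the node security group, one rule per
//     entry in Cluster.Spec.SSHAccess;
//   - TCP/443 on the master security group, one rule per entry in
//     Cluster.Spec.APIAccess, for clusters that reach the API on the masters
//     directly rather than through a load balancer.
//
// An empty SSHAccess or APIAccess list only logs a warning and adds no rule,
// so a missing list leaves the port closed rather than open. For a private
// topology nothing at all is added here; presumably bastion/ELB access is
// built by another model builder — confirm before relying on it.
//
// The CIDR strings are passed to the rules verbatim: nothing in this builder
// rejects a permissive value such as 0.0.0.0/0, which admits every address.
// Any validation is expected to happen in the API validation layer (TODO
// confirm). Task names embed each entry's index in its list, so reordering
// or removing entries renames the corresponding rule tasks.
//
// Always returns nil: registering tasks cannot fail at this stage.
func (b *ExternalAccessModelBuilder) Build(c *fi.ModelBuilderContext) error {
	if len(b.Cluster.Spec.APIAccess) == 0 {
		glog.Warningf("APIAccess is empty")
	}
	if len(b.Cluster.Spec.SSHAccess) == 0 {
		glog.Warningf("SSHAccess is empty")
	}

	// Nothing is opened directly to the instances for a private topology.
	if !b.Cluster.IsTopologyPublic() {
		return nil
	}

	// SSH is open to the SSHAccess CIDR set, on masters and nodes alike.
	for i, cidr := range b.Cluster.Spec.SSHAccess {
		suffix := strconv.Itoa(i)
		b.addExternalTCPRule(c, "ssh-external-to-master-"+suffix, kops.InstanceGroupRoleMaster, 22, cidr)
		b.addExternalTCPRule(c, "ssh-external-to-node-"+suffix, kops.InstanceGroupRoleNode, 22, cidr)
	}

	// Configuration for the master when not using a load balancer (ELB).
	// We expect that either the IP address is published or DNS points at the
	// masters, so the security group must admit HTTPS (API) traffic to the
	// masters directly instead of via the ELB.
	for i, cidr := range b.Cluster.Spec.APIAccess {
		b.addExternalTCPRule(c, "https-external-to-master-"+strconv.Itoa(i), kops.InstanceGroupRoleMaster, 443, cidr)
	}

	return nil
}

// addExternalTCPRule registers one ingress rule admitting TCP traffic on a
// single port from cidr to the security group of the given instance-group role.
// The CIDR is used as supplied; callers are responsible for its validity.
func (b *ExternalAccessModelBuilder) addExternalTCPRule(c *fi.ModelBuilderContext, name string, role kops.InstanceGroupRole, port int64, cidr string) {
	c.AddTask(&awstasks.SecurityGroupRule{
		Name:          s(name),
		SecurityGroup: b.LinkToSecurityGroup(role),
		Protocol:      s("tcp"),
		FromPort:      i64(port),
		ToPort:        i64(port),
		CIDR:          s(cidr),
	})
}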