diff --git a/test/e2e/framework/providers/gce/firewall.go b/test/e2e/framework/providers/gce/firewall.go
index fa5c1dcb0db..8beb1c8518b 100644
--- a/test/e2e/framework/providers/gce/firewall.go
+++ b/test/e2e/framework/providers/gce/firewall.go
@@ -90,165 +90,6 @@ func ConstructHealthCheckFirewallForLBService(clusterID string, svc *v1.Service,
  return &fw
 }
 
-// GetInstancePrefix returns the INSTANCE_PREFIX env we set for e2e cluster.
-// From cluster/gce/config-test.sh, master name is set up using below format:
-// MASTER_NAME="${INSTANCE_PREFIX}-master"
-func GetInstancePrefix(masterName string) (string, error) {
- if !strings.HasSuffix(masterName, "-master") {
- return "", fmt.Errorf("unexpected master name format: %v", masterName)
- }
- return masterName[:len(masterName)-7], nil
-}
-
-// GetClusterName returns the CLUSTER_NAME env we set for e2e cluster.
-// From cluster/gce/config-test.sh, cluster name is set up using below format:
-// CLUSTER_NAME="${CLUSTER_NAME:-${INSTANCE_PREFIX}}"
-func GetClusterName(instancePrefix string) string {
- return instancePrefix
-}
-
-// GetE2eFirewalls returns all firewall rules we create for an e2e cluster.
-// From cluster/gce/util.sh, all firewall rules should be consistent with the ones created by startup scripts.
-func GetE2eFirewalls(masterName, masterTag, nodeTag, network, clusterIPRange string) []*compute.Firewall {
- instancePrefix, err := GetInstancePrefix(masterName)
- framework.ExpectNoError(err)
- clusterName := GetClusterName(instancePrefix)
-
- fws := []*compute.Firewall{}
- fws = append(fws, &compute.Firewall{
- Name: clusterName + "-default-internal-master",
- SourceRanges: []string{"10.0.0.0/8"},
- TargetTags: []string{masterTag},
- Allowed: []*compute.FirewallAllowed{
- {
- IPProtocol: "tcp",
- Ports: []string{"1-2379"},
- },
- {
- IPProtocol: "tcp",
- Ports: []string{"2382-65535"},
- },
- {
- IPProtocol: "udp",
- Ports: []string{"1-65535"},
- },
- {
- IPProtocol: "icmp",
- },
- },
- })
- fws = append(fws, &compute.Firewall{
- Name: clusterName + "-default-internal-node",
- SourceRanges: []string{"10.0.0.0/8"},
- TargetTags: []string{nodeTag},
- Allowed: []*compute.FirewallAllowed{
- {
- IPProtocol: "tcp",
- Ports: []string{"1-65535"},
- },
- {
- IPProtocol: "udp",
- Ports: []string{"1-65535"},
- },
- {
- IPProtocol: "icmp",
- },
- },
- })
- fws = append(fws, &compute.Firewall{
- Name: network + "-default-ssh",
- SourceRanges: []string{"0.0.0.0/0"},
- Allowed: []*compute.FirewallAllowed{
- {
- IPProtocol: "tcp",
- Ports: []string{"22"},
- },
- },
- })
- fws = append(fws, &compute.Firewall{
- Name: masterName + "-etcd",
- SourceTags: []string{masterTag},
- TargetTags: []string{masterTag},
- Allowed: []*compute.FirewallAllowed{
- {
- IPProtocol: "tcp",
- Ports: []string{"2380"},
- },
- {
- IPProtocol: "tcp",
- Ports: []string{"2381"},
- },
- },
- })
- fws = append(fws, &compute.Firewall{
- Name: masterName + "-https",
- SourceRanges: []string{"0.0.0.0/0"},
- TargetTags: []string{masterTag},
- Allowed: []*compute.FirewallAllowed{
- {
- IPProtocol: "tcp",
- Ports: []string{"443"},
- },
- },
- })
- fws = append(fws, &compute.Firewall{
- Name: nodeTag + "-all",
- SourceRanges: []string{clusterIPRange},
- TargetTags: []string{nodeTag},
- Allowed: []*compute.FirewallAllowed{
- {
- IPProtocol: "tcp",
- },
- {
- IPProtocol: "udp",
- },
- {
- IPProtocol: "icmp",
- },
- {
- IPProtocol: "esp",
- },
- {
- IPProtocol: "ah",
- },
- {
- IPProtocol: "sctp",
- },
- },
- })
- fws = append(fws, &compute.Firewall{
- Name: nodeTag + "-http-alt",
- SourceRanges: []string{"0.0.0.0/0"},
- TargetTags: []string{nodeTag},
- Allowed: []*compute.FirewallAllowed{
- {
- IPProtocol: "tcp",
- Ports: []string{"80"},
- },
- {
- IPProtocol: "tcp",
- Ports: []string{"8080"},
- },
- },
- })
- fws = append(fws, &compute.Firewall{
- Name: nodeTag + "-nodeports",
- SourceRanges: []string{"0.0.0.0/0"},
- TargetTags: []string{nodeTag},
- Allowed: []*compute.FirewallAllowed{
- {
- IPProtocol: "tcp",
- Ports: []string{"30000-32767"},
- },
- {
- IPProtocol: "udp",
- Ports: []string{"30000-32767"},
- },
- },
- })
- return fws
-}
-
 // PackProtocolsPortsFromFirewall packs protocols and ports in an unified way for verification.
 func PackProtocolsPortsFromFirewall(alloweds []*compute.FirewallAllowed) []string {
  protocolPorts := []string{}
diff --git a/test/e2e/network/firewall.go b/test/e2e/network/firewall.go
index 62685092eac..cf45f88a3ef 100644
--- a/test/e2e/network/firewall.go
+++ b/test/e2e/network/firewall.go
@@ -204,16 +204,6 @@ var _ = common.SIGDescribe("Firewall rule", func() {
  framework.ExpectNoError(err)
  })
 
- ginkgo.It("should have correct firewall rules for e2e cluster", func(ctx context.Context) {
- ginkgo.By("Checking if e2e firewall rules are correct")
- for _, expFw := range gce.GetE2eFirewalls(cloudConfig.MasterName, cloudConfig.MasterTag, cloudConfig.NodeTag, cloudConfig.Network, cloudConfig.ClusterIPRange) {
- fw, err := gceCloud.GetFirewall(expFw.Name)
- framework.ExpectNoError(err)
- err = gce.VerifyFirewallRule(fw, expFw, cloudConfig.Network, false)
- framework.ExpectNoError(err)
- }
- })
-
  ginkgo.It("control plane should not expose well-known ports", func(ctx context.Context) {
  nodes, err := e2enode.GetReadySchedulableNodes(ctx, cs)
  framework.ExpectNoError(err)