Merge pull request #61467 from feiskyer/azure-service-tags

Automatic merge from submit-queue (batch tested with PRs 61434, 61501, 59609, 61467, 61531). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Add support of specifying service tags for Azure cloud provider

**What this PR does / why we need it**:

This PR adds support for specifying service tags for the Azure cloud provider via the annotation `service.beta.kubernetes.io/azure-allowed-service-tags`.

Refer https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#service-tags for more information about this feature.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #57914

**Special notes for your reviewer**:

**Release note**:

```release-note
Azure cloud provider now supports specifying allowed service tags by annotation `service.beta.kubernetes.io/azure-allowed-service-tags`
```
This commit is contained in:
Kubernetes Submit Queue 2018-03-26 19:52:14 -07:00 committed by GitHub
commit 408588a407
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -69,6 +69,17 @@ const (
// ServiceAnnotationLoadBalancerResourceGroup is the annotation used on the service
// to specify the resource group of load balancer objects that are not in the same resource group as the cluster.
ServiceAnnotationLoadBalancerResourceGroup = "service.beta.kubernetes.io/azure-load-balancer-resource-group"
// ServiceAnnotationAllowedServiceTag is the annotation used on the service
// to specify a list of allowed service tags separated by comma
ServiceAnnotationAllowedServiceTag = "service.beta.kubernetes.io/azure-allowed-service-tags"
)
var (
// supportedServiceTags holds a list of supported service tags on Azure.
// Refer https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#service-tags for more information.
supportedServiceTags = sets.NewString("VirtualNetwork", "VIRTUAL_NETWORK", "AzureLoadBalancer", "AZURE_LOADBALANCER",
"Internet", "INTERNET", "AzureTrafficManager", "Storage", "Sql")
)
// GetLoadBalancer returns whether the specified load balancer exists, and
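Review bot: The doc comment on ServiceAnnotationAllowedServiceTag says only "separated by comma" and leaves out the two things a user setting this annotation will trip over: the regional `Storage.<Region>` / `Sql.<Region>` forms that getServiceTags accepts, and that entries are matched exactly (case-sensitively) against supportedServiceTags, so `internet` is rejected while `Internet` and `INTERNET` are accepted. I would replace the two comment lines with `// ServiceAnnotationAllowedServiceTag is the annotation used on the service to specify a comma-separated`, `// list of allowed service tags (see supportedServiceTags; Storage and Sql also accept a ".<Region>" suffix).`, `// Entries are matched case-sensitively and each one becomes a source prefix of the security group rule.`. The last sentence is worth stating because it is the reason the list is validated at all.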
@ -838,8 +849,12 @@ func (az *Cloud) reconcileSecurityGroup(clusterName string, service *v1.Service,
if err != nil {
return nil, err
}
serviceTags, err := getServiceTags(service)
if err != nil {
return nil, err
}
var sourceAddressPrefixes []string
if sourceRanges == nil || serviceapi.IsAllowAll(sourceRanges) {
if (sourceRanges == nil || serviceapi.IsAllowAll(sourceRanges)) && len(serviceTags) == 0 {
if !requiresInternalLoadBalancer(service) {
sourceAddressPrefixes = []string{"Internet"}
}
@ -847,6 +862,9 @@ func (az *Cloud) reconcileSecurityGroup(clusterName string, service *v1.Service,
for _, ip := range sourceRanges {
sourceAddressPrefixes = append(sourceAddressPrefixes, ip.String())
}
for _, serviceTag := range serviceTags {
sourceAddressPrefixes = append(sourceAddressPrefixes, serviceTag)
}
}
expectedSecurityRules := []network.SecurityRule{}
@ -1319,3 +1337,23 @@ func useSharedSecurityRule(service *v1.Service) bool {
return false
}
func getServiceTags(service *v1.Service) ([]string, error) {
if serviceTags, found := service.Annotations[ServiceAnnotationAllowedServiceTag]; found {
tags := strings.Split(strings.TrimSpace(serviceTags), ",")
for _, tag := range tags {
// Storage and Sql service tags support setting regions with suffix ".Region"
if strings.HasPrefix(tag, "Storage.") || strings.HasPrefix(tag, "Sql.") {
continue
}
if !supportedServiceTags.Has(tag) {
return nil, fmt.Errorf("only %q are allowed in service tags", supportedServiceTags.List())
}
}
return tags, nil
}
return nil, nil
}
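Review bot: The `Storage.` / `Sql.` prefix branch in getServiceTags skips validation entirely, so any text after the dot (including an empty suffix, `Storage.`) is forwarded unchecked as a source prefix of the NSG rule; Azure will presumably reject an unknown tag, but the point of this function is to fail early with a clear error, and that property is lost for regional tags. Two smaller issues in the same loop: only the whole annotation value is trimmed (`strings.Split(strings.TrimSpace(serviceTags), ",")`), so `Internet, Storage` is rejected because of the space, and the error on the unsupported path does not name the offending entry. The rewrite below trims each entry, requires a single non-empty region suffix, and includes the rejected tag in both errors; the supported-tag check itself is unchanged.

```go
	for i, tag := range tags {
		tag = strings.TrimSpace(tag)
		tags[i] = tag
		// Storage and Sql service tags support setting regions with suffix ".Region";
		// the region list is not enumerated here, so at least require a single,
		// non-empty suffix rather than forwarding an arbitrary string as a source prefix.
		if strings.HasPrefix(tag, "Storage.") || strings.HasPrefix(tag, "Sql.") {
			region := strings.SplitN(tag, ".", 2)[1]
			if region == "" || strings.ContainsAny(region, ". \t") {
				return nil, fmt.Errorf("invalid regional service tag %q", tag)
			}
			continue
		}
		if !supportedServiceTags.Has(tag) {
			return nil, fmt.Errorf("service tag %q is not supported; only %q are allowed", tag, supportedServiceTags.List())
		}
	}
	// … unchanged: return tags, nil / return nil, nil …
```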