Merge pull request #71674 from grayluck/firewall-event-msg
Change the XPN firewall-change event message: the change should be stated as required by the security admin rather than the network admin.
This commit is contained in:
commit
46a29a0cc3
@ -93,6 +93,9 @@ the cloud specific control loops shipped with Kubernetes.`,
|
||||
// the gce cloudprovider is removed.
|
||||
globalflag.Register(namedFlagSets.FlagSet("generic"), "cloud-provider-gce-lb-src-cidrs")
|
||||
}
|
||||
if flag.CommandLine.Lookup("cloud-provider-gce-l7lb-src-cidrs") != nil {
|
||||
globalflag.Register(namedFlagSets.FlagSet("generic"), "cloud-provider-gce-l7lb-src-cidrs")
|
||||
}
|
||||
for _, f := range namedFlagSets.FlagSets {
|
||||
fs.AddFlagSet(f)
|
||||
}
|
||||
|
@ -26,5 +26,6 @@ import (
|
||||
|
||||
func registerLegacyGlobalFlags(fs *pflag.FlagSet) {
|
||||
globalflag.Register(fs, "cloud-provider-gce-lb-src-cidrs")
|
||||
globalflag.Register(fs, "cloud-provider-gce-l7lb-src-cidrs")
|
||||
fs.MarkDeprecated("cloud-provider-gce-lb-src-cidrs", "This flag will be removed once the GCE Cloud Provider is removed from kube-apiserver")
|
||||
}
|
||||
|
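Review bot: The new `cloud-provider-gce-l7lb-src-cidrs` registration in registerLegacyGlobalFlags is not marked deprecated, while the sibling `cloud-provider-gce-lb-src-cidrs` flag on the following line is, so users of the new flag get no warning that it is on the same removal path. Add `fs.MarkDeprecated("cloud-provider-gce-l7lb-src-cidrs", "This flag will be removed once the GCE Cloud Provider is removed from kube-apiserver")` directly after the existing MarkDeprecated call. Both calls discard the error MarkDeprecated returns; that matches the existing line, but it hides a typo in the flag name, so consider checking it.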
@ -40,18 +40,25 @@ type cidrs struct {
|
||||
}
|
||||
|
||||
var (
|
||||
lbSrcRngsFlag cidrs
|
||||
l4LbSrcRngsFlag cidrs
|
||||
l7lbSrcRngsFlag cidrs
|
||||
)
|
||||
|
||||
func init() {
|
||||
var err error
|
||||
// LB L7 proxies and all L3/4/7 health checkers have client addresses within these known CIDRs.
|
||||
lbSrcRngsFlag.ipn, err = utilnet.ParseIPNets([]string{"130.211.0.0/22", "35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22"}...)
|
||||
// L3/4 health checkers have client addresses within these known CIDRs.
|
||||
l4LbSrcRngsFlag.ipn, err = utilnet.ParseIPNets([]string{"130.211.0.0/22", "35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22"}...)
|
||||
if err != nil {
|
||||
panic("Incorrect default GCE L3/4 source ranges")
|
||||
}
|
||||
// L7 health checkers have client addresses within these known CIDRs.
|
||||
l7lbSrcRngsFlag.ipn, err = utilnet.ParseIPNets([]string{"130.211.0.0/22", "35.191.0.0/16"}...)
|
||||
if err != nil {
|
||||
panic("Incorrect default GCE L7 source ranges")
|
||||
}
|
||||
|
||||
flag.Var(&lbSrcRngsFlag, "cloud-provider-gce-lb-src-cidrs", "CIDRs opened in GCE firewall for LB traffic proxy & health checks")
|
||||
flag.Var(&l4LbSrcRngsFlag, "cloud-provider-gce-lb-src-cidrs", "CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks")
|
||||
flag.Var(&l7lbSrcRngsFlag, "cloud-provider-gce-l7lb-src-cidrs", "CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks")
|
||||
}
|
||||
|
||||
// String is the method to format the flag's value, part of the flag.Value interface.
|
||||
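Review bot: The new L7 default in init() drops `209.85.152.0/22` and `209.85.204.0/22` from the set the removed comment described as covering "LB L7 proxies and all L3/4/7 health checkers", and the replacement comment only mentions L7 health checkers, so nothing in the code says why L7 proxy traffic from those two ranges no longer needs a firewall opening. These defaults are what gets opened in the GCE firewall, so a wrong split either blocks proxied traffic (L7 set too narrow) or leaves the L4 set wider than needed; please add a comment above the `l7lbSrcRngsFlag.ipn` assignment naming the source of the split, e.g. `// 209.85.152.0/22 and 209.85.204.0/22 are deliberately omitted for L7: <GCP source-range doc reference>`. The two lists also repeat the shared `130.211.0.0/22` and `35.191.0.0/16` literals; hoisting them into named variables would keep the sets from drifting apart. Finally, `l7lbSrcRngsFlag` does not follow the casing of `l4LbSrcRngsFlag`; `l7LbSrcRngsFlag` would keep the pair consistent.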
@ -82,10 +89,16 @@ func (c *cidrs) Set(value string) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// LoadBalancerSrcRanges contains the ranges of ips used by the GCE load balancers (l4 & L7)
|
||||
// L4LoadBalancerSrcRanges contains the ranges of ips used by the L3/L4 GCE load balancers
|
||||
// for proxying client requests and performing health checks.
|
||||
func LoadBalancerSrcRanges() []string {
|
||||
return lbSrcRngsFlag.ipn.StringSlice()
|
||||
func L4LoadBalancerSrcRanges() []string {
|
||||
return l4LbSrcRngsFlag.ipn.StringSlice()
|
||||
}
|
||||
|
||||
// L7LoadBalancerSrcRanges contains the ranges of ips used by the GCE load balancers L7
|
||||
// for proxying client requests and performing health checks.
|
||||
func L7LoadBalancerSrcRanges() []string {
|
||||
return l7lbSrcRngsFlag.ipn.StringSlice()
|
||||
}
|
||||
|
||||
// GetLoadBalancer is an implementation of LoadBalancer.GetLoadBalancer
|
||||
|
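Review bot: The exported `LoadBalancerSrcRanges` is removed outright rather than retained, so while the other hunks in this commit update the in-tree callers, any out-of-tree importer of this package breaks at compile time on upgrade. Unless the package is considered internal, keep a thin alias marked `// Deprecated: use L4LoadBalancerSrcRanges instead.` with `func LoadBalancerSrcRanges() []string { return L4LoadBalancerSrcRanges() }`. The doc comment on the new `L7LoadBalancerSrcRanges` reads awkwardly ("used by the GCE load balancers L7"); `// L7LoadBalancerSrcRanges contains the ranges of ips used by the GCE L7 load balancers` would mirror the L4 comment. `L7LoadBalancerSrcRanges` has no caller in this diff; if it exists for external consumers, saying so in its comment would stop a future cleanup from deleting it.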
@ -876,7 +876,7 @@ func (g *Cloud) ensureHTTPHealthCheckFirewall(svc *v1.Service, serviceName, ipAd
|
||||
if !isNodesHealthCheck {
|
||||
desc = makeFirewallDescription(serviceName, ipAddress)
|
||||
}
|
||||
sourceRanges := lbSrcRngsFlag.ipn
|
||||
sourceRanges := l4LbSrcRngsFlag.ipn
|
||||
ports := []v1.ServicePort{{Protocol: "tcp", Port: hcPort}}
|
||||
|
||||
fwName := MakeHealthCheckFirewallName(clusterID, hcName, isNodesHealthCheck)
|
||||
|
@ -38,6 +38,10 @@ import (
|
||||
utilnet "k8s.io/utils/net"
|
||||
)
|
||||
|
||||
const (
|
||||
eventMsgFirewallChange = "Firewall change required by security admin"
|
||||
)
|
||||
|
||||
func TestEnsureStaticIP(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
|
@ -383,7 +383,7 @@ func (g *Cloud) ensureInternalFirewalls(loadBalancerName, ipAddress, clusterID s
|
||||
|
||||
// Second firewall is for health checking nodes / services
|
||||
fwHCName := makeHealthCheckFirewallName(loadBalancerName, clusterID, sharedHealthCheck)
|
||||
hcSrcRanges := LoadBalancerSrcRanges()
|
||||
hcSrcRanges := L4LoadBalancerSrcRanges()
|
||||
return g.ensureInternalFirewall(svc, fwHCName, "", hcSrcRanges, []string{healthCheckPort}, v1.ProtocolTCP, nodes)
|
||||
}
|
||||
|
||||
|
@ -43,7 +43,6 @@ import (
|
||||
// TODO(yankaiz): Create shared error types for both test/non-test codes.
|
||||
const (
|
||||
eventReasonManualChange = "LoadBalancerManualChange"
|
||||
eventMsgFirewallChange = "Firewall change required by network admin"
|
||||
errPrefixGetTargetPool = "error getting load balancer's target pool:"
|
||||
wrongTier = "SupremeLuxury"
|
||||
errStrUnsupportedTier = "unsupported network tier: \"" + wrongTier + "\""
|
||||
|
@ -110,7 +110,7 @@ func getProjectAndZone() (string, string, error) {
|
||||
}
|
||||
|
||||
func (g *Cloud) raiseFirewallChangeNeededEvent(svc *v1.Service, cmd string) {
|
||||
msg := fmt.Sprintf("Firewall change required by network admin: `%v`", cmd)
|
||||
msg := fmt.Sprintf("Firewall change required by security admin: `%v`", cmd)
|
||||
if g.eventRecorder != nil && svc != nil {
|
||||
g.eventRecorder.Event(svc, v1.EventTypeNormal, "LoadBalancerManualChange", msg)
|
||||
}
|
||||
|
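Review bot: The changed message in raiseFirewallChangeNeededEvent is a bare string literal that is repeated (minus the command suffix) as `eventMsgFirewallChange` in the test files touched by this same commit, which is why a one-word wording change had to be made in three places and why a future edit can leave a test asserting a stale message without failing. Define the message and the `"LoadBalancerManualChange"` reason once as package-level constants next to this function, e.g. `const eventReasonManualChange = "LoadBalancerManualChange"` and `const eventMsgFirewallChange = "Firewall change required by security admin"`, build `msg` with fmt.Sprintf from that constant and `cmd`, and have the tests reference the same constants. Separately, the event is still recorded as `v1.EventTypeNormal` although it asks an operator to act; this predates the change, but `v1.EventTypeWarning` would surface it to the usual warning-only event filters. raiseFirewallChangeNeededEvent's closing brace lies outside the hunk.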
@ -75,7 +75,7 @@ func ConstructHealthCheckFirewallForLBService(clusterID string, svc *v1.Service,
|
||||
fw := compute.Firewall{}
|
||||
fw.Name = MakeHealthCheckFirewallNameForLBService(clusterID, cloudprovider.DefaultLoadBalancerName(svc), isNodesHealthCheck)
|
||||
fw.TargetTags = []string{nodeTag}
|
||||
fw.SourceRanges = gcecloud.LoadBalancerSrcRanges()
|
||||
fw.SourceRanges = gcecloud.L4LoadBalancerSrcRanges()
|
||||
healthCheckPort := gcecloud.GetNodesHealthCheckPort()
|
||||
if !isNodesHealthCheck {
|
||||
healthCheckPort = svc.Spec.HealthCheckNodePort
|
||||
|
@ -310,10 +310,10 @@ func (p *Provider) cleanupGCEResources(c clientset.Interface, loadBalancerName,
|
||||
return
|
||||
}
|
||||
|
||||
// LoadBalancerSrcRanges contains the ranges of ips used by the GCE load balancers (l4 & L7)
|
||||
// for proxying client requests and performing health checks.
|
||||
func (p *Provider) LoadBalancerSrcRanges() []string {
|
||||
return gcecloud.LoadBalancerSrcRanges()
|
||||
// L4LoadBalancerSrcRanges contains the ranges of ips used by the GCE L4 load
|
||||
// balancers for proxying client requests and performing health checks.
|
||||
func (p *Provider) L4LoadBalancerSrcRanges() []string {
|
||||
return gcecloud.L4LoadBalancerSrcRanges()
|
||||
}
|
||||
|
||||
// EnableAndDisableInternalLB returns functions for both enabling and disabling internal Load Balancer
|
||||
|