github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-28 05:57:25 +00:00
Code Issues Projects Releases Wiki Activity

AWS: Set up security groups, to mirror GCE firewalling

Browse Source 
Some slightly fussy code to enable load-balancers to talk to
instances, but otherwise relatively simple.
This commit is contained in:
Justin Santa Barbara 2015-06-04 22:03:50 -04:00
parent 33a3d884f2
commit 48e8a8b0ec
3 changed files with 584 additions and 113 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

157
cluster/aws/util.sh
View File

@ -44,6 +44,9 @@ INTERNAL_IP_BASE=172.20.0
MASTER_IP_SUFFIX=.9
MASTER_INTERNAL_IP=${INTERNAL_IP_BASE}${MASTER_IP_SUFFIX}
MASTER_SG_NAME="kubernetes-master-${CLUSTER_ID}"
MINION_SG_NAME="kubernetes-minion-${CLUSTER_ID}"
function json_val {
python -c 'import json,sys;obj=json.load(sys.stdin);print obj'$1''
}
@ -102,6 +105,17 @@ function get_instance_private_ip {
--query Reservations[].Instances[].NetworkInterfaces[0].PrivateIpAddress
}
# Gets a security group id, by name ($1)
function get_security_group_id {
local name=$1
$AWS_CMD --output text describe-security-groups \
--filters Name=vpc-id,Values=${VPC_ID} \
Name=group-name,Values=${name} \
Name=tag:KubernetesCluster,Values=${CLUSTER_ID} \
--query SecurityGroups[].GroupId \
| tr "\t" "\n"
}
function detect-master () {
KUBE_MASTER=${MASTER_NAME}
if [[ -z "${KUBE_MASTER_IP-}" ]]; then
@ -132,6 +146,27 @@ function detect-minions () {
fi
}
function detect-security-groups {
if [[ -z "${MASTER_SG_ID-}" ]]; then
MASTER_SG_ID=$(get_security_group_id "${MASTER_SG_NAME}")
if [[ -z "${MASTER_SG_ID}" ]]; then
echo "Could not detect Kubernetes master security group. Make sure you've launched a cluster with 'kube-up.sh'"
exit 1
else
echo "Using master security group: ${MASTER_SG_NAME} ${MASTER_SG_ID}"
fi
fi
if [[ -z "${MINION_SG_ID-}" ]]; then
MINION_SG_ID=$(get_security_group_id "${MINION_SG_NAME}")
if [[ -z "${MINION_SG_ID}" ]]; then
echo "Could not detect Kubernetes minion security group. Make sure you've launched a cluster with 'kube-up.sh'"
exit 1
else
echo "Using minion security group: ${MINION_SG_NAME} ${MINION_SG_ID}"
fi
fi
}
# Detects the AMI to use (considering the region)
#
# Vars set:
@ -224,6 +259,43 @@ function import-public-key {
fi
}
# Robustly try to create a security group, if it does not exist.
# $1: The name of security group; will be created if not exists
# $2: Description for security group (used if created)
#
# Note that this doesn't actually return the sgid; we need to re-query
function create-security-group {
local -r name=$1
local -r description=$2
local sgid=$(get_security_group_id "${name}")
if [[ -z "$sgid" ]]; then
echo "Creating security group ${name}."
sgid=$($AWS_CMD create-security-group --group-name "${name}" --description "${description}" --vpc-id "${VPC_ID}" --query GroupId --output text)
add-tag $sgid KubernetesCluster ${CLUSTER_ID}
fi
}
# Authorize ingress to a security group.
# Attempts to be idempotent, though we end up checking the output looking for error-strings.
# $1 group-id
# $2.. arguments to pass to authorize-security-group-ingress
function authorize-security-group-ingress {
local -r sgid=$1
shift
local ok=1
local output=""
output=$($AWS_CMD authorize-security-group-ingress --group-id "${sgid}" $@ 2>&1) || ok=0
if [[ ${ok} == 0 ]]; then
# Idempotency: ignore if duplicate rule
if [[ "${output}" != *"InvalidPermission.Duplicate"* ]]; then
echo "Error creating security group ingress rule"
echo "Output: ${output}"
exit 1
fi
fi
}
# Verify prereqs
function verify-prereqs {
if [[ "$(which aws)" == "" ]]; then
@ -541,17 +613,39 @@ function kube-up {
echo "Using Route Table $ROUTE_TABLE_ID"
SEC_GROUP_ID=$($AWS_CMD --output text describe-security-groups \
--filters Name=vpc-id,Values=$VPC_ID \
Name=group-name,Values=kubernetes-sec-group \
--query SecurityGroups[].GroupId \
| tr "\t" "\n")
if [[ -z "$SEC_GROUP_ID" ]]; then
echo "Creating security group."
SEC_GROUP_ID=$($AWS_CMD create-security-group --group-name kubernetes-sec-group --description kubernetes-sec-group --vpc-id $VPC_ID | json_val '["GroupId"]')
$AWS_CMD authorize-security-group-ingress --group-id $SEC_GROUP_ID --protocol -1 --port all --cidr 0.0.0.0/0 > $LOG
# Create security groups
MASTER_SG_ID=$(get_security_group_id "${MASTER_SG_NAME}")
if [[ -z "${MASTER_SG_ID}" ]]; then
echo "Creating master security group."
create-security-group "${MASTER_SG_NAME}" "Kubernetes security group applied to master nodes"
fi
MINION_SG_ID=$(get_security_group_id "${MINION_SG_NAME}")
if [[ -z "${MINION_SG_ID}" ]]; then
echo "Creating minion security group."
create-security-group "${MINION_SG_NAME}" "Kubernetes security group applied to minion nodes"
fi
detect-security-groups
# Masters can talk to master
authorize-security-group-ingress "${MASTER_SG_ID}" "--source-group ${MASTER_SG_ID} --protocol all"
# Minions can talk to minions
authorize-security-group-ingress "${MINION_SG_ID}" "--source-group ${MINION_SG_ID} --protocol all"
# Masters and minions can talk to each other
authorize-security-group-ingress "${MASTER_SG_ID}" "--source-group ${MINION_SG_ID} --protocol all"
authorize-security-group-ingress "${MINION_SG_ID}" "--source-group ${MASTER_SG_ID} --protocol all"
# TODO(justinsb): Would be fairly easy to replace 0.0.0.0/0 in these rules
# SSH is open to the world
authorize-security-group-ingress "${MASTER_SG_ID}" "--protocol tcp --port 22 --cidr 0.0.0.0/0"
authorize-security-group-ingress "${MINION_SG_ID}" "--protocol tcp --port 22 --cidr 0.0.0.0/0"
# HTTPS to the master is allowed (for API access)
authorize-security-group-ingress "${MASTER_SG_ID}" "--protocol tcp --port 443 --cidr 0.0.0.0/0"
(
# We pipe this to the ami as a startup script in the user-data field. Requires a compatible ami
echo "#! /bin/bash"
@ -595,7 +689,7 @@ function kube-up {
--subnet-id $SUBNET_ID \
--private-ip-address $MASTER_INTERNAL_IP \
--key-name ${AWS_SSH_KEY_NAME} \
--security-group-ids $SEC_GROUP_ID \
--security-group-ids ${MASTER_SG_ID} \
--associate-public-ip-address \
--user-data file://${KUBE_TEMP}/master-start.sh | json_val '["Instances"][0]["InstanceId"]')
add-tag $master_id Name $MASTER_NAME
@ -676,7 +770,7 @@ function kube-up {
--subnet-id $SUBNET_ID \
--private-ip-address $INTERNAL_IP_BASE.1${i} \
--key-name ${AWS_SSH_KEY_NAME} \
--security-group-ids $SEC_GROUP_ID \
--security-group-ids ${MINION_SG_ID} \
${public_ip_option} \
--user-data "file://${KUBE_TEMP}/minion-user-data-${i}" | json_val '["Instances"][0]["InstanceId"]')
@ -848,18 +942,38 @@ function kube-down {
echo "Deleting VPC: ${vpc_id}"
default_sg_id=$($AWS_CMD --output text describe-security-groups \
--filters Name=vpc-id,Values=${vpc_id} Name=group-name,Values=default \
--filters Name=vpc-id,Values=${vpc_id} \
Name=group-name,Values=default \
--query SecurityGroups[].GroupId \
| tr "\t" "\n")
sg_ids=$($AWS_CMD --output text describe-security-groups \
--filters Name=vpc-id,Values=${vpc_id} \
Name=tag:KubernetesCluster,Values=${CLUSTER_ID} \
--query SecurityGroups[].GroupId \
| tr "\t" "\n")
# First delete any inter-security group ingress rules
# (otherwise we get dependency violations)
for sg_id in ${sg_ids}; do
# EC2 doesn't let us delete the default security group
if [[ "${sg_id}" != "${default_sg_id}" ]]; then
$AWS_CMD delete-security-group --group-id ${sg_id} > $LOG
if [[ "${sg_id}" == "${default_sg_id}" ]]; then
continue
fi
echo "Cleaning up security group: ${sg_id}"
other_sgids=$(aws ec2 describe-security-groups --group-id "${sg_id}" --query SecurityGroups[].IpPermissions[].UserIdGroupPairs[].GroupId --output text)
for other_sgid in ${other_sgids}; do
$AWS_CMD revoke-security-group-ingress --group-id "${sg_id}" --source-group "${other_sgid}" --protocol all > $LOG
done
done
for sg_id in ${sg_ids}; do
# EC2 doesn't let us delete the default security group
if [[ "${sg_id}" == "${default_sg_id}" ]]; then
continue
fi
echo "Deleting security group: ${sg_id}"
$AWS_CMD delete-security-group --group-id ${sg_id} > $LOG
done
subnet_ids=$($AWS_CMD --output text describe-subnets \
@ -942,12 +1056,25 @@ function test-build-release {
# Assumed vars:
# Variables from config.sh
function test-setup {
VPC_ID=$(get_vpc_id)
detect-security-groups
# Open up port 80 & 8080 so common containers on minions can be reached
# TODO(roberthbailey): Remove this once we are no longer relying on hostPorts.
authorize-security-group-ingress "${MINION_SG_ID}" "--protocol tcp --port 80 --cidr 0.0.0.0/0"
authorize-security-group-ingress "${MINION_SG_ID}" "--protocol tcp --port 8080 --cidr 0.0.0.0/0"
# Open up the NodePort range
# TODO(justinsb): Move to main setup, if we decide whether we want to do this by default.
authorize-security-group-ingress "${MINION_SG_ID}" "--protocol all --port 30000-32767 --cidr 0.0.0.0/0"
echo "test-setup complete"
}
# Execute after running tests to perform any required clean-up. This is called
# from hack/e2e.go
function test-teardown {
# (ingress rules will be deleted along with the security group)
echo "Shutting down test cluster."
"${KUBE_ROOT}/cluster/kube-down.sh"
}

528
pkg/cloudprovider/aws/aws.go
View File

@ -76,11 +76,16 @@ type EC2 interface {
DescribeSecurityGroups(request *ec2.DescribeSecurityGroupsInput) ([]*ec2.SecurityGroup, error)
CreateSecurityGroup(*ec2.CreateSecurityGroupInput) (*ec2.CreateSecurityGroupOutput, error)
DeleteSecurityGroup(request *ec2.DeleteSecurityGroupInput) (*ec2.DeleteSecurityGroupOutput, error)
AuthorizeSecurityGroupIngress(*ec2.AuthorizeSecurityGroupIngressInput) (*ec2.AuthorizeSecurityGroupIngressOutput, error)
RevokeSecurityGroupIngress(*ec2.RevokeSecurityGroupIngressInput) (*ec2.RevokeSecurityGroupIngressOutput, error)
DescribeVPCs(*ec2.DescribeVPCsInput) ([]*ec2.VPC, error)
DescribeSubnets(*ec2.DescribeSubnetsInput) ([]*ec2.Subnet, error)
CreateTags(*ec2.CreateTagsInput) (*ec2.CreateTagsOutput, error)
}
// This is a simple pass-through of the ELB client interface, which allows for testing
@ -360,10 +365,22 @@ func (s *awsSdkEC2) CreateSecurityGroup(request *ec2.CreateSecurityGroupInput) (
return s.ec2.CreateSecurityGroup(request)
}
func (s *awsSdkEC2) DeleteSecurityGroup(request *ec2.DeleteSecurityGroupInput) (*ec2.DeleteSecurityGroupOutput, error) {
return s.ec2.DeleteSecurityGroup(request)
}
func (s *awsSdkEC2) AuthorizeSecurityGroupIngress(request *ec2.AuthorizeSecurityGroupIngressInput) (*ec2.AuthorizeSecurityGroupIngressOutput, error) {
return s.ec2.AuthorizeSecurityGroupIngress(request)
}
func (s *awsSdkEC2) RevokeSecurityGroupIngress(request *ec2.RevokeSecurityGroupIngressInput) (*ec2.RevokeSecurityGroupIngressOutput, error) {
return s.ec2.RevokeSecurityGroupIngress(request)
}
func (s *awsSdkEC2) CreateTags(request *ec2.CreateTagsInput) (*ec2.CreateTagsOutput, error) {
return s.ec2.CreateTags(request)
}
func init() {
cloudprovider.RegisterCloudProvider(ProviderName, func(config io.Reader) (cloudprovider.Interface, error) {
creds := credentials.NewChainCredentials(
@ -1367,77 +1384,120 @@ func (self *AWSCloud) findVPC() (*ec2.VPC, error) {
return nil, fmt.Errorf("Found multiple matching VPCs for name: %s", name)
}
// Makes sure the security group allows ingress on the specified ports (with sourceIp & protocol)
// Returns true iff changes were made
// The security group must already exist
func (s *AWSCloud) ensureSecurityGroupIngess(securityGroupId string, sourceIp string, ports []*api.ServicePort) (bool, error) {
// Retrieves the specified security group from the AWS API, or returns nil if not found
func (s *AWSCloud) findSecurityGroup(securityGroupId string) (*ec2.SecurityGroup, error) {
describeSecurityGroupsRequest := &ec2.DescribeSecurityGroupsInput{
GroupIDs: []*string{&securityGroupId},
}
// No filters as querying by id
groups, err := s.ec2.DescribeSecurityGroups(describeSecurityGroupsRequest)
if err != nil {
glog.Warning("error retrieving security group", err)
return nil, err
}
if len(groups) == 0 {
return nil, nil
}
if len(groups) != 1 {
// This should not be possible - ids should be unique
return nil, fmt.Errorf("multiple security groups found with same id")
}
group := groups[0]
return group, nil
}
func isEqualIntPointer(l, r *int64) bool {
if l == nil {
return r == nil
}
if r == nil {
return l == nil
}
return *l == *r
}
func isEqualStringPointer(l, r *string) bool {
if l == nil {
return r == nil
}
if r == nil {
return l == nil
}
return *l == *r
}
func isEqualIPPermission(l, r *ec2.IPPermission) bool {
if !isEqualIntPointer(l.FromPort, r.FromPort) {
return false
}
if !isEqualIntPointer(l.ToPort, r.ToPort) {
return false
}
if !isEqualStringPointer(l.IPProtocol, r.IPProtocol) {
return false
}
if len(l.IPRanges) != len(r.IPRanges) {
return false
}
for j := range l.IPRanges {
if !isEqualStringPointer(l.IPRanges[j].CIDRIP, r.IPRanges[j].CIDRIP) {
return false
}
}
if len(l.UserIDGroupPairs) != len(r.UserIDGroupPairs) {
return false
}
for j := range l.UserIDGroupPairs {
if !isEqualStringPointer(l.UserIDGroupPairs[j].GroupID, r.UserIDGroupPairs[j].GroupID) {
return false
}
if !isEqualStringPointer(l.UserIDGroupPairs[j].UserID, r.UserIDGroupPairs[j].UserID) {
return false
}
}
return true
}
// Makes sure the security group includes the specified permissions
// Returns true iff changes were made
// The security group must already exist
func (s *AWSCloud) ensureSecurityGroupIngess(securityGroupId string, addPermissions []*ec2.IPPermission) (bool, error) {
group, err := s.findSecurityGroup(securityGroupId)
if err != nil {
glog.Warning("error retrieving security group", err)
return false, err
}
if len(groups) == 0 {
// We require that the security group already exist
return false, fmt.Errorf("security group not found")
if group == nil {
return false, fmt.Errorf("security group not found: %s", securityGroupId)
}
if len(groups) != 1 {
// This should not be possible - ids should be unique
return false, fmt.Errorf("multiple security groups found with same id")
}
group := groups[0]
newPermissions := []*ec2.IPPermission{}
for _, port := range ports {
changes := []*ec2.IPPermission{}
for _, addPermission := range addPermissions {
found := false
portInt64 := int64(port.Port)
protocol := strings.ToLower(string(port.Protocol))
for _, permission := range group.IPPermissions {
if permission.FromPort == nil || *permission.FromPort != portInt64 {
continue
for _, groupPermission := range group.IPPermissions {
if isEqualIPPermission(addPermission, groupPermission) {
found = true
break
}
if permission.ToPort == nil || *permission.ToPort != portInt64 {
continue
}
if permission.IPProtocol == nil || *permission.IPProtocol != protocol {
continue
}
if len(permission.IPRanges) != 1 {
continue
}
if orEmpty(permission.IPRanges[0].CIDRIP) != sourceIp {
continue
}
found = true
break
}
if !found {
newPermission := &ec2.IPPermission{}
newPermission.FromPort = &portInt64
newPermission.ToPort = &portInt64
newPermission.IPRanges = []*ec2.IPRange{{CIDRIP: &sourceIp}}
newPermission.IPProtocol = &protocol
newPermissions = append(newPermissions, newPermission)
changes = append(changes, addPermission)
}
}
if len(newPermissions) == 0 {
if len(changes) == 0 {
return false, nil
}
glog.V(2).Infof("Adding security group ingress: %s %v", securityGroupId, newPermissions)
glog.V(2).Infof("Adding security group ingress: %s %v", securityGroupId, changes)
request := &ec2.AuthorizeSecurityGroupIngressInput{}
request.GroupID = &securityGroupId
request.IPPermissions = newPermissions
request.IPPermissions = changes
_, err = s.ec2.AuthorizeSecurityGroupIngress(request)
if err != nil {
glog.Warning("error authorizing security group ingress", err)
@ -1447,6 +1507,111 @@ func (s *AWSCloud) ensureSecurityGroupIngess(securityGroupId string, sourceIp st
return true, nil
}
// Makes sure the security group no longer includes the specified permissions
// Returns true iff changes were made
// Returns true if the security group no longer exists
func (s *AWSCloud) removeSecurityGroupIngess(securityGroupId string, removePermissions []*ec2.IPPermission) (bool, error) {
group, err := s.findSecurityGroup(securityGroupId)
if err != nil {
glog.Warning("error retrieving security group", err)
return false, err
}
if group == nil {
glog.Warning("security group not found: ", securityGroupId)
return false, nil
}
changes := []*ec2.IPPermission{}
for _, removePermission := range removePermissions {
found := false
for _, groupPermission := range group.IPPermissions {
if isEqualIPPermission(groupPermission, removePermission) {
found = true
break
}
}
if found {
changes = append(changes, removePermission)
}
}
if len(changes) == 0 {
return false, nil
}
glog.V(2).Infof("Removing security group ingress: %s %v", securityGroupId, changes)
request := &ec2.RevokeSecurityGroupIngressInput{}
request.GroupID = &securityGroupId
request.IPPermissions = changes
_, err = s.ec2.RevokeSecurityGroupIngress(request)
if err != nil {
glog.Warning("error revoking security group ingress", err)
return false, err
}
return true, nil
}
// Makes sure the security group exists
// Returns the security group id or error
func (s *AWSCloud) ensureSecurityGroup(name string, description string, vpcID string) (string, error) {
request := &ec2.DescribeSecurityGroupsInput{}
filters := []*ec2.Filter{
newEc2Filter("group-name", name),
newEc2Filter("vpc-id", vpcID),
}
request.Filters = s.addFilters(filters)
securityGroups, err := s.ec2.DescribeSecurityGroups(request)
if err != nil {
return "", err
}
if len(securityGroups) >= 1 {
if len(securityGroups) > 1 {
glog.Warning("Found multiple security groups with name:", name)
}
return orEmpty(securityGroups[0].GroupID), nil
}
createRequest := &ec2.CreateSecurityGroupInput{}
createRequest.VPCID = &vpcID
createRequest.GroupName = &name
createRequest.Description = &description
createResponse, err := s.ec2.CreateSecurityGroup(createRequest)
if err != nil {
glog.Error("error creating security group: ", err)
return "", err
}
groupID := orEmpty(createResponse.GroupID)
if groupID == "" {
return "", fmt.Errorf("created security group, but id was not returned: %s", name)
}
tags := []*ec2.Tag{}
for k, v := range s.filterTags {
tag := &ec2.Tag{}
tag.Key = aws.String(k)
tag.Value = aws.String(v)
tags = append(tags, tag)
}
tagRequest := &ec2.CreateTagsInput{}
tagRequest.Resources = []*string{&groupID}
tagRequest.Tags = tags
_, err = s.ec2.CreateTags(tagRequest)
if err != nil {
// Not clear how to recover fully from this; we're OK because we don't match on tags, but that is a little odd
return "", fmt.Errorf("error tagging security group: %v", err)
}
return groupID, nil
}
// CreateTCPLoadBalancer implements TCPLoadBalancer.CreateTCPLoadBalancer
// TODO(justinsb): This must be idempotent
// TODO(justinsb) It is weird that these take a region. I suspect it won't work cross-region anwyay.
@ -1507,6 +1672,37 @@ func (s *AWSCloud) CreateTCPLoadBalancer(name, region string, publicIP net.IP, p
}
}
// Create a security group for the load balancer
var securityGroupID string
{
sgName := "k8s-elb-" + name
sgDescription := "Security group for Kubernetes ELB " + name
securityGroupID, err = s.ensureSecurityGroup(sgName, sgDescription, orEmpty(vpc.VPCID))
if err != nil {
glog.Error("error creating load balancer security group: ", err)
return nil, err
}
permissions := []*ec2.IPPermission{}
for _, port := range ports {
portInt64 := int64(port.Port)
protocol := strings.ToLower(string(port.Protocol))
sourceIp := "0.0.0.0/0"
permission := &ec2.IPPermission{}
permission.FromPort = &portInt64
permission.ToPort = &portInt64
permission.IPRanges = []*ec2.IPRange{{CIDRIP: &sourceIp}}
permission.IPProtocol = &protocol
permissions = append(permissions, permission)
}
_, err = s.ensureSecurityGroupIngess(securityGroupID, permissions)
if err != nil {
return nil, err
}
}
// Build the load balancer itself
var loadBalancer *elb.LoadBalancerDescription
{
@ -1544,49 +1740,12 @@ func (s *AWSCloud) CreateTCPLoadBalancer(name, region string, publicIP net.IP, p
// TODO: What happens if we have more than one subnet per AZ?
createRequest.Subnets = subnetIds
sgName := "k8s-elb-" + name
sgDescription := "Security group for Kubernetes ELB " + name
createRequest.SecurityGroups = []*string{&securityGroupID}
{
describeSecurityGroupsRequest := &ec2.DescribeSecurityGroupsInput{}
filters := []*ec2.Filter{
newEc2Filter("group-name", sgName),
newEc2Filter("vpc-id", orEmpty(vpc.VPCID)),
}
describeSecurityGroupsRequest.Filters = s.addFilters(filters)
securityGroups, err := s.ec2.DescribeSecurityGroups(describeSecurityGroupsRequest)
if err != nil {
return nil, err
}
var securityGroupId *string
for _, securityGroup := range securityGroups {
if securityGroupId != nil {
glog.Warning("Found multiple security groups with name:", sgName)
}
securityGroupId = securityGroup.GroupID
}
if securityGroupId == nil {
createSecurityGroupRequest := &ec2.CreateSecurityGroupInput{}
createSecurityGroupRequest.VPCID = vpc.VPCID
createSecurityGroupRequest.GroupName = &sgName
createSecurityGroupRequest.Description = &sgDescription
createSecurityGroupResponse, err := s.ec2.CreateSecurityGroup(createSecurityGroupRequest)
if err != nil {
glog.Error("error creating security group: ", err)
return nil, err
}
securityGroupId = createSecurityGroupResponse.GroupID
if isNilOrEmpty(securityGroupId) {
return nil, fmt.Errorf("created security group, but id was not returned")
}
}
_, err = s.ensureSecurityGroupIngess(*securityGroupId, "0.0.0.0/0", ports)
if err != nil {
return nil, err
}
createRequest.SecurityGroups = []*string{securityGroupId}
glog.Info("Creating load balancer with name: ", name)
_, err := elbClient.CreateLoadBalancer(createRequest)
if err != nil {
return nil, err
}
loadBalancer, err = s.describeLoadBalancer(region, name)
@ -1599,6 +1758,12 @@ func (s *AWSCloud) CreateTCPLoadBalancer(name, region string, publicIP net.IP, p
}
}
err = s.updateInstanceSecurityGroupsForLoadBalancer(loadBalancer, instances)
if err != nil {
glog.Warning("Error opening ingress rules for the load balancer to the instances: ", err)
return nil, err
}
registerRequest := &elb.RegisterInstancesWithLoadBalancerInput{}
registerRequest.LoadBalancerName = loadBalancer.LoadBalancerName
for _, instance := range instances {
@ -1650,10 +1815,141 @@ func toStatus(lb *elb.LoadBalancerDescription) *api.LoadBalancerStatus {
return status
}
// Returns the first security group for an instance, or nil
// We only create instances with one security group, so we warn if there are multiple or none
func findSecurityGroupForInstance(instance *ec2.Instance) *string {
var securityGroupId *string
for _, securityGroup := range instance.SecurityGroups {
if securityGroup == nil || securityGroup.GroupID == nil {
// Not expected, but avoid panic
glog.Warning("Unexpected empty security group for instance: ", orEmpty(instance.InstanceID))
continue
}
if securityGroupId != nil {
// We create instances with one SG
glog.Warning("Multiple security groups found for instance (%s); will use first group (%s)", orEmpty(instance.InstanceID), *securityGroupId)
continue
} else {
securityGroupId = securityGroup.GroupID
}
}
if securityGroupId == nil {
glog.Warning("No security group found for instance ", orEmpty(instance.InstanceID))
}
return securityGroupId
}
// Open security group ingress rules on the instances so that the load balancer can talk to them
// Will also remove any security groups ingress rules for the load balancer that are _not_ needed for allInstances
func (s *AWSCloud) updateInstanceSecurityGroupsForLoadBalancer(lb *elb.LoadBalancerDescription, allInstances []*ec2.Instance) error {
// Determine the load balancer security group id
loadBalancerSecurityGroupId := ""
for _, securityGroup := range lb.SecurityGroups {
if isNilOrEmpty(securityGroup) {
continue
}
if loadBalancerSecurityGroupId != "" {
// We create LBs with one SG
glog.Warning("Multiple security groups for load balancer: ", orEmpty(lb.LoadBalancerName))
}
loadBalancerSecurityGroupId = *securityGroup
}
if loadBalancerSecurityGroupId == "" {
return fmt.Errorf("Could not determine security group for load balancer: %s", orEmpty(lb.LoadBalancerName))
}
// Get the actual list of groups that allow ingress from the load-balancer
describeRequest := &ec2.DescribeSecurityGroupsInput{}
filters := []*ec2.Filter{}
filters = append(filters, newEc2Filter("ip-permission.group-id", loadBalancerSecurityGroupId))
describeRequest.Filters = s.addFilters(filters)
actualGroups, err := s.ec2.DescribeSecurityGroups(describeRequest)
if err != nil {
return fmt.Errorf("error querying security groups: %v", err)
}
// Open the firewall from the load balancer to the instance
// We don't actually have a trivial way to know in advance which security group the instance is in
// (it is probably the minion security group, but we don't easily have that).
// However, we _do_ have the list of security groups on the instance records.
// Map containing the changes we want to make; true to add, false to remove
instanceSecurityGroupIds := map[string]bool{}
// Scan instances for groups we want open
for _, instance := range allInstances {
securityGroupId := findSecurityGroupForInstance(instance)
if isNilOrEmpty(securityGroupId) {
glog.Warning("ignoring instance without security group: ", orEmpty(instance.InstanceID))
continue
}
instanceSecurityGroupIds[*securityGroupId] = true
}
// Compare to actual groups
for _, actualGroup := range actualGroups {
if isNilOrEmpty(actualGroup.GroupID) {
glog.Warning("ignoring group without ID: ", actualGroup)
continue
}
actualGroupID := *actualGroup.GroupID
adding, found := instanceSecurityGroupIds[actualGroupID]
if found && adding {
// We don't need to make a change; the permission is already in place
delete(instanceSecurityGroupIds, actualGroupID)
} else {
// This group is not needed by allInstances; delete it
instanceSecurityGroupIds[actualGroupID] = false
}
}
for instanceSecurityGroupId, add := range instanceSecurityGroupIds {
if add {
glog.V(2).Infof("Adding rule for traffic from the load balancer (%s) to instances (%s)", loadBalancerSecurityGroupId, instanceSecurityGroupId)
} else {
glog.V(2).Infof("Removing rule for traffic from the load balancer (%s) to instance (%s)", loadBalancerSecurityGroupId, instanceSecurityGroupId)
}
sourceGroupId := &ec2.UserIDGroupPair{}
sourceGroupId.GroupID = &loadBalancerSecurityGroupId
allProtocols := "-1"
permission := &ec2.IPPermission{}
permission.IPProtocol = &allProtocols
permission.UserIDGroupPairs = []*ec2.UserIDGroupPair{sourceGroupId}
permissions := []*ec2.IPPermission{permission}
if add {
changed, err := s.ensureSecurityGroupIngess(instanceSecurityGroupId, permissions)
if err != nil {
return err
}
if !changed {
glog.Warning("allowing ingress was not needed; concurrent change? groupId=", instanceSecurityGroupId)
}
} else {
changed, err := s.removeSecurityGroupIngess(instanceSecurityGroupId, permissions)
if err != nil {
return err
}
if !changed {
glog.Warning("revoking ingress was not needed; concurrent change? groupId=", instanceSecurityGroupId)
}
}
}
return nil
}
// EnsureTCPLoadBalancerDeleted implements TCPLoadBalancer.EnsureTCPLoadBalancerDeleted.
func (s *AWSCloud) EnsureTCPLoadBalancerDeleted(name, region string) error {
// TODO(justinsb): Delete security group
elbClient, err := s.getELBClient(region)
if err != nil {
return err
@ -1669,15 +1965,46 @@ func (s *AWSCloud) EnsureTCPLoadBalancerDeleted(name, region string) error {
return nil
}
request := &elb.DeleteLoadBalancerInput{}
request.LoadBalancerName = lb.LoadBalancerName
_, err = elbClient.DeleteLoadBalancer(request)
if err != nil {
// TODO: Check if error was because load balancer was concurrently deleted
glog.Error("error deleting load balancer: ", err)
return err
{
// De-authorize the load balancer security group from the instances security group
err = s.updateInstanceSecurityGroupsForLoadBalancer(lb, nil)
if err != nil {
glog.Error("error deregistering load balancer from instance security groups: ", err)
return err
}
}
{
// Delete the load balancer itself
request := &elb.DeleteLoadBalancerInput{}
request.LoadBalancerName = lb.LoadBalancerName
_, err = elbClient.DeleteLoadBalancer(request)
if err != nil {
// TODO: Check if error was because load balancer was concurrently deleted
glog.Error("error deleting load balancer: ", err)
return err
}
}
{
// Delete the security group
for _, securityGroupId := range lb.SecurityGroups {
if isNilOrEmpty(securityGroupId) {
glog.Warning("Ignoring empty security group in ", name)
continue
}
request := &ec2.DeleteSecurityGroupInput{}
request.GroupID = securityGroupId
_, err := s.ec2.DeleteSecurityGroup(request)
if err != nil {
glog.Errorf("error deleting security group (%s): %v", orEmpty(securityGroupId), err)
return err
}
}
}
return nil
}
@ -1749,6 +2076,11 @@ func (s *AWSCloud) UpdateTCPLoadBalancer(name, region string, hosts []string) er
}
}
err = s.updateInstanceSecurityGroupsForLoadBalancer(lb, instances)
if err != nil {
return err
}
return nil
}

12
pkg/cloudprovider/aws/aws_test.go
View File

@ -336,10 +336,18 @@ func (ec2 *FakeEC2) CreateSecurityGroup(*ec2.CreateSecurityGroupInput) (*ec2.Cre
panic("Not implemented")
}
func (ec2 *FakeEC2) DeleteSecurityGroup(*ec2.DeleteSecurityGroupInput) (*ec2.DeleteSecurityGroupOutput, error) {
panic("Not implemented")
}
func (ec2 *FakeEC2) AuthorizeSecurityGroupIngress(*ec2.AuthorizeSecurityGroupIngressInput) (*ec2.AuthorizeSecurityGroupIngressOutput, error) {
panic("Not implemented")
}
func (ec2 *FakeEC2) RevokeSecurityGroupIngress(*ec2.RevokeSecurityGroupIngressInput) (*ec2.RevokeSecurityGroupIngressOutput, error) {
panic("Not implemented")
}
func (ec2 *FakeEC2) DescribeVPCs(*ec2.DescribeVPCsInput) ([]*ec2.VPC, error) {
panic("Not implemented")
}
@ -348,6 +356,10 @@ func (ec2 *FakeEC2) DescribeSubnets(*ec2.DescribeSubnetsInput) ([]*ec2.Subnet, e
panic("Not implemented")
}
func (ec2 *FakeEC2) CreateTags(*ec2.CreateTagsInput) (*ec2.CreateTagsOutput, error) {
panic("Not implemented")
}
type FakeELB struct {
aws *FakeAWSServices
}