github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-22 03:11:40 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #92599 from nilo19/bug/delete-default-lb-source-range

Browse Source 
Delete default load balancer source range (0.0.0.0/0) to prevent redundant network security rules.
This commit is contained in:
Kubernetes Prow Robot 2020-06-30 00:03:55 -07:00 committed by GitHub
commit 9fb34edded
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 51 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
staging/src/k8s.io/legacy-cloud-providers/azure/azure_loadbalancer.go
View File

@ -102,6 +102,8 @@ const (
serviceTagKey = "service" serviceTagKey = "service"
// clusterNameKey is the cluster name key applied for public IP tags. // clusterNameKey is the cluster name key applied for public IP tags.
clusterNameKey = "kubernetes-cluster-name" clusterNameKey = "kubernetes-cluster-name"
defaultLoadBalancerSourceRanges = "0.0.0.0/0"
) )
// GetLoadBalancer returns whether the specified load balancer and its components exist, and // GetLoadBalancer returns whether the specified load balancer and its components exist, and
@ -1130,6 +1132,7 @@ func (az *Cloud) reconcileSecurityGroup(clusterName string, service *v1.Service,
if lbIP != nil { if lbIP != nil {
destinationIPAddress = *lbIP destinationIPAddress = *lbIP
} }
if destinationIPAddress == "" { if destinationIPAddress == "" {
destinationIPAddress = "*" destinationIPAddress = "*"
} }
@ -1139,6 +1142,12 @@ func (az *Cloud) reconcileSecurityGroup(clusterName string, service *v1.Service,
return nil, err return nil, err
} }
serviceTags := getServiceTags(service) serviceTags := getServiceTags(service)
if len(serviceTags) != 0 {
if _, ok := sourceRanges[defaultLoadBalancerSourceRanges]; ok {
delete(sourceRanges, defaultLoadBalancerSourceRanges)
}
}
var sourceAddressPrefixes []string var sourceAddressPrefixes []string
if (sourceRanges == nil || servicehelpers.IsAllowAll(sourceRanges)) && len(serviceTags) == 0 { if (sourceRanges == nil || servicehelpers.IsAllowAll(sourceRanges)) && len(serviceTags) == 0 {
if !requiresInternalLoadBalancer(service) { if !requiresInternalLoadBalancer(service) {

42
staging/src/k8s.io/legacy-cloud-providers/azure/azure_loadbalancer_test.go
View File

@ -1891,6 +1891,48 @@ func TestReconcileSecurityGroup(t *testing.T) {
}, },
}, },
}, },
{
desc: "reconcileSecurityGroup shall not create unwanted security rules if there is service tags",
service: getTestService("test1", v1.ProtocolTCP, map[string]string{ServiceAnnotationAllowedServiceTag: "tag"}, true, 80),
wantLb: true,
lbIP: to.StringPtr("1.1.1.1"),
existingSgs: map[string]network.SecurityGroup{"nsg": {
Name: to.StringPtr("nsg"),
SecurityGroupPropertiesFormat: &network.SecurityGroupPropertiesFormat{
SecurityRules: &[]network.SecurityRule{
{
Name: to.StringPtr("atest1-toBeDeleted"),
SecurityRulePropertiesFormat: &network.SecurityRulePropertiesFormat{
SourceAddressPrefix: to.StringPtr("prefix"),
SourcePortRange: to.StringPtr("range"),
DestinationAddressPrefix: to.StringPtr("desPrefix"),
DestinationPortRange: to.StringPtr("desRange"),
},
},
},
},
}},
expectedSg: &network.SecurityGroup{
Name: to.StringPtr("nsg"),
SecurityGroupPropertiesFormat: &network.SecurityGroupPropertiesFormat{
SecurityRules: &[]network.SecurityRule{
{
Name: to.StringPtr("atest1-TCP-80-tag"),
SecurityRulePropertiesFormat: &network.SecurityRulePropertiesFormat{
Protocol: network.SecurityRuleProtocol("Tcp"),
SourcePortRange: to.StringPtr("*"),
DestinationPortRange: to.StringPtr("80"),
SourceAddressPrefix: to.StringPtr("tag"),
DestinationAddressPrefix: to.StringPtr("1.1.1.1"),
Access: network.SecurityRuleAccess("Allow"),
Priority: to.Int32Ptr(500),
Direction: network.SecurityRuleDirection("Inbound"),
},
},
},
},
},
},
} }
for i, test := range testCases { for i, test := range testCases {