github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-09-14 05:36:12 +00:00
Code Issues Projects Releases Wiki Activity

Automatically open a firewall when creating a GCE load balancer.

Browse Source
This commit is contained in:
Brendan Burns
2015-07-08 22:02:10 -07:00
parent 869df32d00
commit a8f02e5472
6 changed files with 102 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
pkg/api/validation/validation.go
View File

@@ -1039,6 +1039,14 @@ func ValidateService(service *api.Service) errs.ValidationErrorList {
if len(service.Spec.Ports) == 0 {
allErrs = append(allErrs, errs.NewFieldRequired("spec.ports"))
}
if service.Spec.Type == api.ServiceTypeLoadBalancer {
for ix := range service.Spec.Ports {
port := &service.Spec.Ports[ix]
if port.Port == 10250 {
allErrs = append(allErrs, errs.NewFieldInvalid(fmt.Sprintf("spec.ports[%d].port", ix), port.Port, "can not expose port 10250 externally since it is used by kubelet"))
}
}
}
allPortNames := util.StringSet{}
for i := range service.Spec.Ports {
allErrs = append(allErrs, validateServicePort(&service.Spec.Ports[i], len(service.Spec.Ports) > 1, &allPortNames).PrefixIndex(i).Prefix("spec.ports")...)

10
pkg/api/validation/validation_test.go
View File

@@ -1833,6 +1833,16 @@ func TestValidateService(t *testing.T) {
},
numErrs: 0,
},
{
// For now we open firewalls, and its insecure if we open 10250, remove this
// when we have better protections in place.
name: "invalid port type=LoadBalancer",
tweakSvc: func(s *api.Service) {
s.Spec.Type = api.ServiceTypeLoadBalancer
s.Spec.Ports = append(s.Spec.Ports, api.ServicePort{Name: "kubelet", Port: 10250, Protocol: "TCP", TargetPort: util.NewIntOrStringFromInt(12345)})
},
numErrs: 1,
},
}
for _, tc := range testCases {