From aa8b2c122f3eab3d5aada4360e3c9b54e623390f Mon Sep 17 00:00:00 2001
From: Anish Ramasekar
Date: Fri, 5 Jun 2020 09:15:47 -0700
Subject: [PATCH] set dest prefix and port for IPv6 sg rule
---
 .../azure/azure_loadbalancer.go | 11 ++++++-
 .../azure/azure_loadbalancer_test.go | 30 +++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/staging/src/k8s.io/legacy-cloud-providers/azure/azure_loadbalancer.go b/staging/src/k8s.io/legacy-cloud-providers/azure/azure_loadbalancer.go
index 6dc92fa0bfb..a1baf25cff7 100644
--- a/staging/src/k8s.io/legacy-cloud-providers/azure/azure_loadbalancer.go
+++ b/staging/src/k8s.io/legacy-cloud-providers/azure/azure_loadbalancer.go
@@ -1158,6 +1158,8 @@ func (az *Cloud) reconcileSecurityGroup(clusterName string, service *v1.Service,
 }
 expectedSecurityRules := []network.SecurityRule{}
+ ipv6 := utilnet.IsIPv6String(service.Spec.ClusterIP)
+
 if wantLb {
 expectedSecurityRules = make([]network.SecurityRule, len(ports)*len(sourceAddressPrefixes))
@@ -1169,7 +1171,7 @@ func (az *Cloud) reconcileSecurityGroup(clusterName string, service *v1.Service,
 for j := range sourceAddressPrefixes {
 ix := i*len(sourceAddressPrefixes) + j
 securityRuleName := az.getSecurityRuleName(service, port, sourceAddressPrefixes[j])
- expectedSecurityRules[ix] = network.SecurityRule{
+ securityRule := network.SecurityRule{
 Name: to.StringPtr(securityRuleName),
 SecurityRulePropertiesFormat: &network.SecurityRulePropertiesFormat{
 Protocol: *securityProto,
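Review bot: The added `ipv6 := utilnet.IsIPv6String(service.Spec.ClusterIP)` keys the IPv6 rule shape on the service's ClusterIP, but the security rule being built is for the load balancer frontend, and in a dual-stack cluster the ClusterIP family need not match the frontend's; the test hunk selects its case through `lbIP: to.StringPtr("fd00::eef0")`, which suggests the frontend address is the better signal. If the function's lbIP parameter is what that test field feeds, `ipv6 := lbIP != nil && utilnet.IsIPv6String(*lbIP)` would tie the decision to the address the rule actually fronts. An empty ClusterIP makes `IsIPv6String` return false, so such a service silently gets the IPv4 rule shape; a short comment on the added line stating which address family the flag is meant to track would help the next reader. reconcileSecurityGroup starts before and ends after this hunk.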
@@ -1181,6 +1183,13 @@ func (az *Cloud) reconcileSecurityGroup(clusterName string, service *v1.Service,
 Direction: network.SecurityRuleDirectionInbound,
 },
 }
+ // For IPv6, the destination port needs to be node port and Destination Any as floating IPs
+ // not supported for IPv6
+ if ipv6 {
+ securityRule.SecurityRulePropertiesFormat.DestinationPortRange = to.StringPtr(strconv.Itoa(int(port.NodePort)))
+ securityRule.SecurityRulePropertiesFormat.DestinationAddressPrefix = to.StringPtr("*")
+ }
+ expectedSecurityRules[ix] = securityRule
 }
 }
 }
diff --git a/staging/src/k8s.io/legacy-cloud-providers/azure/azure_loadbalancer_test.go b/staging/src/k8s.io/legacy-cloud-providers/azure/azure_loadbalancer_test.go
index f4a82b82131..73cf7d6a129 100644
--- a/staging/src/k8s.io/legacy-cloud-providers/azure/azure_loadbalancer_test.go
+++ b/staging/src/k8s.io/legacy-cloud-providers/azure/azure_loadbalancer_test.go
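Review bot: Setting `DestinationAddressPrefix` to `"*"` inside the `if ipv6` branch widens the inbound allow rule from the load balancer frontend IP to every address within the NSG's scope, so each source prefix (the test expects `Internet`) may reach the NodePort directly on every node NIC rather than only through the frontend; the comment should state that consequence instead of only citing floating IPs, e.g. `// IPv6 has no floating-IP support, so the rule targets the NodePort on the nodes themselves; destination "*" intentionally widens the rule's destination scope beyond the LB frontend IP.` `strconv.Itoa(int(port.NodePort))` emits "0" when no NodePort was allocated, which would yield a rule with destination port range `0`; whether an unallocated NodePort can reach this loop is not visible here, so a guard that skips or errors on `port.NodePort == 0` is worth considering. The enclosing loop and reconcileSecurityGroup continue outside this hunk.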
@@ -1861,6 +1861,36 @@ func TestReconcileSecurityGroup(t *testing.T) {
 },
 },
 },
+ {
+ desc: "reconcileSecurityGroup shall create sgs with correct destinationPrefix for IPv6",
+ service: getTestService("test1", v1.ProtocolTCP, nil, true, 80),
+ existingSgs: map[string]network.SecurityGroup{"nsg": {
+ Name: to.StringPtr("nsg"),
+ SecurityGroupPropertiesFormat: &network.SecurityGroupPropertiesFormat{},
+ }},
+ lbIP: to.StringPtr("fd00::eef0"),
+ wantLb: true,
+ expectedSg: &network.SecurityGroup{
+ Name: to.StringPtr("nsg"),
+ SecurityGroupPropertiesFormat: &network.SecurityGroupPropertiesFormat{
+ SecurityRules: &[]network.SecurityRule{
+ {
+ Name: to.StringPtr("atest1-TCP-80-Internet"),
+ SecurityRulePropertiesFormat: &network.SecurityRulePropertiesFormat{
+ Protocol: network.SecurityRuleProtocol("Tcp"),
+ SourcePortRange: to.StringPtr("*"),
+ DestinationPortRange: to.StringPtr("10080"),
+ SourceAddressPrefix: to.StringPtr("Internet"),
+ DestinationAddressPrefix: to.StringPtr("*"),
+ Access: network.SecurityRuleAccess("Allow"),
+ Priority: to.Int32Ptr(500),
+ Direction: network.SecurityRuleDirection("Inbound"),
+ },
+ },
+ },
+ },
+ },
+ },
 }
 for i, test := range testCases {