diff --git a/test/e2e/framework/firewall_util.go b/test/e2e/framework/firewall_util.go index e6e4e1651c8..3eb25cb0ebe 100644 --- a/test/e2e/framework/firewall_util.go +++ b/test/e2e/framework/firewall_util.go @@ -124,6 +124,16 @@ func SetInstanceTags(cloudConfig CloudConfig, instanceName, zone string, tags [] return resTags.Items } +// GetNodeTags gets k8s node tag from one of the nodes +func GetNodeTags(c clientset.Interface, cloudConfig CloudConfig) []string { + nodes := GetReadySchedulableNodesOrDie(c) + if len(nodes.Items) == 0 { + Logf("GetNodeTags: Found 0 node.") + return []string{} + } + return GetInstanceTags(cloudConfig, nodes.Items[0].Name).Items +} + // GetInstancePrefix returns the INSTANCE_PREFIX env we set for e2e cluster. // From cluster/gce/config-test.sh, master name is set up using below format: // MASTER_NAME="${INSTANCE_PREFIX}-master" diff --git a/test/e2e/framework/ingress_utils.go b/test/e2e/framework/ingress_utils.go index 64ab85b2cf8..f0d22636ff5 100644 --- a/test/e2e/framework/ingress_utils.go +++ b/test/e2e/framework/ingress_utils.go @@ -976,13 +976,13 @@ func (j *IngressTestJig) GetIngressNodePorts() []string { } // ConstructFirewallForIngress returns the expected GCE firewall rule for the ingress resource -func (j *IngressTestJig) ConstructFirewallForIngress(gceController *GCEIngressController, nodeTag string) *compute.Firewall { +func (j *IngressTestJig) ConstructFirewallForIngress(gceController *GCEIngressController, nodeTags []string) *compute.Firewall { nodePorts := j.GetIngressNodePorts() fw := compute.Firewall{} fw.Name = gceController.GetFirewallRuleName() fw.SourceRanges = gcecloud.LoadBalancerSrcRanges() - fw.TargetTags = []string{nodeTag} + fw.TargetTags = nodeTags fw.Allowed = []*compute.FirewallAllowed{ { IPProtocol: "tcp", diff --git a/test/e2e/ingress.go b/test/e2e/ingress.go index 70199d04741..0b21bc030e2 100644 --- a/test/e2e/ingress.go +++ b/test/e2e/ingress.go @@ -124,7 +124,12 @@ var _ = framework.KubeDescribe("Loadbalancing: L7", func() { By("should have correct firewall rule for ingress") fw := gceController.GetFirewallRule() - expFw := jig.ConstructFirewallForIngress(gceController, cloudConfig.NodeTag) + nodeTags := []string{cloudConfig.NodeTag} + if framework.TestContext.Provider != "gce" { + // nodeTags would be different in GKE. + nodeTags = framework.GetNodeTags(jig.Client, cloudConfig) + } + expFw := jig.ConstructFirewallForIngress(gceController, nodeTags) // Passed the last argument as `true` to verify the backend ports is a subset // of the allowed ports in firewall rule, given there may be other existing // ingress resources and backends we are not aware of.