Merge pull request #42395 from nicksardo/gce-src-ranges

Automatic merge from submit-queue Adding load balancer src cidrs to GCE cloudprovider **What this PR does / why we need it**: As of January 31st, 2018, GCP will be sending health checks and l7 traffic from two CIDRs and legacy health checks from three CIDS. This PR moves them into the cloudprovider package and provides a flag for override. Another PR will need to be address firewall rule creation for external L4 network loadbalancing #40778 **Which issue this PR fixes** Step one of #40778 Step one of https://github.com/kubernetes/ingress/issues/197 **Release note**: ```release-note Add flags to GCE cloud provider to override known L4/L7 proxy & health check source cidrs ```
2025-07-23 03:41:45 +00:00 · 2017-04-12 19:57:43 -07:00 · 2017-04-12 19:57:43 -07:00 · f1c0c0a73c
commit f1c0c0a73c
parent 32600927d9 baab99b823
3 changed files with 53 additions and 4 deletions
--- a/hack/verify-flags/known-flags.txt
+++ b/hack/verify-flags/known-flags.txt
@ -98,6 +98,7 @@ clientset-only
 clientset-path
 cloud-config
 cloud-provider
+cloud-provider-gce-lb-src-cidrs
 cluster-cidr
 cluster-context
 cluster-dns
--- a/pkg/cloudprovider/providers/gce/gce_loadbalancer.go
+++ b/pkg/cloudprovider/providers/gce/gce_loadbalancer.go
@ -17,7 +17,9 @@ limitations under the License.
 package gce

 import (
+	"flag"
 	"fmt"
+	"net"
 	"net/http"
 	"sort"
 	"strconv"
@ -35,6 +37,55 @@ import (
 	compute "google.golang.org/api/compute/v1"
 )

+type cidrs struct {
+	ipn   netsets.IPNet
+	isSet bool
+}
+
+var lbSrcRngsFlag cidrs
+
+func init() {
+	var err error
+	lbSrcRngsFlag.ipn, err = netsets.ParseIPNets([]string{"130.211.0.0/22", "35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22", "35.191.0.0/16"}...)
+	if err != nil {
+		panic("Incorrect default GCE L7 source ranges")
+	}
+
+	flag.Var(&lbSrcRngsFlag, "cloud-provider-gce-lb-src-cidrs", "CIDRS opened in GCE firewall for LB traffic proxy & health checks")
+}
+
+// String is the method to format the flag's value, part of the flag.Value interface.
+func (c *cidrs) String() string {
+	return strings.Join(c.ipn.StringSlice(), ",")
+}
+
+// Set supports a value of CSV or the flag repeated multiple times
+func (c *cidrs) Set(value string) error {
+	// On first Set(), clear the original defaults
+	if !c.isSet {
+		c.isSet = true
+		c.ipn = make(netsets.IPNet)
+	} else {
+		return fmt.Errorf("GCE LB CIDRS have already been set")
+	}
+
+	for _, cidr := range strings.Split(value, ",") {
+		_, ipnet, err := net.ParseCIDR(cidr)
+		if err != nil {
+			return err
+		}
+
+		c.ipn.Insert(ipnet)
+	}
+	return nil
+}
+
+// LoadBalancerSrcRanges contains the ranges of ips used by the GCE load balancers (l4 & L7)
+// for proxying client requests and performing health checks.
+func LoadBalancerSrcRanges() []string {
+	return lbSrcRngsFlag.ipn.StringSlice()
+}
+
 // GetLoadBalancer is an implementation of LoadBalancer.GetLoadBalancer
 func (gce *GCECloud) GetLoadBalancer(clusterName string, service *v1.Service) (*v1.LoadBalancerStatus, bool, error) {
 	loadBalancerName := cloudprovider.GetLoadBalancerName(service)
--- a/test/e2e/framework/ingress_utils.go
+++ b/test/e2e/framework/ingress_utils.go
@ -78,9 +78,6 @@ const (
 	// Name of the default http backend service
 	defaultBackendName = "default-http-backend"

-	// GCEL7SrcRange is the IP src range from which the GCE L7 performs health checks.
-	GCEL7SrcRange = "130.211.0.0/22"
-
 	// Cloud resources created by the ingress controller older than this
 	// are automatically purged to prevent running out of quota.
 	// TODO(37335): write soak tests and bump this up to a week.
@ -982,7 +979,7 @@ func (j *IngressTestJig) ConstructFirewallForIngress(gceController *GCEIngressCo

 	fw := compute.Firewall{}
 	fw.Name = gceController.GetFirewallRuleName()
-	fw.SourceRanges = []string{GCEL7SrcRange}
+	fw.SourceRanges = gcecloud.LoadBalancerSrcRanges()
 	fw.TargetTags = nodeTags.Items
 	fw.Allowed = []*compute.FirewallAllowed{
 		{