diff --git a/hack/verify-flags/known-flags.txt b/hack/verify-flags/known-flags.txt
index 959513bc699..93f6781b97c 100644
--- a/hack/verify-flags/known-flags.txt
+++ b/hack/verify-flags/known-flags.txt
@@ -98,6 +98,7 @@ clientset-only
 clientset-path
 cloud-config
 cloud-provider
+cloud-provider-gce-lb-src-cidrs
 cluster-cidr
 cluster-context
 cluster-dns
diff --git a/pkg/cloudprovider/providers/gce/gce_loadbalancer.go b/pkg/cloudprovider/providers/gce/gce_loadbalancer.go
index 56c8ae4a8fc..088316446d1 100644
--- a/pkg/cloudprovider/providers/gce/gce_loadbalancer.go
+++ b/pkg/cloudprovider/providers/gce/gce_loadbalancer.go
@@ -17,7 +17,9 @@ limitations under the License.
 package gce
 
 import (
+	"flag"
 	"fmt"
+	"net"
 	"net/http"
 	"sort"
 	"strconv"
@@ -35,6 +37,55 @@ import (
 	compute "google.golang.org/api/compute/v1"
 )
 
+type cidrs struct {
+	ipn   netsets.IPNet
+	isSet bool
+}
+
+var lbSrcRngsFlag cidrs
+
+func init() {
+	var err error
+	lbSrcRngsFlag.ipn, err = netsets.ParseIPNets([]string{"130.211.0.0/22", "35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22", "35.191.0.0/16"}...)
+	if err != nil {
+		panic("Incorrect default GCE L7 source ranges")
+	}
+
+	flag.Var(&lbSrcRngsFlag, "cloud-provider-gce-lb-src-cidrs", "CIDRS opened in GCE firewall for LB traffic proxy & health checks")
+}
+
+// String is the method to format the flag's value, part of the flag.Value interface.
+func (c *cidrs) String() string {
+	return strings.Join(c.ipn.StringSlice(), ",")
+}
+
+// Set supports a value of CSV or the flag repeated multiple times
+func (c *cidrs) Set(value string) error {
+	// On first Set(), clear the original defaults
+	if !c.isSet {
+		c.isSet = true
+		c.ipn = make(netsets.IPNet)
+	} else {
+		return fmt.Errorf("GCE LB CIDRS have already been set")
+	}
+
+	for _, cidr := range strings.Split(value, ",") {
+		_, ipnet, err := net.ParseCIDR(cidr)
+		if err != nil {
+			return err
+		}
+
+		c.ipn.Insert(ipnet)
+	}
+	return nil
+}
+
+// LoadBalancerSrcRanges contains the ranges of ips used by the GCE load balancers (l4 & L7)
+// for proxying client requests and performing health checks.
+func LoadBalancerSrcRanges() []string {
+	return lbSrcRngsFlag.ipn.StringSlice()
+}
+
 // GetLoadBalancer is an implementation of LoadBalancer.GetLoadBalancer
 func (gce *GCECloud) GetLoadBalancer(clusterName string, service *v1.Service) (*v1.LoadBalancerStatus, bool, error) {
 	loadBalancerName := cloudprovider.GetLoadBalancerName(service)
diff --git a/test/e2e/framework/ingress_utils.go b/test/e2e/framework/ingress_utils.go
index 06c4bf40c0c..c801329fbd4 100644
--- a/test/e2e/framework/ingress_utils.go
+++ b/test/e2e/framework/ingress_utils.go
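Review bot: The comment on `Set` says the flag may be "repeated multiple times", but the `else` branch returns "GCE LB CIDRS have already been set" on the second call, so the documentation and the code disagree; one of them should change, and since a later `Set` cannot safely merge with a cleared default set, the comment is the one to fix. A second problem in the same method: `c.ipn` is replaced with an empty set and `isSet` flipped before any CIDR is parsed, so an invalid entry in the middle of the list leaves the firewall source set half-populated with the defaults already discarded, and any retry is refused. Parsing into a scratch set and committing only on success keeps the default ranges intact on error (the `TrimSpace` is optional; without it `"a, b"` is rejected by `net.ParseCIDR`). Separately, the default list in `init` contains `"35.191.0.0/16"` twice, which is harmless for a set but looks like a copy-paste slip worth removing, and registering on the global `flag.CommandLine` from a library package's `init` is a side effect callers cannot opt out of.
```go
// Set replaces the default ranges with a comma-separated list of CIDRs.
// The flag may be given only once; a later Set returns an error.
func (c *cidrs) Set(value string) error {
	if c.isSet {
		return fmt.Errorf("GCE LB CIDRS have already been set")
	}

	// Parse into a scratch set so a bad entry leaves the defaults untouched.
	parsed := make(netsets.IPNet)
	for _, cidr := range strings.Split(value, ",") {
		_, ipnet, err := net.ParseCIDR(strings.TrimSpace(cidr))
		if err != nil {
			return err
		}
		parsed.Insert(ipnet)
	}

	c.ipn = parsed
	c.isSet = true
	return nil
}
```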
@@ -78,9 +78,6 @@ const (
 	// Name of the default http backend service
 	defaultBackendName = "default-http-backend"
 
-	// GCEL7SrcRange is the IP src range from which the GCE L7 performs health checks.
-	GCEL7SrcRange = "130.211.0.0/22"
-
 	// Cloud resources created by the ingress controller older than this
 	// are automatically purged to prevent running out of quota.
 	// TODO(37335): write soak tests and bump this up to a week.
@@ -982,7 +979,7 @@ func (j *IngressTestJig) ConstructFirewallForIngress(gceController *GCEIngressCo
 	fw := compute.Firewall{}
 	fw.Name = gceController.GetFirewallRuleName()
-	fw.SourceRanges = []string{GCEL7SrcRange}
+	fw.SourceRanges = gcecloud.LoadBalancerSrcRanges()
 	fw.TargetTags = nodeTags.Items
 	fw.Allowed = []*compute.FirewallAllowed{
 		{