Fix load-balancer firewall messages

2025-07-23 19:56:01 +00:00 · 2015-07-14 11:47:36 -07:00 · 2015-07-14 11:47:36 -07:00 · fe89298c09
commit fe89298c09
parent 43de287427
5 changed files with 33 additions and 40 deletions
--- a/docs/services-firewalls.md
+++ b/docs/services-firewalls.md
@ -29,6 +29,10 @@ well as any provider specific details that may be necessary.


 ### Google Compute Engine
+When using a Service with `spec.type: LoadBalancer`, the firewall will be
+opened automatically.  When using `spec.type: NodePort`, however, the firewall
+is *not* opened by default.
+
 Google Compute Engine firewalls are documented [elsewhere](https://cloud.google.com/compute/docs/networking#firewalls_1).

 You can add a firewall with the ```gcloud``` command line tool:
@ -40,18 +44,27 @@ gcloud compute firewall-rules create my-rule --allow=tcp:<port>
 **Note**
 There is one important security note when using firewalls on Google Compute Engine:

-Firewalls are defined per-vm, rather than per-ip address.  This means that if you open a firewall for that service's ports,
-anything that serves on that port on that VM's host IP address may potentially serve traffic.
-
-Note that this is not a problem for other Kubernetes services, as they listen on IP addresses that are different than the
-host node's external IP address.
+as of kubernmetes v1.0.0, GCE firewalls are defined per-vm, rather than per-ip
+address.  This means that when you open a firewall for a service's ports,
+anything that serves on that port on that VM's host IP address may potentially
+serve traffic.  Note that this is not a problem for other Kubernetes services,
+as they listen on IP addresses that are different than the host node's external
+IP address.

 Consider:
-   * You create a Service with an external load balancer (IP Address 1.2.3.4) and port 80
-   * You open the firewall for port 80 for all nodes in your cluster, so that the external Service actually can deliver packets to your Service
-   * You start an nginx server, running on port 80 on the host virtual machine (IP Address 2.3.4.5).  This nginx is **also** exposed to the internet on the VM's external IP address.
+   * You create a Service with an external load balancer (IP Address 1.2.3.4)
+     and port 80
+   * You open the firewall for port 80 for all nodes in your cluster, so that
+     the external Service actually can deliver packets to your Service
+   * You start an nginx server, running on port 80 on the host virtual machine
+     (IP Address 2.3.4.5).  This nginx is **also** exposed to the internet on
+     the VM's external IP address.

-Consequently, please be careful when opening firewalls in Google Compute Engine or Google Container Engine.  You may accidentally be exposing other services to the wilds of the internet.
+Consequently, please be careful when opening firewalls in Google Compute Engine
+or Google Container Engine.  You may accidentally be exposing other services to
+the wilds of the internet.
+
+This will be fixed in an upcoming release of Kubernetes.

 ### Other cloud providers
 Coming soon.
--- a/docs/user-guide/connecting-applications.md
+++ b/docs/user-guide/connecting-applications.md
@ -226,12 +226,11 @@ spec:
  selector:
    app: nginx
 ```
-You should see a similar message informing you about firewall rules on port 80:
+
 ```shell
 $ kubectl delete svc nginxsvc
 $ kubectl create -f nginxsvc.yaml
-An external load-balanced service was created.  On many platforms (e.g. Google Compute Engine),
-you will also need to explicitly open a Firewall rule for the service port(s) (tcp:80) to serve traffic.
+services/nginxsvc

 $ kubectl get service nginxsvc -o json | grep \"ip\"
 "ip": "104.197.37.222"
--- a/examples/guestbook-go/README.md
+++ b/examples/guestbook-go/README.md
@ -201,9 +201,6 @@ Just like the others, we create a service to group the guestbook pods but this t
 1. Use the [guestbook-service.json](guestbook-service.json) file to create the guestbook service by running the `kubectl create -f` *`filename`* command:
    ```shell
    $ kubectl create -f examples/guestbook-go/guestbook-service.json
-		  An external load-balanced service was created.  On many platforms (e.g. Google Compute Engine),
-          you will also need to explicitly open a Firewall rule for the service port(s) (tcp:3000) to serve traffic.
-          See https://github.com/GoogleCloudPlatform/kubernetes/tree/master/docs/services-firewall.md for more details.
    ```


@ -231,14 +228,6 @@ You can now play with the guestbook that you just created by opening it in a bro

    2. Append port `3000` to the IP address (for example `http://146.148.81.8:3000`), and then navigate to that address in your browser.

-    **Remember:** You might need to open the firewall for port `3000`. 
-    If you're using Google Compute Engine, you can use the [Developers Console][cloud-console] or the `gcloud` CLI to open port `3000`. 
-
-    To use the `gcloud` CLI, you can run the following command to allow traffic from any source to instances tagged `kubernetes-minion`:
-    ```shell
-    $ gcloud compute firewall-rules create --allow=tcp:3000 --target-tags=kubernetes-minion kubernetes-minion-3000
-    ```
-
    Result: The guestbook displays in your browser:

    ![Guestbook](guestbook-page.png)
--- a/pkg/kubectl/cmd/create.go
+++ b/pkg/kubectl/cmd/create.go
@ -121,23 +121,15 @@ func RunCreate(f *cmdutil.Factory, out io.Writer, filenames util.StringList) err
 func printObjectSpecificMessage(obj runtime.Object, out io.Writer) {
 	switch obj := obj.(type) {
 	case *api.Service:
-		if obj.Spec.Type == api.ServiceTypeLoadBalancer {
-			msg := fmt.Sprintf(`
-			An external load-balanced service was created.  On many platforms (e.g. Google Compute Engine),
-			you will also need to explicitly open a Firewall rule for the service port(s) (%s) to serve traffic.
-
-			See https://github.com/GoogleCloudPlatform/kubernetes/tree/master/docs/services-firewalls.md for more details.
-			`, makePortsString(obj.Spec.Ports, false))
-			out.Write([]byte(msg))
-		}
 		if obj.Spec.Type == api.ServiceTypeNodePort {
-			msg := fmt.Sprintf(`
-				You have exposed your service on an external port on all nodes in your cluster.
-				If you want to expose this service to the external internet, you may need to set up
-				firewall rules for the service port(s) (%s) to serve traffic.
-				
-				See https://github.com/GoogleCloudPlatform/kubernetes/tree/master/docs/services-firewalls.md for more details.
-				`, makePortsString(obj.Spec.Ports, true))
+			msg := fmt.Sprintf(
+				`You have exposed your service on an external port on all nodes in your
+cluster.  If you want to expose this service to the external internet, you may
+need to set up firewall rules for the service port(s) (%s) to serve traffic.
+
+See http://releases.k8s.io/HEAD/docs/services-firewalls.md for more details.
+`,
+				makePortsString(obj.Spec.Ports, true))
 			out.Write([]byte(msg))
 		}
 	}
--- a/pkg/kubectl/cmd/create_test.go
+++ b/pkg/kubectl/cmd/create_test.go
@ -147,7 +147,7 @@ func TestPrintObjectSpecificMessage(t *testing.T) {
 		},
 		{
 			obj:          &api.Service{Spec: api.ServiceSpec{Type: api.ServiceTypeLoadBalancer}},
-			expectOutput: true,
+			expectOutput: false,
 		},
 		{
 			obj:          &api.Service{Spec: api.ServiceSpec{Type: api.ServiceTypeNodePort}},