diff --git a/docs/services-firewalls.md b/docs/services-firewalls.md
index a31f5dff213..e1e2b5aee29 100644
--- a/docs/services-firewalls.md
+++ b/docs/services-firewalls.md
@@ -29,6 +29,10 @@ well as any provider specific details that may be necessary.
 ### Google Compute Engine
+When using a Service with `spec.type: LoadBalancer`, the firewall will be
+opened automatically. When using `spec.type: NodePort`, however, the firewall
+is *not* opened by default.
+
 Google Compute Engine firewalls are documented [elsewhere](https://cloud.google.com/compute/docs/networking#firewalls_1). You can add a firewall with the ```gcloud``` command line tool:
@@ -40,18 +44,27 @@ gcloud compute firewall-rules create my-rule --allow=tcp:
 **Note** There is one important security note when using firewalls on Google Compute Engine:
-Firewalls are defined per-vm, rather than per-ip address. This means that if you open a firewall for that service's ports,
-anything that serves on that port on that VM's host IP address may potentially serve traffic.
-
-Note that this is not a problem for other Kubernetes services, as they listen on IP addresses that are different than the
-host node's external IP address.
+as of kubernmetes v1.0.0, GCE firewalls are defined per-vm, rather than per-ip
+address. This means that when you open a firewall for a service's ports,
+anything that serves on that port on that VM's host IP address may potentially
+serve traffic. Note that this is not a problem for other Kubernetes services,
+as they listen on IP addresses that are different than the host node's external
+IP address.
 Consider:
- * You create a Service with an external load balancer (IP Address 1.2.3.4) and port 80
- * You open the firewall for port 80 for all nodes in your cluster, so that the external Service actually can deliver packets to your Service
- * You start an nginx server, running on port 80 on the host virtual machine (IP Address 2.3.4.5). This nginx is **also** exposed to the internet on the VM's external IP address.
+ * You create a Service with an external load balancer (IP Address 1.2.3.4)
+ and port 80
+ * You open the firewall for port 80 for all nodes in your cluster, so that
+ the external Service actually can deliver packets to your Service
+ * You start an nginx server, running on port 80 on the host virtual machine
+ (IP Address 2.3.4.5). This nginx is **also** exposed to the internet on
+ the VM's external IP address.
-Consequently, please be careful when opening firewalls in Google Compute Engine or Google Container Engine. You may accidentally be exposing other services to the wilds of the internet.
+Consequently, please be careful when opening firewalls in Google Compute Engine
+or Google Container Engine. You may accidentally be exposing other services to
+the wilds of the internet.
+
+This will be fixed in an upcoming release of Kubernetes.
 ### Other cloud providers
 Coming soon.
diff --git a/docs/user-guide/connecting-applications.md b/docs/user-guide/connecting-applications.md
index 3e1d956f7cb..e81682e1178 100644
--- a/docs/user-guide/connecting-applications.md
+++ b/docs/user-guide/connecting-applications.md
@@ -226,12 +226,11 @@ spec:
 selector:
 app: nginx
 ```
-You should see a similar message informing you about firewall rules on port 80:
+
 ```shell
 $ kubectl delete svc nginxsvc
 $ kubectl create -f nginxsvc.yaml
-An external load-balanced service was created. On many platforms (e.g. Google Compute Engine),
-you will also need to explicitly open a Firewall rule for the service port(s) (tcp:80) to serve traffic.
+services/nginxsvc
 $ kubectl get service nginxsvc -o json | grep \"ip\"
 "ip": "104.197.37.222"
diff --git a/examples/guestbook-go/README.md b/examples/guestbook-go/README.md
index 2be61e8d902..3bc72d02bff 100644
--- a/examples/guestbook-go/README.md
+++ b/examples/guestbook-go/README.md
@@ -201,9 +201,6 @@ Just like the others, we create a service to group the guestbook pods but this t
 1. Use the [guestbook-service.json](guestbook-service.json) file to create the guestbook service by running the `kubectl create -f` *`filename`* command:
 ```shell
 $ kubectl create -f examples/guestbook-go/guestbook-service.json
- An external load-balanced service was created. On many platforms (e.g. Google Compute Engine),
- you will also need to explicitly open a Firewall rule for the service port(s) (tcp:3000) to serve traffic.
- See https://github.com/GoogleCloudPlatform/kubernetes/tree/master/docs/services-firewall.md for more details.
 ```
@@ -231,14 +228,6 @@ You can now play with the guestbook that you just created by opening it in a bro
 2. Append port `3000` to the IP address (for example `http://146.148.81.8:3000`), and then navigate to that address in your browser.
- **Remember:** You might need to open the firewall for port `3000`.
- If you're using Google Compute Engine, you can use the [Developers Console][cloud-console] or the `gcloud` CLI to open port `3000`.
-
- To use the `gcloud` CLI, you can run the following command to allow traffic from any source to instances tagged `kubernetes-minion`:
- ```shell
- $ gcloud compute firewall-rules create --allow=tcp:3000 --target-tags=kubernetes-minion kubernetes-minion-3000
- ```
-
 Result: The guestbook displays in your browser:
 ![Guestbook](guestbook-page.png)
diff --git a/pkg/kubectl/cmd/create.go b/pkg/kubectl/cmd/create.go
index 199b07cd74d..7415291997f 100644
--- a/pkg/kubectl/cmd/create.go
+++ b/pkg/kubectl/cmd/create.go
@@ -121,23 +121,15 @@ func RunCreate(f *cmdutil.Factory, out io.Writer, filenames util.StringList) err
 func printObjectSpecificMessage(obj runtime.Object, out io.Writer) {
 switch obj := obj.(type) {
 case *api.Service:
- if obj.Spec.Type == api.ServiceTypeLoadBalancer {
- msg := fmt.Sprintf(`
- An external load-balanced service was created. On many platforms (e.g. Google Compute Engine),
- you will also need to explicitly open a Firewall rule for the service port(s) (%s) to serve traffic.
-
- See https://github.com/GoogleCloudPlatform/kubernetes/tree/master/docs/services-firewalls.md for more details.
- `, makePortsString(obj.Spec.Ports, false))
- out.Write([]byte(msg))
- }
 if obj.Spec.Type == api.ServiceTypeNodePort {
- msg := fmt.Sprintf(`
- You have exposed your service on an external port on all nodes in your cluster.
- If you want to expose this service to the external internet, you may need to set up
- firewall rules for the service port(s) (%s) to serve traffic.
-
- See https://github.com/GoogleCloudPlatform/kubernetes/tree/master/docs/services-firewalls.md for more details.
- `, makePortsString(obj.Spec.Ports, true))
+ msg := fmt.Sprintf(
+ `You have exposed your service on an external port on all nodes in your
+cluster. If you want to expose this service to the external internet, you may
+need to set up firewall rules for the service port(s) (%s) to serve traffic.
+
+See http://releases.k8s.io/HEAD/docs/services-firewalls.md for more details.
+`,
+ makePortsString(obj.Spec.Ports, true))
 out.Write([]byte(msg))
 }
 }
diff --git a/pkg/kubectl/cmd/create_test.go b/pkg/kubectl/cmd/create_test.go
index 82c527b04e9..29cfc416a2d 100644
--- a/pkg/kubectl/cmd/create_test.go
+++ b/pkg/kubectl/cmd/create_test.go
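Review bot: `printObjectSpecificMessage` has no doc comment, and after this hunk its contract is easy to misread: it writes a hint only for NodePort Services and is deliberately silent for LoadBalancer Services and every other object type. I would add `// printObjectSpecificMessage writes a post-create hint to out for objects that need manual follow-up; currently only NodePort Services, whose ports are not opened in the cloud firewall automatically.` above the signature. The silence for LoadBalancer assumes the cloud provider opens the firewall itself, which the docs hunk in this commit states for Google Compute Engine only, so a short comment at the top of the `case *api.Service:` arm recording that assumption would tell the next maintainer why the LoadBalancer branch is gone; I am inferring the provider scope from the docs hunk, not from this code. The function is entirely within the hunk; the unchecked return of `out.Write` is on a context line, not new code.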
@@ -147,7 +147,7 @@ func TestPrintObjectSpecificMessage(t *testing.T) {
 },
 {
 obj: &api.Service{Spec: api.ServiceSpec{Type: api.ServiceTypeLoadBalancer}},
- expectOutput: true,
+ expectOutput: false,
 },
 {
 obj: &api.Service{Spec: api.ServiceSpec{Type: api.ServiceTypeNodePort}},
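Review bot: Both Service rows in this table still assert only `expectOutput`, i.e. whether anything was written, and flipping the LoadBalancer row to `expectOutput: false` leaves the rewritten NodePort text unchecked; since that message and its link were changed in the same commit, a check that the NodePort output contains the `makePortsString` result and the `services-firewalls.md` link would catch a regression the boolean cannot. I cannot see the assertion loop of `TestPrintObjectSpecificMessage` in this hunk, so this assumes it compares only presence of output. The test function starts outside the hunk.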