Fix load-balancer firewall messages

2025-07-29 06:27:05 +00:00 · 2015-07-14 11:47:36 -07:00 · 2015-07-14 11:47:36 -07:00 · fe89298c09
commit fe89298c09
parent 43de287427
5 changed files with 33 additions and 40 deletions
--- a/docs/services-firewalls.md
+++ b/docs/services-firewalls.md
@ -29,6 +29,10 @@ well as any provider specific details that may be necessary.
 ### Google Compute Engine
 When using a Service with `spec.type: LoadBalancer`, the firewall will be
 opened automatically.  When using `spec.type: NodePort`, however, the firewall
 is *not* opened by default.
 Google Compute Engine firewalls are documented [elsewhere](https://cloud.google.com/compute/docs/networking#firewalls_1).
 You can add a firewall with the ```gcloud``` command line tool:
@ -40,18 +44,27 @@ gcloud compute firewall-rules create my-rule --allow=tcp:<port>
 **Note**
 There is one important security note when using firewalls on Google Compute Engine:
-Firewalls are defined per-vm, rather than per-ip address.  This means that if you open a firewall for that service's ports,
+as of kubernmetes v1.0.0, GCE firewalls are defined per-vm, rather than per-ip
-anything that serves on that port on that VM's host IP address may potentially serve traffic.
+address.  This means that when you open a firewall for a service's ports,
-
+anything that serves on that port on that VM's host IP address may potentially
-Note that this is not a problem for other Kubernetes services, as they listen on IP addresses that are different than the
+serve traffic.  Note that this is not a problem for other Kubernetes services,
-host node's external IP address.
+as they listen on IP addresses that are different than the host node's external
 IP address.
 Consider:
-   * You create a Service with an external load balancer (IP Address 1.2.3.4) and port 80
+   * You create a Service with an external load balancer (IP Address 1.2.3.4)
-   * You open the firewall for port 80 for all nodes in your cluster, so that the external Service actually can deliver packets to your Service
+     and port 80
-   * You start an nginx server, running on port 80 on the host virtual machine (IP Address 2.3.4.5).  This nginx is **also** exposed to the internet on the VM's external IP address.
+   * You open the firewall for port 80 for all nodes in your cluster, so that
     the external Service actually can deliver packets to your Service
   * You start an nginx server, running on port 80 on the host virtual machine
     (IP Address 2.3.4.5).  This nginx is **also** exposed to the internet on
     the VM's external IP address.
-Consequently, please be careful when opening firewalls in Google Compute Engine or Google Container Engine.  You may accidentally be exposing other services to the wilds of the internet.
+Consequently, please be careful when opening firewalls in Google Compute Engine
 or Google Container Engine.  You may accidentally be exposing other services to
 the wilds of the internet.
 This will be fixed in an upcoming release of Kubernetes.
 ### Other cloud providers
 Coming soon.
--- a/docs/user-guide/connecting-applications.md
+++ b/docs/user-guide/connecting-applications.md
@ -226,12 +226,11 @@ spec:
  selector:
    app: nginx
 ```
-You should see a similar message informing you about firewall rules on port 80:
+
 ```shell
 $ kubectl delete svc nginxsvc
 $ kubectl create -f nginxsvc.yaml
-An external load-balanced service was created.  On many platforms (e.g. Google Compute Engine),
+services/nginxsvc
 you will also need to explicitly open a Firewall rule for the service port(s) (tcp:80) to serve traffic.
 $ kubectl get service nginxsvc -o json | grep \"ip\"
 "ip": "104.197.37.222"
--- a/examples/guestbook-go/README.md
+++ b/examples/guestbook-go/README.md
@ -201,9 +201,6 @@ Just like the others, we create a service to group the guestbook pods but this t
 1. Use the [guestbook-service.json](guestbook-service.json) file to create the guestbook service by running the `kubectl create -f` *`filename`* command:
    ```shell
    $ kubectl create -f examples/guestbook-go/guestbook-service.json
 		  An external load-balanced service was created.  On many platforms (e.g. Google Compute Engine),
          you will also need to explicitly open a Firewall rule for the service port(s) (tcp:3000) to serve traffic.
          See https://github.com/GoogleCloudPlatform/kubernetes/tree/master/docs/services-firewall.md for more details.
    ```
@ -231,14 +228,6 @@ You can now play with the guestbook that you just created by opening it in a bro
    2. Append port `3000` to the IP address (for example `http://146.148.81.8:3000`), and then navigate to that address in your browser.
    **Remember:** You might need to open the firewall for port `3000`. 
    If you're using Google Compute Engine, you can use the [Developers Console][cloud-console] or the `gcloud` CLI to open port `3000`. 
    To use the `gcloud` CLI, you can run the following command to allow traffic from any source to instances tagged `kubernetes-minion`:
    ```shell
    $ gcloud compute firewall-rules create --allow=tcp:3000 --target-tags=kubernetes-minion kubernetes-minion-3000
    ```
    Result: The guestbook displays in your browser:
    ![Guestbook](guestbook-page.png)
--- a/pkg/kubectl/cmd/create.go
+++ b/pkg/kubectl/cmd/create.go
@ -121,23 +121,15 @@ func RunCreate(f *cmdutil.Factory, out io.Writer, filenames util.StringList) err
 func printObjectSpecificMessage(obj runtime.Object, out io.Writer) {
 	switch obj := obj.(type) {
 	case *api.Service:
 		if obj.Spec.Type == api.ServiceTypeLoadBalancer {
 			msg := fmt.Sprintf(`
 			An external load-balanced service was created.  On many platforms (e.g. Google Compute Engine),
 			you will also need to explicitly open a Firewall rule for the service port(s) (%s) to serve traffic.
 			See https://github.com/GoogleCloudPlatform/kubernetes/tree/master/docs/services-firewalls.md for more details.
 			`, makePortsString(obj.Spec.Ports, false))
 			out.Write([]byte(msg))
 		}
 		if obj.Spec.Type == api.ServiceTypeNodePort {
-			msg := fmt.Sprintf(`
+			msg := fmt.Sprintf(
-				You have exposed your service on an external port on all nodes in your cluster.
+				`You have exposed your service on an external port on all nodes in your
-				If you want to expose this service to the external internet, you may need to set up
+cluster.  If you want to expose this service to the external internet, you may
-				firewall rules for the service port(s) (%s) to serve traffic.
+need to set up firewall rules for the service port(s) (%s) to serve traffic.
-				
+
-				See https://github.com/GoogleCloudPlatform/kubernetes/tree/master/docs/services-firewalls.md for more details.
+See http://releases.k8s.io/HEAD/docs/services-firewalls.md for more details.
-				`, makePortsString(obj.Spec.Ports, true))
+`,
 				makePortsString(obj.Spec.Ports, true))
 			out.Write([]byte(msg))
 		}
 	}
--- a/pkg/kubectl/cmd/create_test.go
+++ b/pkg/kubectl/cmd/create_test.go
@ -147,7 +147,7 @@ func TestPrintObjectSpecificMessage(t *testing.T) {
 		},
 		{
 			obj:          &api.Service{Spec: api.ServiceSpec{Type: api.ServiceTypeLoadBalancer}},
-			expectOutput: true,
+			expectOutput: false,
 		},
 		{
 			obj:          &api.Service{Spec: api.ServiceSpec{Type: api.ServiceTypeNodePort}},