Merge pull request #42395 from nicksardo/gce-src-ranges
Automatic merge from submit-queue Adding load balancer src cidrs to GCE cloudprovider **What this PR does / why we need it**: As of January 31st, 2018, GCP will be sending health checks and l7 traffic from two CIDRs and legacy health checks from three CIDRs. This PR moves them into the cloudprovider package and provides a flag for override. Another PR will need to address firewall rule creation for external L4 network loadbalancing #40778 **Which issue this PR fixes** Step one of #40778 Step one of https://github.com/kubernetes/ingress/issues/197 **Release note**: ```release-note Add flags to GCE cloud provider to override known L4/L7 proxy & health check source cidrs ```
@@ -98,6 +98,7 @@ clientset-only
|
|||||||
clientset-path
|
clientset-path
|
||||||
cloud-config
|
cloud-config
|
||||||
cloud-provider
|
cloud-provider
|
||||||
|
cloud-provider-gce-lb-src-cidrs
|
||||||
cluster-cidr
|
cluster-cidr
|
||||||
cluster-context
|
cluster-context
|
||||||
cluster-dns
|
cluster-dns
|
||||||
|
@@ -17,7 +17,9 @@ limitations under the License.
|
|||||||
package gce
|
package gce
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"flag"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"net"
|
||||||
"net/http"
|
"net/http"
|
||||||
"sort"
|
"sort"
|
||||||
"strconv"
|
"strconv"
|
||||||
@@ -35,6 +37,55 @@ import (
|
|||||||
compute "google.golang.org/api/compute/v1"
|
compute "google.golang.org/api/compute/v1"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
type cidrs struct {
|
||||||
|
ipn netsets.IPNet
|
||||||
|
isSet bool
|
||||||
|
}
|
||||||
|
|
||||||
|
var lbSrcRngsFlag cidrs
|
||||||
|
|
||||||
|
func init() {
|
||||||
|
var err error
|
||||||
|
lbSrcRngsFlag.ipn, err = netsets.ParseIPNets([]string{"130.211.0.0/22", "35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22", "35.191.0.0/16"}...)
|
||||||
|
if err != nil {
|
||||||
|
panic("Incorrect default GCE L7 source ranges")
|
||||||
|
}
|
||||||
|
|
||||||
|
flag.Var(&lbSrcRngsFlag, "cloud-provider-gce-lb-src-cidrs", "CIDRS opened in GCE firewall for LB traffic proxy & health checks")
|
||||||
|
}
|
||||||
|
|
||||||
|
// String is the method to format the flag's value, part of the flag.Value interface.
|
||||||
|
func (c *cidrs) String() string {
|
||||||
|
return strings.Join(c.ipn.StringSlice(), ",")
|
||||||
|
}
|
||||||
|
|
||||||
|
// Set supports a value of CSV or the flag repeated multiple times
|
||||||
|
func (c *cidrs) Set(value string) error {
|
||||||
|
// On first Set(), clear the original defaults
|
||||||
|
if !c.isSet {
|
||||||
|
c.isSet = true
|
||||||
|
c.ipn = make(netsets.IPNet)
|
||||||
|
} else {
|
||||||
|
return fmt.Errorf("GCE LB CIDRS have already been set")
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, cidr := range strings.Split(value, ",") {
|
||||||
|
_, ipnet, err := net.ParseCIDR(cidr)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
c.ipn.Insert(ipnet)
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// LoadBalancerSrcRanges contains the ranges of ips used by the GCE load balancers (l4 & L7)
|
||||||
|
// for proxying client requests and performing health checks.
|
||||||
|
func LoadBalancerSrcRanges() []string {
|
||||||
|
return lbSrcRngsFlag.ipn.StringSlice()
|
||||||
|
}
|
||||||
|
|
||||||
// GetLoadBalancer is an implementation of LoadBalancer.GetLoadBalancer
|
// GetLoadBalancer is an implementation of LoadBalancer.GetLoadBalancer
|
||||||
func (gce *GCECloud) GetLoadBalancer(clusterName string, service *v1.Service) (*v1.LoadBalancerStatus, bool, error) {
|
func (gce *GCECloud) GetLoadBalancer(clusterName string, service *v1.Service) (*v1.LoadBalancerStatus, bool, error) {
|
||||||
loadBalancerName := cloudprovider.GetLoadBalancerName(service)
|
loadBalancerName := cloudprovider.GetLoadBalancerName(service)
|
||||||
|
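Review bot: The doc comment on `Set` says the flag can be repeated, but the `else` branch returns `GCE LB CIDRS have already been set` on the second call, so a repeated `--cloud-provider-gce-lb-src-cidrs` is rejected rather than appended; either drop the `else` branch so later calls `Insert` into the already-cleared set, or change the comment to `// Set accepts a comma-separated list of CIDRs; the flag may be given only once.` The default list passed to `netsets.ParseIPNets` contains `35.191.0.0/16` twice, which is harmless if `netsets.IPNet` is a set but reads like a copy-paste slip, and the panic message beneath it says "L7" although the ranges are used for L4 as well. Because the parsed value is later consumed verbatim as `fw.SourceRanges` in the ingress test jig and, presumably, by the provider's own firewall rules, the flag help text should state that an override replaces (not extends) the built-in ranges and that every CIDR given is opened in the firewall, so an operator does not widen it further than intended. Registering via the stdlib `flag` package in `init()` also means the option is only honored by binaries whose flag set imports Go flags (for example through pflag's `AddGoFlagSet`); worth confirming for each binary that links this package.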
@@ -78,9 +78,6 @@ const (
|
|||||||
// Name of the default http backend service
|
// Name of the default http backend service
|
||||||
defaultBackendName = "default-http-backend"
|
defaultBackendName = "default-http-backend"
|
||||||
|
|
||||||
// GCEL7SrcRange is the IP src range from which the GCE L7 performs health checks.
|
|
||||||
GCEL7SrcRange = "130.211.0.0/22"
|
|
||||||
|
|
||||||
// Cloud resources created by the ingress controller older than this
|
// Cloud resources created by the ingress controller older than this
|
||||||
// are automatically purged to prevent running out of quota.
|
// are automatically purged to prevent running out of quota.
|
||||||
// TODO(37335): write soak tests and bump this up to a week.
|
// TODO(37335): write soak tests and bump this up to a week.
|
||||||
@@ -982,7 +979,7 @@ func (j *IngressTestJig) ConstructFirewallForIngress(gceController *GCEIngressCo
|
|||||||
|
|
||||||
fw := compute.Firewall{}
|
fw := compute.Firewall{}
|
||||||
fw.Name = gceController.GetFirewallRuleName()
|
fw.Name = gceController.GetFirewallRuleName()
|
||||||
fw.SourceRanges = []string{GCEL7SrcRange}
|
fw.SourceRanges = gcecloud.LoadBalancerSrcRanges()
|
||||||
fw.TargetTags = nodeTags.Items
|
fw.TargetTags = nodeTags.Items
|
||||||
fw.Allowed = []*compute.FirewallAllowed{
|
fw.Allowed = []*compute.FirewallAllowed{
|
||||||
{
|
{
|
||||||
|