Merge pull request #15611 from justinsb/gce_lb_firewall

gce: Set firewall rules for Internal LBs also
kubernetes · Jul 10, 2023 · 4ad116e · 4ad116e
2 parents 65fe676 + 3613f58
commit 4ad116e
Show file tree

Hide file tree

Showing 4 changed files with 105 additions and 6 deletions.
diff --git a/pkg/model/gcemodel/api_loadbalancer.go b/pkg/model/gcemodel/api_loadbalancer.go
@@ -38,7 +38,7 @@ var _ fi.CloudupModelBuilder = &APILoadBalancerBuilder{}
 
 // createPublicLB validates the existence of a target pool with the given name,
 // and creates an IP address and forwarding rule pointing to that target pool.
-func createPublicLB(b *APILoadBalancerBuilder, c *fi.CloudupModelBuilderContext) error {
+func (b *APILoadBalancerBuilder) createPublicLB(c *fi.CloudupModelBuilderContext) error {
 	healthCheck := &gcetasks.HTTPHealthcheck{
 		Name:        s(b.NameForHealthcheck("api")),
 		Port:        i64(wellknownports.KubeAPIServerHealthCheck),
@@ -89,6 +89,10 @@ func createPublicLB(b *APILoadBalancerBuilder, c *fi.CloudupModelBuilderContext)
 		})
 	}
 
+	return b.addFirewallRules(c)
+}
+
+func (b *APILoadBalancerBuilder) addFirewallRules(c *fi.CloudupModelBuilderContext) error {
 	// Allow traffic into the API from KubernetesAPIAccess CIDRs
 	{
 		network, err := b.LinkToNetwork()
@@ -132,7 +136,7 @@ func createPublicLB(b *APILoadBalancerBuilder, c *fi.CloudupModelBuilderContext)
 // createInternalLB creates an internal load balancer for the cluster.  In
 // GCP this entails creating a health check, backend service, and one forwarding rule
 // per specified subnet pointing to that backend service.
-func createInternalLB(b *APILoadBalancerBuilder, c *fi.CloudupModelBuilderContext) error {
+func (b *APILoadBalancerBuilder) createInternalLB(c *fi.CloudupModelBuilderContext) error {
 	hc := &gcetasks.HealthCheck{
 		Name:      s(b.NameForHealthCheck("api")),
 		Port:      wellknownports.KubeAPIServer,
@@ -215,8 +219,7 @@ func createInternalLB(b *APILoadBalancerBuilder, c *fi.CloudupModelBuilderContex
 			})
 		}
 	}
-
-	return nil
+	return b.addFirewallRules(c)
 }
 
 func (b *APILoadBalancerBuilder) Build(c *fi.CloudupModelBuilderContext) error {
@@ -232,10 +235,10 @@ func (b *APILoadBalancerBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 
 	switch lbSpec.Type {
 	case kops.LoadBalancerTypePublic:
-		return createPublicLB(b, c)
+		return b.createPublicLB(c)
 
 	case kops.LoadBalancerTypeInternal:
-		return createInternalLB(b, c)
+		return b.createInternalLB(c)
 
 	default:
 		return fmt.Errorf("unhandled LoadBalancer type %q", lbSpec.Type)

diff --git a/tests/integration/update_cluster/minimal_gce_dns-none/kubernetes.tf b/tests/integration/update_cluster/minimal_gce_dns-none/kubernetes.tf
@@ -211,6 +211,54 @@ resource "google_compute_disk" "a-etcd-main-minimal-gce-example-com" {
   zone = "us-test1-a"
 }
 
+resource "google_compute_firewall" "https-api-ipv6-minimal-gce-example-com" {
+  allow {
+    ports    = ["443"]
+    protocol = "tcp"
+  }
+  disabled      = false
+  name          = "https-api-ipv6-minimal-gce-example-com"
+  network       = google_compute_network.minimal-gce-example-com.name
+  source_ranges = ["::/0"]
+  target_tags   = ["minimal-gce-example-com-k8s-io-role-control-plane"]
+}
+
+resource "google_compute_firewall" "https-api-minimal-gce-example-com" {
+  allow {
+    ports    = ["443"]
+    protocol = "tcp"
+  }
+  disabled      = false
+  name          = "https-api-minimal-gce-example-com"
+  network       = google_compute_network.minimal-gce-example-com.name
+  source_ranges = ["0.0.0.0/0"]
+  target_tags   = ["minimal-gce-example-com-k8s-io-role-control-plane"]
+}
+
+resource "google_compute_firewall" "kops-controller-ipv6-minimal-gce-example-com" {
+  allow {
+    ports    = ["3988"]
+    protocol = "tcp"
+  }
+  disabled      = false
+  name          = "kops-controller-ipv6-minimal-gce-example-com"
+  network       = google_compute_network.minimal-gce-example-com.name
+  source_ranges = ["::/0"]
+  target_tags   = ["minimal-gce-example-com-k8s-io-role-control-plane"]
+}
+
+resource "google_compute_firewall" "kops-controller-minimal-gce-example-com" {
+  allow {
+    ports    = ["3988"]
+    protocol = "tcp"
+  }
+  disabled      = false
+  name          = "kops-controller-minimal-gce-example-com"
+  network       = google_compute_network.minimal-gce-example-com.name
+  source_ranges = ["0.0.0.0/0"]
+  target_tags   = ["minimal-gce-example-com-k8s-io-role-control-plane"]
+}
+
 resource "google_compute_firewall" "lb-health-checks-minimal-gce-example-com" {
   allow {
     protocol = "tcp"

diff --git a/tests/integration/update_cluster/minimal_gce_ilb/kubernetes.tf b/tests/integration/update_cluster/minimal_gce_ilb/kubernetes.tf
@@ -219,6 +219,30 @@ resource "google_compute_disk" "a-etcd-main-minimal-gce-ilb-example-com" {
   zone = "us-test1-a"
 }
 
+resource "google_compute_firewall" "https-api-ipv6-minimal-gce-ilb-example-com" {
+  allow {
+    ports    = ["443"]
+    protocol = "tcp"
+  }
+  disabled      = false
+  name          = "https-api-ipv6-minimal-gce-ilb-example-com"
+  network       = google_compute_network.minimal-gce-ilb-example-com.name
+  source_ranges = ["::/0"]
+  target_tags   = ["minimal-gce-ilb-example-com-k8s-io-role-control-plane"]
+}
+
+resource "google_compute_firewall" "https-api-minimal-gce-ilb-example-com" {
+  allow {
+    ports    = ["443"]
+    protocol = "tcp"
+  }
+  disabled      = false
+  name          = "https-api-minimal-gce-ilb-example-com"
+  network       = google_compute_network.minimal-gce-ilb-example-com.name
+  source_ranges = ["0.0.0.0/0"]
+  target_tags   = ["minimal-gce-ilb-example-com-k8s-io-role-control-plane"]
+}
+
 resource "google_compute_firewall" "lb-health-checks-minimal-gce-ilb-example-com" {
   allow {
     protocol = "tcp"

diff --git a/tests/integration/update_cluster/minimal_gce_ilb_longclustername/kubernetes.tf b/tests/integration/update_cluster/minimal_gce_ilb_longclustername/kubernetes.tf
@@ -219,6 +219,30 @@ resource "google_compute_disk" "a-etcd-main-minimal-gce-with-a-very-very-very-ve
   zone = "us-test1-a"
 }
 
+resource "google_compute_firewall" "https-api-ipv6-minimal-gce-with-a-very-very-very-very-ve-96dqvi" {
+  allow {
+    ports    = ["443"]
+    protocol = "tcp"
+  }
+  disabled      = false
+  name          = "https-api-ipv6-minimal-gce-with-a-very-very-very-very-ve-96dqvi"
+  network       = google_compute_network.minimal-gce-with-a-very-very-very-very-very-long-name-ex-96dqvi.name
+  source_ranges = ["::/0"]
+  target_tags   = ["minimal-gce-with-a-very-very-v-96dqvi-k8s-io-role-control-plane"]
+}
+
+resource "google_compute_firewall" "https-api-minimal-gce-with-a-very-very-very-very-very-lo-96dqvi" {
+  allow {
+    ports    = ["443"]
+    protocol = "tcp"
+  }
+  disabled      = false
+  name          = "https-api-minimal-gce-with-a-very-very-very-very-very-lo-96dqvi"
+  network       = google_compute_network.minimal-gce-with-a-very-very-very-very-very-long-name-ex-96dqvi.name
+  source_ranges = ["0.0.0.0/0"]
+  target_tags   = ["minimal-gce-with-a-very-very-v-96dqvi-k8s-io-role-control-plane"]
+}
+
 resource "google_compute_firewall" "lb-health-checks-minimal-gce-with-a-very-very-very-very--96dqvi" {
   allow {
     protocol = "tcp"