From 04b87d59453273edeeb05f8f6289c39c0aeb8c73 Mon Sep 17 00:00:00 2001
From: Matthew Sachs
Date: Wed, 22 Mar 2017 00:18:26 -0700
Subject: [PATCH] Add 35.191.0.0/16 range to GCE firewalls (issue #478)
---
 controllers/gce/README.md | 4 ++--
 controllers/gce/firewalls/firewalls.go | 20 ++++++++++----------
 docs/faq/gce.md | 2 +-
 3 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/controllers/gce/README.md b/controllers/gce/README.md
index 1dbf3b0e4..aa9684344 100644
--- a/controllers/gce/README.md
+++ b/controllers/gce/README.md
@@ -649,12 +649,12 @@ If you hit that it means the controller isn't even starting. Re-check your input
 A default GKE/GCE cluster needs at least 1 firewall rule for GLBC to function. The Ingress controller should create this for you automatically. You can also create it thus:
 ```console
 $ gcloud compute firewall-rules create allow-130-211-0-0-22 \
- --source-ranges 130.211.0.0/22 \
+ --source-ranges 130.211.0.0/22,35.191.0.0/16 \
 --target-tags $TAG \
 --allow tcp:$NODE_PORT
 ```
-Where `130.211.0.0/22` is the source range of the GCE L7, `$NODE_PORT` is the node port your Service is exposed on, i.e:
+Where `130.211.0.0/22` and `35.191.0.0/16` are the source ranges of the GCE L7, `$NODE_PORT` is the node port your Service is exposed on, i.e:
 ```console
 $ kubectl get -o jsonpath="{.spec.ports[0].nodePort}" services ${SERVICE_NAME}
 ```
diff --git a/controllers/gce/firewalls/firewalls.go b/controllers/gce/firewalls/firewalls.go
index 31bfdacf1..7a4d6603c 100644
--- a/controllers/gce/firewalls/firewalls.go
+++ b/controllers/gce/firewalls/firewalls.go
@@ -26,25 +26,25 @@ import (
 "k8s.io/kubernetes/pkg/util/sets"
 )
-// Src range from which the GCE L7 performs health checks.
-const l7SrcRange = "130.211.0.0/22"
+// Src ranges from which the GCE L7 performs health checks.
+var l7SrcRanges = []string{"130.211.0.0/22", "35.191.0.0/16"}
 // FirewallRules manages firewall rules.
 type FirewallRules struct {
- cloud Firewall
- namer *utils.Namer
- srcRange netset.IPNet
+ cloud Firewall
+ namer *utils.Namer
+ srcRanges netset.IPNet
 }
 // NewFirewallPool creates a new firewall rule manager.
 // cloud: the cloud object implementing Firewall.
 // namer: cluster namer.
 func NewFirewallPool(cloud Firewall, namer *utils.Namer) SingleFirewallPool {
- srcNetSet, err := netset.ParseIPNets(l7SrcRange)
+ srcNetSet, err := netset.ParseIPNets(l7SrcRanges...)
 if err != nil {
- glog.Fatalf("Could not parse L7 src range %v for firewall rule: %v", l7SrcRange, err)
+ glog.Fatalf("Could not parse L7 src ranges %v for firewall rule: %v", l7SrcRanges, err)
 }
- return &FirewallRules{cloud: cloud, namer: namer, srcRange: srcNetSet}
+ return &FirewallRules{cloud: cloud, namer: namer, srcRanges: srcNetSet}
 }
 // Sync sync firewall rules with the cloud.
@@ -60,7 +60,7 @@ func (fr *FirewallRules) Sync(nodePorts []int64, nodeNames []string) error {
 rule, _ := fr.cloud.GetFirewall(name)
 if rule == nil {
 glog.Infof("Creating global l7 firewall rule %v", name)
- return fr.cloud.CreateFirewall(suffix, "GCE L7 firewall rule", fr.srcRange, nodePorts, nodeNames)
+ return fr.cloud.CreateFirewall(suffix, "GCE L7 firewall rule", fr.srcRanges, nodePorts, nodeNames)
 }
 requiredPorts := sets.NewString()
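Review bot: Replacing `const l7SrcRange` with `var l7SrcRanges = []string{...}` turns the firewall's source allow-list into a mutable package-level slice, so any code in the package can append to or reassign it before `NewFirewallPool` parses it, whereas the previous constant was fixed at compile time. Go has no constant slices, so the practical fix is documentation plus keeping the identifier unexported as it is: expand the comment to say that these are the only ranges the L7 rule admits and that the list must not be extended at runtime, e.g. `// l7SrcRanges are the source ranges from which the GCE L7 performs health checks; the firewall rule admits only these, so do not modify the slice at runtime.` The `glog.Fatalf` on a parse failure is reasonable here because the inputs are literals, and a sentence in the comment saying so would make that intent explicit.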
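Review bot: `rule, _ := fr.cloud.GetFirewall(name)` discards the lookup error, so a transient API failure looks the same as "rule absent" and falls into the `CreateFirewall` branch that the commit now builds from `fr.srcRanges`; this is pre-existing rather than introduced by the rename, but the commit touches this path. Returning the error instead, `rule, err := fr.cloud.GetFirewall(name)` followed by `if err != nil { return err }`, lets the caller retry rather than attempt a create that may collide with a rule that does exist. I cannot tell from the hunk whether `GetFirewall` reports not-found as a nil rule or as an error, so the exact check depends on the `Firewall` interface, which is outside this hunk; the body of `Sync` also starts and ends outside it.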
@@ -77,7 +77,7 @@ func (fr *FirewallRules) Sync(nodePorts []int64, nodeNames []string) error {
 return nil
 }
 glog.V(3).Infof("Firewall rule %v already exists, updating nodeports %v", name, nodePorts)
- return fr.cloud.UpdateFirewall(suffix, "GCE L7 firewall rule", fr.srcRange, nodePorts, nodeNames)
+ return fr.cloud.UpdateFirewall(suffix, "GCE L7 firewall rule", fr.srcRanges, nodePorts, nodeNames)
 }
 // Shutdown shuts down this firewall rules manager.
diff --git a/docs/faq/gce.md b/docs/faq/gce.md
index f42afd15d..f8fd5fe73 100644
--- a/docs/faq/gce.md
+++ b/docs/faq/gce.md
@@ -72,7 +72,7 @@ In addition to this pipeline:
 Service
 * Each port on the Backend Service has a matching port on the Instance Group
 * Each port on the Backend Service is exposed through a firewall-rule open
- to the GCE LB IP range (`130.211.0.0/22`)
+ to the GCE LB IP ranges (`130.211.0.0/22` and `35.191.0.0/16`)
 ## The Ingress controller events complain about quota, how do I increase it?
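Review bot: The new range only reaches an already-existing rule through the `UpdateFirewall` call at the end of this hunk, but the `return nil` just above the log line appears to short-circuit when the rule exists and, judging by the "updating nodeports" message, its node ports already match, so a cluster upgraded with this change would keep a rule that admits only `130.211.0.0/22` and traffic from `35.191.0.0/16` would still be blocked. The condition guarding that `return nil` is outside the hunk, so I cannot see whether it also compares source ranges; if it compares ports only, it should additionally compare the existing rule's source ranges with `fr.srcRanges` and fall through to `UpdateFirewall` when they differ. Either way, a sentence in the commit description saying whether existing rules are reconciled automatically or need a manual update would help operators rolling this out. `Sync` starts before this hunk.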