Merge pull request #479 from matthewg/master

Add 35.191.0.0/16 range to GCE firewalls

controllers/gce/README.md

@@ -649,12 +649,12 @@ If you hit that it means the controller isn't even starting. Re-check your input
 A default GKE/GCE cluster needs at least 1 firewall rule for GLBC to function. The Ingress controller should create this for you automatically. You can also create it thus:
 ```console
 $ gcloud compute firewall-rules create allow-130-211-0-0-22 \
-  --source-ranges 130.211.0.0/22 \
+  --source-ranges 130.211.0.0/22,35.191.0.0/16 \
   --target-tags $TAG \
   --allow tcp:$NODE_PORT
 ```
 
-Where `130.211.0.0/22` is the source range of the GCE L7, `$NODE_PORT` is the node port your Service is exposed on, i.e:
+Where `130.211.0.0/22` and `35.191.0.0/16` are the source ranges of the GCE L7, `$NODE_PORT` is the node port your Service is exposed on, i.e:
 ```console
 $ kubectl get -o jsonpath="{.spec.ports[0].nodePort}" services ${SERVICE_NAME}
 ```

controllers/gce/firewalls/firewalls.go

@@ -26,25 +26,25 @@ import (
 	"k8s.io/kubernetes/pkg/util/sets"
 )
 
-// Src range from which the GCE L7 performs health checks.
-const l7SrcRange = "130.211.0.0/22"
+// Src ranges from which the GCE L7 performs health checks.
+var l7SrcRanges = []string{"130.211.0.0/22", "35.191.0.0/16"}
 
 // FirewallRules manages firewall rules.
 type FirewallRules struct {
-	cloud    Firewall
-	namer    *utils.Namer
-	srcRange netset.IPNet
+	cloud     Firewall
+	namer     *utils.Namer
+	srcRanges netset.IPNet
 }
 
 // NewFirewallPool creates a new firewall rule manager.
 // cloud: the cloud object implementing Firewall.
 // namer: cluster namer.
 func NewFirewallPool(cloud Firewall, namer *utils.Namer) SingleFirewallPool {
-	srcNetSet, err := netset.ParseIPNets(l7SrcRange)
+	srcNetSet, err := netset.ParseIPNets(l7SrcRanges...)
 	if err != nil {
-		glog.Fatalf("Could not parse L7 src range %v for firewall rule: %v", l7SrcRange, err)
+		glog.Fatalf("Could not parse L7 src ranges %v for firewall rule: %v", l7SrcRanges, err)
 	}
-	return &FirewallRules{cloud: cloud, namer: namer, srcRange: srcNetSet}
+	return &FirewallRules{cloud: cloud, namer: namer, srcRanges: srcNetSet}
 }
 
 // Sync sync firewall rules with the cloud.
@@ -60,7 +60,7 @@ func (fr *FirewallRules) Sync(nodePorts []int64, nodeNames []string) error {
 	rule, _ := fr.cloud.GetFirewall(name)
 	if rule == nil {
 		glog.Infof("Creating global l7 firewall rule %v", name)
-		return fr.cloud.CreateFirewall(suffix, "GCE L7 firewall rule", fr.srcRange, nodePorts, nodeNames)
+		return fr.cloud.CreateFirewall(suffix, "GCE L7 firewall rule", fr.srcRanges, nodePorts, nodeNames)
 	}
 
 	requiredPorts := sets.NewString()
@@ -77,7 +77,7 @@ func (fr *FirewallRules) Sync(nodePorts []int64, nodeNames []string) error {
 		return nil
 	}
 	glog.V(3).Infof("Firewall rule %v already exists, updating nodeports %v", name, nodePorts)
-	return fr.cloud.UpdateFirewall(suffix, "GCE L7 firewall rule", fr.srcRange, nodePorts, nodeNames)
+	return fr.cloud.UpdateFirewall(suffix, "GCE L7 firewall rule", fr.srcRanges, nodePorts, nodeNames)
 }
 
 // Shutdown shuts down this firewall rules manager.

docs/faq/gce.md

@@ -72,7 +72,7 @@ In addition to this pipeline:
   Service
 * Each port on the Backend Service has a matching port on the Instance Group
 * Each port on the Backend Service is exposed through a firewall-rule open
-  to the GCE LB IP range (`130.211.0.0/22`)
+  to the GCE LB IP ranges (`130.211.0.0/22` and `35.191.0.0/16`)
 
 ## The Ingress controller events complain about quota, how do I increase it?