[GLBC] Update firewall source ranges if outdated #574

Merged (3 commits), Apr 11, 2017

@nicksardo (Contributor) commented Apr 7, 2017

Addresses the second half of #197
Final task for that issue would be to consume the firewall rules from the GCE cloudprovider. Currently waiting on a PR over there...

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Apr 7, 2017
@nicksardo nicksardo added backend/gce and removed cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Apr 7, 2017
@coveralls
Coverage increased (+0.7%) to 44.957% when pulling daffef1 on nicksardo:firewall-check-ranges into 7c635a8 on kubernetes:master.

@nicksardo nicksardo added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Apr 7, 2017
@coveralls
Coverage increased (+0.8%) to 44.976% when pulling 5679831 on nicksardo:firewall-check-ranges into 7c635a8 on kubernetes:master.

@nicksardo
Contributor Author

@aledbf You're welcome to review any PR of mine even if I assign it to others.

@bowei (Member) left a comment

looks good, mostly minor things

existingCIDRs := sets.NewString(rule.SourceRanges...)

// Do not update if ports and source cidrs are not outdated.
// NOTE: We are not checking if nodeNames matches the firwall targetTags

Member:

sp. firwall


// Do not update if ports and source cidrs are not outdated.
// NOTE: We are not checking if nodeNames matches the firwall targetTags
if requiredPorts.Equal(existingPorts) && requiredCIDRs.Equal(existingCIDRs) {
return nil
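
Review bot: The early-return test `requiredCIDRs.Equal(existingCIDRs)` compares the ranges as plain strings (existingCIDRs is a sets.NewString over rule.SourceRanges), so two spellings of the same network, such as a CIDR with host bits set and its canonical form, never compare equal and every sync would issue an update. Consider normalizing both sides with net.ParseCIDR before building the sets, or state in the comment that fr.srcRanges must already be in canonical form.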

Member:

glog.V(4).Infof("No changes...

return nil
}

glog.V(3).Infof("Firewall rule %v already exists, updating nodeports %v", name, nodePorts)
return fr.cloud.UpdateFirewall(suffix, "GCE L7 firewall rule", fr.srcRanges, nodePorts, nodeNames)
}

// Shutdown shuts down this firewall rules manager.
func (fr *FirewallRules) Shutdown() error {
glog.Infof("Deleting firewall rule with suffix %v", fr.namer.FrSuffix())
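
Review bot: The log line ahead of the UpdateFirewall call still reads "updating nodeports %v" and prints only nodePorts, although the early return above it is skipped when either the ports or the source CIDRs differ, so the update can be triggered by a range change alone. Include fr.srcRanges in that message so the log shows which ranges were written to the rule, which matters when auditing why a firewall rule changed.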

Member:

[minor] technically multiple rule(s)?

@@ -0,0 +1,93 @@
package firewalls

Member:

copyright

}
verifyFirewallRule(fwp, ruleName, nodePorts, nodes, l7SrcRanges, t)

all := "0.0.0.0/0"

Member:

const

@coveralls
Coverage increased (+2.07%) to 46.28% when pulling 49b780b on nicksardo:firewall-check-ranges into 7c635a8 on kubernetes:master.

@nicksardo nicksardo merged commit 987540f into kubernetes:master Apr 11, 2017
@nicksardo nicksardo deleted the firewall-check-ranges branch April 11, 2017 16:01