
Rename ILB FirewallRules to be consistent with other resource names. #84622

Merged (2 commits), Nov 7, 2019

Conversation


@prameshj prameshj commented Oct 31, 2019

What this PR does / why we need it:
This PR changes ILB firewall names to contain the "k8s-fw-" prefix like the rest of the firewall rules. This is needed for consistency and also for other components to identify the firewall rule as k8s/service-controller managed.
Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Change GCP ILB firewall names to contain the "k8s-fw-" prefix like the rest of the firewall rules. This is needed for consistency and also for other components to identify the firewall rule as k8s/service-controller managed.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
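As an added example (not code from this PR or the cloud provider), the naming and cleanup behaviour the description implies, written in Go: an assumed `firewallPrefix` stands in for the provider's `MakeFirewallName` helper, `firewallAPI` is a hypothetical stand-in for the GCE client, and `fakeAPI` is a constructed in-memory store. It also shows the prefix check another component would use to recognise controller-managed rules, and the cleanup of the legacy unprefixed name alongside the new one.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

const firewallPrefix = "k8s-fw-" // prefix from the PR description
var errNotFound, errForbidden = errors.New("notFound"), errors.New("forbidden")
type firewallAPI interface{ Delete(name string) error } // hypothetical stand-in for the GCE client

// The naming change: the ILB rule gets the same prefix as the other service-controller managed
// rules, so any component can recognise it as controller-owned by name alone.
func ilbFirewallName(loadBalancerName string) string { return firewallPrefix + loadBalancerName }
func isManagedFirewall(name string) bool             { return strings.HasPrefix(name, firewallPrefix) }

// deleteILBFirewalls deletes the prefixed rule and the legacy unprefixed rule left by older
// controllers: notFound is ignored, forbidden on a shared-VPC (XPN) project is collected for
// manual cleanup instead of failing the sync, mirroring the controller's event path.
func deleteILBFirewalls(api firewallAPI, loadBalancerName string, onXPN bool) ([]string, error) {
	var manual []string
	for _, name := range []string{ilbFirewallName(loadBalancerName), loadBalancerName} {
		switch err := api.Delete(name); {
		case err == nil, errors.Is(err, errNotFound):
		case errors.Is(err, errForbidden) && onXPN:
			manual = append(manual, name) // the real controller raises a k8s event here
		default:
			return manual, fmt.Errorf("deleting firewall %s: %w", name, err)
		}
	}
	return manual, nil
}

type fakeAPI struct{ rules, forbidden map[string]bool } // constructed in-memory firewall store

func (f *fakeAPI) Delete(name string) error {
	if f.forbidden[name] {
		return errForbidden
	} else if !f.rules[name] {
		return errNotFound
	}
	delete(f.rules, name)
	return nil
}

func main() {
	api := &fakeAPI{rules: map[string]bool{"a1b2c3": true, "k8s-fw-a1b2c3": true, "user-rule": true}}
	fmt.Println(deleteILBFirewalls(api, "a1b2c3", false)) // [] <nil>; only user-rule remains
}
```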


@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Oct 31, 2019
@prameshj (Contributor Author):

/assign @MrHohn

@k8s-ci-robot k8s-ci-robot added area/cloudprovider sig/cloud-provider Categorizes an issue or PR as relevant to SIG Cloud Provider. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Oct 31, 2019
@prameshj (Contributor Author):

cc @grayluck @bowei @freehan

@MrHohn MrHohn (Member) left a comment:

LGTM overall and left some comments.

@@ -248,7 +248,17 @@ func (g *Cloud) ensureInternalLoadBalancerDeleted(clusterName, clusterID string,
return err
}

klog.V(2).Infof("ensureInternalLoadBalancerDeleted(%v): deleting firewall for traffic", loadBalancerName)
fwName := MakeFirewallName(loadBalancerName)
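Review bot: `fwName := MakeFirewallName(loadBalancerName)` makes the ILB delete path target a rule named from the same loadBalancerName the external LB path uses for the same Service, so the delete that follows depends on a Service never owning an ILB and an external LB rule under that name at the same time; add a one-line comment here stating that assumption so a later change to the naming helper does not silently delete the wrong rule.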
MrHohn (Member):

I wonder whether it would matter if we share the firewall name between external/internal LB. Since we only check for existence of the rule during ensurance, would there be a chance that the firewall for the external one isn't deleted and we mistakenly think that it is for the internal one?

prameshj (Contributor Author):

I was wondering the same. Even if we share the same prefix, we wouldn't share the same rule, since the loadbalancerName is a unique id? If that collided, it would be an issue for all the other resources too: backend service, forwarding rule etc.?

MrHohn (Member):

I was under the impression that the loadbalancerName would be the same if it is for the same service:
https://github.com/kubernetes/kubernetes/blob/d1d663096ba9180bb295b40b6b20f8ceb0e11ddc/staging/src/k8s.io/cloud-provider/cloud.go#L82-L91

But good point that this is already an issue for the forwarding rule (not for the backend service, because ELB uses a target pool). I just realized we in fact check whether the firewall rule is equal, so this should be fine.

prameshj (Contributor Author):

Correct. The name will be the same if it is for the same service. But we can only have either ILB or externalLB at a time for a service, so this should be OK. To your second point, that's correct: externalLB uses a target pool.


prameshj commented Nov 1, 2019

/assign @freehan @MrHohn

@MrHohn MrHohn (Member) left a comment:

LGTM but will let Minhan take a look as well :)
/approve


@k8s-ci-robot:

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: MrHohn, prameshj


@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 1, 2019
@@ -328,6 +338,29 @@ func (g *Cloud) ensureInternalFirewall(svc *v1.Service, fwName, fwDesc string, s
if err != nil && !isNotFound(err) {
return err
}
// TODO Remove legacyFwName logic after 3 releases, so there would have been atleast 2 master upgrades that would
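Review bot: the TODO on the last line of this hunk needs a tracking issue in the `TODO(#nnnn):` form so the legacyFwName removal is actually scheduled rather than left to memory; "atleast" should read "at least", and naming the concrete release in which the fallback is dropped makes the window checkable, since until then an unprefixed rule is still accepted as this Service's firewall.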
MrHohn (Member):

TODO needs issue number for tracking

TODO(12345): xxxxxxxxxx

prameshj (Contributor Author):

Done


prameshj commented Nov 6, 2019

/kind bug
/priority-important-soon

@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. and removed needs-kind Indicates a PR lacks a `kind/foo` label and requires one. labels Nov 6, 2019
@freehan freehan (Contributor) left a comment:

LGTM

just one nit.

@@ -248,7 +248,17 @@ func (g *Cloud) ensureInternalLoadBalancerDeleted(clusterName, clusterID string,
return err
}

klog.V(2).Infof("ensureInternalLoadBalancerDeleted(%v): deleting firewall for traffic", loadBalancerName)
fwName := MakeFirewallName(loadBalancerName)
klog.V(2).Infof("ensureInternalLoadBalancerDeleted(%v): deleting firewall %s for traffic", fwName, loadBalancerName)
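Review bot: the arguments on the last line are in the wrong order for the format string: everywhere else in this function, including the preceding log line, the `(%v)` slot is loadBalancerName, but here the call passes `fwName, loadBalancerName`, so the message names the firewall as the load balancer and vice versa. Swap them to `loadBalancerName, fwName`.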
freehan (Contributor):

Just nit:
consider this?

// The closure must declare an error result, since it returns err on failure.
deleteFunc := func(fwName string) error {
	if err := ignoreNotFound(g.DeleteFirewall(fwName)); err != nil {
		if isForbidden(err) && g.OnXPN() {
			klog.V(2).Infof("ensureInternalLoadBalancerDeleted(%v): could not delete traffic firewall on XPN cluster. Raising event.", fwName)
			// The gcloud command in the event must name the rule being deleted, not the load balancer.
			g.raiseFirewallChangeNeededEvent(svc, FirewallToGCloudDeleteCmd(fwName, g.NetworkProjectID()))
			return nil
		}
		return err
	}
	return nil
}

klog.V(2).Infof("ensureInternalLoadBalancerDeleted(%v): deleting firewall %s for traffic", loadBalancerName, fwName)
if err := deleteFunc(fwName); err != nil {
	return err
}
klog.V(2).Infof("ensureInternalLoadBalancerDeleted(%v): deleting legacy name firewall for traffic", loadBalancerName)
if err := deleteFunc(loadBalancerName); err != nil {
	return err
}


ExternalLB and the healthcheck firewall rules follow this naming convention.
addressed review comments.

freehan commented Nov 7, 2019

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 7, 2019

prameshj commented Nov 7, 2019

/priority-important-soon


prameshj commented Nov 7, 2019

/priority important-soon

@k8s-ci-robot k8s-ci-robot added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Nov 7, 2019
@k8s-ci-robot k8s-ci-robot merged commit 303de85 into kubernetes:master Nov 7, 2019
@k8s-ci-robot k8s-ci-robot added this to the v1.17 milestone Nov 7, 2019
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesn't merit a release note. labels Nov 24, 2019
k8s-ci-robot added a commit that referenced this pull request Nov 24, 2019
…22-upstream-release-1.16

Automated cherry pick of #84622: Create ILB firewall name with prefix "k8s-fw".
k8s-ci-robot added a commit that referenced this pull request Dec 6, 2019
…22-upstream-release-1.15

Automated cherry pick of #84622: Create ILB firewall name with prefix "k8s-fw".