Update the GCP provider to allow users to skip firewall actions #911
Conversation
k8s-ci-robot
added
the
needs-triage
|
This issue is currently awaiting triage. If the repository mantainers determine this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @barbacbd. Thanks for your PR. I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
the
size/L
|
Unknown CLA label state. Rechecking for CLA labels. Send feedback to sig-contributor-experience at kubernetes/community. /check-cla |
k8s-ci-robot
added
the
cncf-cla: yes
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
barbacbd
changed the title
|
/assign |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: barbacbd The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/lgtm |
|
|
||
| func (g *Cloud) createFirewall(svc *v1.Service, name, desc, destinationIP string, sourceRanges utilnet.IPNetSet, ports []v1.ServicePort, hosts []*gceInstance) error { | ||
| if g.firewallRulesManagement == firewallRulesManagementDisabled { | ||
| klog.V(2).Infof("createFirewall(%v): firewall rules are unmanaged", name) |
There was a problem hiding this comment.
I think it would be helpful to include the event in this case, like we do below in the XPN case:
g.raiseFirewallChangeNeededEvent(svc, FirewallToGCloudCreateCmd(firewall, g.NetworkProjectID()))
…ules cluster: Update the scripts to include the new variables providers/gce: Update the config to include the new `FirewallRulesManagement` string that can be set to Enabled or Disabled. This variable will allow users to skip the creation, deletion, and updates to firewall rules when set to Disabled. Users may not want or have the ability to add the permissions to perform these actions on their service account. When this is the case the firewall rules should be pre created and managed by someone with permissions to achieve the same goal.
k8s-ci-robot
removed
the
lgtm
|
/lgtm New event change makes sense to me |
k8s-ci-robot
added
the
lgtm
|
@bowei Can you please take another look and approve or comment on this PR? Thank you. |
|
/assign @swetharepakula @mmamczur Please take a look at this PR -- it will add a field to |
|
why not use just a flag for the binary so that you can configure your deployment that way? it looks like when unset this will maintain the old behavior so it should work fine for existing configurations and gke |
@mmamczur like these flags? cloud-provider-gcp/cmd/cloud-controller-manager/main.go Lines 84 to 87 in 25e7d16 Based on those, it's not clear to me when we would choose a flag vs the cloud config. Personally, I would not expose an API for this but make the behavior default, like it is on XPN. So we could just remove the cloud-provider-gcp/providers/gce/gce_loadbalancer_internal.go Lines 410 to 413 in 25e7d16 |
|
I thought generally as a community Kubernetes was moving away from long lists of flag options to config file options with structure and versionability. Certainly this aligns with other additions of late to cloud providers as a config file option over a flag. Certainly with my SIG Cloud and API reviewer hats on, I think config file is the correct choice for a switch on behaviour here over a flag |
this was an intent that never materialized, kube-apiserver uses flags, kubelet moved to config but still has a lot of complex combinations between flags and configs and kube-proxy is in a similar limbo than kubelet, with a considerable use of flags vs config, kube-controller-manager is flag based IIRC , no idea about kube-scheduler and kube-controller-manager but my anecdotical experience is I only see them configured via flags |
|
in that case the config file is ok. I don't know the history behind this but writing this file sounds like a lot of hassle vs just providing flags in the manifest |
|
Does it make sense to expose an API and make this functionality configurable? This functionality is already enabled by default on XPN; making non-XPN consistent with XPN would reduce the complexity managed in code. Here's my understanding of what this PR and adding the API enables:
If we remove the API and make non-XPN consistent with XPN, the behavior becomes:
There's something to be said for capturing user intent, but the only difference AFAICT in how we act on that intent is whether the provider throws an error in a specific case. |
12 participants
cluster:
Update the scripts to include the new variables
providers/gce:
Update the config to include the new
ManageFirewallRulesboolean setting. This variable will allow users to skip the creation, deletion, and updates to firewall rules when set to false. Users may not want or have the ability to add the permissions to perform these actions on their service account. When this is the case the firewall rules should be pre created and managed by someone with permissions to achieve the same goal.