loadBalancerSourceRanges does not work on GKE #29997

Closed
gedimin45 opened this issue Aug 3, 2016 · 6 comments · Fixed by #30486
Labels
kind/bug Categorizes issue or PR as related to a bug. sig/network Categorizes an issue or PR as relevant to SIG Network.

Comments

@gedimin45

Hello!

I am running a cluster on GKE (k8s version 1.3.3) and have the following service definition:

apiVersion: v1
kind: Service
metadata:
  name: frontend
  labels:
    app: api
    tier: frontend
spec:
  type: LoadBalancer
  loadBalancerIP: <a static IP>
  loadBalancerSourceRanges:
  - 10.0.0.0/8
  ports:
  - name: https
    port: 443
  - name: http
    port: 80
  selector:
    app: api
    tier: frontend

When I apply this configuration, the source IP range in the created firewall rule is still 0.0.0.0/0. Am I missing something? The loadBalancerIP seems to be applied correctly every time.

@freehan freehan added sig/network Categorizes an issue or PR as relevant to SIG Network. and removed area/apiserver labels Aug 4, 2016
@freehan
Contributor

freehan commented Aug 4, 2016

I just tried it on GKE. It works for me. Here is how I do it:

  1. Create a regional static IP.
  2. Create a LoadBalancer service with the IP and loadBalancerSourceRanges.

Anything I missed?

@freehan
Contributor

freehan commented Aug 4, 2016

For the firewall rule of 0.0.0.0/0, is it formatted like k8s-fw-${Name of the Loadbalancer}?

@gedimin45
Author

@freehan the IP is set correctly, it's the source IP range that is being ignored.
I have been told on Slack that this feature still does not work on GKE. Is that true? If so, is there a plan to enable it? :)

@freehan
Contributor

freehan commented Aug 5, 2016

@Ged15 The source IP ranges work as expected on my GKE cluster.

I wonder if this is related to GKE upgrades, because my cluster is a brand new one.

@freehan
Contributor

freehan commented Aug 5, 2016

Can you confirm the following?
For the 0.0.0.0/0 rule, does its name look like k8s-fw-${Name of the Loadbalancer}? Does ${Name of the Loadbalancer} match the service loadbalancer name?

@freehan
Contributor

freehan commented Aug 5, 2016

Okay. I think I understand the problem now. Will apply a fix soon.

@freehan freehan added the kind/bug Categorizes issue or PR as related to a bug. label Aug 5, 2016
k8s-github-robot pushed a commit that referenced this issue Aug 16, 2016
Automatic merge from submit-queue

syncNetworkUtil in kubelet and fix loadbalancerSourceRange on GCE

fixes: #29997 #29039

@yujuhong Can you take a look at the kubelet part?

@girishkalele KUBE-MARK-DROP is the chain for dropping connections. Marked connections will be dropped in the INPUT/OUTPUT chain of the filter table. Let me know if this is good enough for your use case.
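
The check discussed in this thread (does the k8s-fw-${Name of the Loadbalancer} firewall rule actually carry the Service's loadBalancerSourceRanges?) can be automated. The following is an added example, not code from the issue or from Kubernetes; the JSON is constructed sample data shaped like `kubectl get service -o json` and `gcloud compute firewall-rules list --format=json` output, and `audit_source_ranges` and the load balancer name `a1234example` are hypothetical.

```python
import ipaddress
import json

# Constructed sample data (not from the issue).
SERVICE_JSON = """{"metadata": {"name": "frontend"},
 "spec": {"type": "LoadBalancer", "loadBalancerSourceRanges": ["10.0.0.0/8"]}}"""
FIREWALL_JSON = """[{"name": "k8s-fw-a1234example", "sourceRanges": ["0.0.0.0/0"]},
 {"name": "default-allow-ssh", "sourceRanges": ["0.0.0.0/0"]}]"""


def audit_source_ranges(service, firewall_rules, lb_name):
    """Return findings where the cloud firewall is wider than the Service spec.

    lb_name is the cloud load balancer name (a hypothetical input here); the
    rule is located by the k8s-fw-<lb_name> convention mentioned in the thread.
    """
    wanted = [ipaddress.ip_network(c, strict=False)
              for c in service["spec"].get("loadBalancerSourceRanges", [])]
    if not wanted:
        return []  # no restriction requested, nothing to compare
    rule_name = "k8s-fw-" + lb_name
    rule = next((r for r in firewall_rules if r["name"] == rule_name), None)
    if rule is None:
        return [f"{rule_name}: firewall rule not found"]
    findings = []
    for cidr in rule.get("sourceRanges", []):
        actual = ipaddress.ip_network(cidr, strict=False)
        # A firewall range is acceptable only if it lies inside a wanted range.
        covered = any(actual.version == w.version and actual.subnet_of(w)
                      for w in wanted)
        if not covered:
            allowed = ", ".join(str(w) for w in wanted)
            findings.append(f"{rule_name}: {cidr} is outside [{allowed}]")
    return findings


if __name__ == "__main__":
    svc = json.loads(SERVICE_JSON)
    rules = json.loads(FIREWALL_JSON)
    for finding in audit_source_ranges(svc, rules, "a1234example"):
        print(finding)
```
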