Load balancer source ranges

pkg/api/service/annotations.go

@@ -0,0 +1,28 @@
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package service
+
+const (
+	// AnnotationLoadBalancerSourceRangesKey is the key of the annotation on a service to set allowed ingress ranges on their LoadBalancers
+	//
+	// It should be a comma-separated list of CIDRs, e.g. `0.0.0.0/0` to
+	// allow full access (the default) or `18.0.0.0/8,56.0.0.0/8` to allow
+	// access only from the CIDRs currently allocated to MIT & the USPS.
+	//
+	// Not all cloud providers support this annotation, though AWS & GCE do.
+	AnnotationLoadBalancerSourceRangesKey = "service.beta.kubernetes.io/load-balancer-source-ranges"
+)

pkg/api/service/util.go

@@ -0,0 +1,54 @@
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package service
+
+import (
+	"fmt"
+	"strings"
+
+	netsets "k8s.io/kubernetes/pkg/util/net/sets"
+)
+
+const (
+	defaultLoadBalancerSourceRanges = "0.0.0.0/0"
+)
+
+// IsAllowAll checks whether the netsets.IPNet allows traffic from 0.0.0.0/0
+func IsAllowAll(ipnets netsets.IPNet) bool {
+	for _, s := range ipnets.StringSlice() {
+		if s == "0.0.0.0/0" {
+			return true
+		}
+	}
+	return false
+}
+
+// GetLoadBalancerSourceRanges verifies and parses the AnnotationLoadBalancerSourceRangesKey annotation from a service,
+// extracting the source ranges to allow, and if not present returns a default (allow-all) value.
+func GetLoadBalancerSourceRanges(annotations map[string]string) (netsets.IPNet, error) {
+	val := annotations[AnnotationLoadBalancerSourceRangesKey]
+	val = strings.TrimSpace(val)
+	if val == "" {
+		val = defaultLoadBalancerSourceRanges
+	}
+	specs := strings.Split(val, ",")
+	ipnets, err := netsets.ParseIPNets(specs...)
+	if err != nil {
+		return nil, fmt.Errorf("Service annotation %s:%s is not valid. Expecting a comma-separated list of source IP ranges. For example, 10.0.0.0/24,192.168.2.0/24", AnnotationLoadBalancerSourceRangesKey, val)
+	}
+	return ipnets, nil
+}

pkg/api/service/util_test.go

@@ -0,0 +1,92 @@
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package service
+
+import (
+	"testing"
+
+	netsets "k8s.io/kubernetes/pkg/util/net/sets"
+)
+
+func TestGetLoadBalancerSourceRanges(t *testing.T) {
+	checkError := func(v string) {
+		annotations := make(map[string]string)
+		annotations[AnnotationLoadBalancerSourceRangesKey] = v
+		_, err := GetLoadBalancerSourceRanges(annotations)
+		if err == nil {
+			t.Errorf("Expected error parsing: %q", v)
+		}
+	}
+	checkError("10.0.0.1/33")
+	checkError("foo.bar")
+	checkError("10.0.0.1/32,*")
+	checkError("10.0.0.1/32,")
+	checkError("10.0.0.1/32, ")
+	checkError("10.0.0.1")
+
+	checkOK := func(v string) netsets.IPNet {
+		annotations := make(map[string]string)
+		annotations[AnnotationLoadBalancerSourceRangesKey] = v
+		cidrs, err := GetLoadBalancerSourceRanges(annotations)
+		if err != nil {
+			t.Errorf("Unexpected error parsing: %q", v)
+		}
+		return cidrs
+	}
+	cidrs := checkOK("192.168.0.1/32")
+	if len(cidrs) != 1 {
+		t.Errorf("Expected exactly one CIDR: %v", cidrs.StringSlice())
+	}
+	cidrs = checkOK("192.168.0.1/32,192.168.0.1/32")
+	if len(cidrs) != 1 {
+		t.Errorf("Expected exactly one CIDR (after de-dup): %v", cidrs.StringSlice())
+	}
+	cidrs = checkOK("192.168.0.1/32,192.168.0.2/32")
+	if len(cidrs) != 2 {
+		t.Errorf("Expected two CIDRs: %v", cidrs.StringSlice())
+	}
+	cidrs = checkOK("  192.168.0.1/32 , 192.168.0.2/32   ")
+	if len(cidrs) != 2 {
+		t.Errorf("Expected two CIDRs: %v", cidrs.StringSlice())
+	}
+	cidrs = checkOK("")
+	if len(cidrs) != 1 {
+		t.Errorf("Expected exactly one CIDR: %v", cidrs.StringSlice())
+	}
+	if !IsAllowAll(cidrs) {
+		t.Errorf("Expected default to be allow-all: %v", cidrs.StringSlice())
+	}
+}
+
+func TestAllowAll(t *testing.T) {
+	checkAllowAll := func(allowAll bool, cidrs ...string) {
+		ipnets, err := netsets.ParseIPNets(cidrs...)
+		if err != nil {
+			t.Errorf("Unexpected error parsing cidrs: %v", cidrs)
+		}
+		if allowAll != IsAllowAll(ipnets) {
+			t.Errorf("IsAllowAll did not return expected value for %v", cidrs)
+		}
+	}
+	checkAllowAll(false, "10.0.0.1/32")
+	checkAllowAll(false, "10.0.0.1/32", "10.0.0.2/32")
+	checkAllowAll(false, "10.0.0.1/32", "10.0.0.1/32")
+
+	checkAllowAll(true, "0.0.0.0/0")
+	checkAllowAll(true, "192.168.0.0/0")
+	checkAllowAll(true, "192.168.0.1/32", "0.0.0.0/0")
+}

pkg/api/validation/validation.go

@@ -29,6 +29,7 @@ import (
 
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/api/resource"
+	apiservice "k8s.io/kubernetes/pkg/api/service"
 	"k8s.io/kubernetes/pkg/capabilities"
 	"k8s.io/kubernetes/pkg/labels"
 	"k8s.io/kubernetes/pkg/util/intstr"
@@ -1736,6 +1737,12 @@ func ValidateService(service *api.Service) field.ErrorList {
 		nodePorts[key] = true
 	}
 
+	_, err := apiservice.GetLoadBalancerSourceRanges(service.Annotations)
+	if err != nil {
+		v := service.Annotations[apiservice.AnnotationLoadBalancerSourceRangesKey]
+		allErrs = append(allErrs, field.Invalid(field.NewPath("metadata", "annotations").Key(apiservice.AnnotationLoadBalancerSourceRangesKey), v, "must be a comma separated list of CIDRs e.g. 192.168.0.0/16,10.0.0.0/8"))
+	}
+
 	return allErrs
 }
 

pkg/api/validation/validation_test.go

@@ -25,6 +25,7 @@ import (
 
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/api/resource"
+	"k8s.io/kubernetes/pkg/api/service"
 	"k8s.io/kubernetes/pkg/api/testapi"
 	"k8s.io/kubernetes/pkg/api/unversioned"
 	"k8s.io/kubernetes/pkg/capabilities"
@@ -2877,6 +2878,34 @@ func TestValidateService(t *testing.T) {
 			},
 			numErrs: 1,
 		},
+		{
+			name: "valid LoadBalancer source range annotation",
+			tweakSvc: func(s *api.Service) {
+				s.Annotations[service.AnnotationLoadBalancerSourceRangesKey] = "1.2.3.4/8,  5.6.7.8/16"
+			},
+			numErrs: 0,
+		},
+		{
+			name: "empty LoadBalancer source range annotation",
+			tweakSvc: func(s *api.Service) {
+				s.Annotations[service.AnnotationLoadBalancerSourceRangesKey] = ""
+			},
+			numErrs: 0,
+		},
+		{
+			name: "invalid LoadBalancer source range annotation (hostname)",
+			tweakSvc: func(s *api.Service) {
+				s.Annotations[service.AnnotationLoadBalancerSourceRangesKey] = "foo.bar"
+			},
+			numErrs: 1,
+		},
+		{
+			name: "invalid LoadBalancer source range annotation (invalid CIDR)",
+			tweakSvc: func(s *api.Service) {
+				s.Annotations[service.AnnotationLoadBalancerSourceRangesKey] = "1.2.3.4/33"
+			},
+			numErrs: 1,
+		},
 	}
 
 	for _, tc := range testCases {

pkg/cloudprovider/cloud.go

@@ -84,7 +84,7 @@ type LoadBalancer interface {
 	// if so, what its status is.
 	GetLoadBalancer(name, region string) (status *api.LoadBalancerStatus, exists bool, err error)
 	// EnsureLoadBalancer creates a new load balancer 'name', or updates the existing one. Returns the status of the balancer
-	EnsureLoadBalancer(name, region string, loadBalancerIP net.IP, ports []*api.ServicePort, hosts []string, serviceName types.NamespacedName, affinityType api.ServiceAffinity, annotations ServiceAnnotation) (*api.LoadBalancerStatus, error)
+	EnsureLoadBalancer(name, region string, loadBalancerIP net.IP, ports []*api.ServicePort, hosts []string, serviceName types.NamespacedName, affinityType api.ServiceAffinity, annotations map[string]string) (*api.LoadBalancerStatus, error)
 	// UpdateLoadBalancer updates hosts under the specified load balancer.
 	UpdateLoadBalancer(name, region string, hosts []string) error
 	// EnsureLoadBalancerDeleted deletes the specified load balancer if it
@@ -160,10 +160,3 @@ type Zones interface {
 	// GetZone returns the Zone containing the current failure zone and locality region that the program is running in
 	GetZone() (Zone, error)
 }
-
-type ServiceAnnotation map[string]string
-
-func (s ServiceAnnotation) GetValue(key string) (string, bool) {
-	val, ok := s[key]
-	return val, ok
-}

pkg/cloudprovider/providers/aws/aws.go

@@ -47,6 +47,7 @@ import (
 	"k8s.io/kubernetes/pkg/util/sets"
 
 	"github.com/golang/glog"
+	"k8s.io/kubernetes/pkg/api/service"
 	"k8s.io/kubernetes/pkg/api/unversioned"
 )
 
@@ -1948,7 +1949,7 @@ func isSubnetPublic(rt []*ec2.RouteTable, subnetID string) (bool, error) {
 
 // EnsureLoadBalancer implements LoadBalancer.EnsureLoadBalancer
 // TODO(justinsb) It is weird that these take a region.  I suspect it won't work cross-region anyway.
-func (s *AWSCloud) EnsureLoadBalancer(name, region string, publicIP net.IP, ports []*api.ServicePort, hosts []string, serviceName types.NamespacedName, affinity api.ServiceAffinity, annotations cloudprovider.ServiceAnnotation) (*api.LoadBalancerStatus, error) {
+func (s *AWSCloud) EnsureLoadBalancer(name, region string, publicIP net.IP, ports []*api.ServicePort, hosts []string, serviceName types.NamespacedName, affinity api.ServiceAffinity, annotations map[string]string) (*api.LoadBalancerStatus, error) {
 	glog.V(2).Infof("EnsureLoadBalancer(%v, %v, %v, %v, %v, %v, %v)", name, region, publicIP, ports, hosts, serviceName, annotations)
 
 	if region != s.region {
@@ -1979,6 +1980,11 @@ func (s *AWSCloud) EnsureLoadBalancer(name, region string, publicIP net.IP, port
 		return nil, err
 	}
 
+	sourceRanges, err := service.GetLoadBalancerSourceRanges(annotations)
+	if err != nil {
+		return nil, err
+	}
+
 	vpcId, err := s.findVPCID()
 	if err != nil {
 		glog.Error("Error finding VPC", err)
@@ -2003,16 +2009,20 @@ func (s *AWSCloud) EnsureLoadBalancer(name, region string, publicIP net.IP, port
 			return nil, err
 		}
 
+		ec2SourceRanges := []*ec2.IpRange{}
+		for _, sourceRange := range sourceRanges.StringSlice() {
+			ec2SourceRanges = append(ec2SourceRanges, &ec2.IpRange{CidrIp: aws.String(sourceRange)})
+		}
+
 		permissions := []*ec2.IpPermission{}
 		for _, port := range ports {
 			portInt64 := int64(port.Port)
 			protocol := strings.ToLower(string(port.Protocol))
-			sourceIp := "0.0.0.0/0"
 
 			permission := &ec2.IpPermission{}
 			permission.FromPort = &portInt64
 			permission.ToPort = &portInt64
-			permission.IpRanges = []*ec2.IpRange{{CidrIp: &sourceIp}}
+			permission.IpRanges = ec2SourceRanges
 			permission.IpProtocol = &protocol
 
 			permissions = append(permissions, permission)

pkg/cloudprovider/providers/fake/fake.go

@@ -132,7 +132,7 @@ func (f *FakeCloud) GetLoadBalancer(name, region string) (*api.LoadBalancerStatu
 
 // EnsureLoadBalancer is a test-spy implementation of LoadBalancer.EnsureLoadBalancer.
 // It adds an entry "create" into the internal method call record.
-func (f *FakeCloud) EnsureLoadBalancer(name, region string, externalIP net.IP, ports []*api.ServicePort, hosts []string, serviceName types.NamespacedName, affinityType api.ServiceAffinity, annotations cloudprovider.ServiceAnnotation) (*api.LoadBalancerStatus, error) {
+func (f *FakeCloud) EnsureLoadBalancer(name, region string, externalIP net.IP, ports []*api.ServicePort, hosts []string, serviceName types.NamespacedName, affinityType api.ServiceAffinity, annotations map[string]string) (*api.LoadBalancerStatus, error) {
 	f.addCall("create")
 	if f.Balancers == nil {
 		f.Balancers = make(map[string]FakeBalancer)