Add support of specifying service tags for Azure cloud provider #61467

Merged
k8s-merge-robot merged 2 commits into kubernetes:master from feiskyer:azure-service-tags on Mar 27, 2018

5 participants
feiskyer (Member) commented Mar 21, 2018

What this PR does / why we need it:

This PR adds support for specifying service tags for the Azure cloud provider via the annotation service.beta.kubernetes.io/azure-allowed-service-tags.

Refer to https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#service-tags for more information about this feature.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #57914

Special notes for your reviewer:

Release note:

The Azure cloud provider now supports specifying allowed service tags via the annotation `service.beta.kubernetes.io/azure-allowed-service-tags`
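The following is an added example, written for this page and not code from the Kubernetes Azure cloud provider, showing the two pieces the PR discussion turns on: reading the annotation off a Service and validating its tags (including the region-suffixed form such as Storage.EastUS that a later commit allows), and the guard that only falls back to the wide-open "Internet" source prefix when there are neither source ranges nor service tags. It assumes the annotation value is a comma-separated list, replaces the project's IPNet set and serviceapi.IsAllowAll with plain CIDR strings and a small stand-in, and validates tags locally, which goes beyond the PR itself (the PR relies on the Azure ARM call to reject tags a given cloud does not offer). The tag names are copied from the supportedServiceTags set shown in the review below.

```go
package main

import (
	"fmt"
	"strings"
)

// Annotation name as introduced by the PR. Treating its value as a
// comma-separated list is an assumption of this example.
const allowedServiceTagsAnnotation = "service.beta.kubernetes.io/azure-allowed-service-tags"

// Copy of the tag names shown in the PR's supportedServiceTags set; this
// example does not import the project's own table.
var supportedServiceTags = map[string]bool{
	"VirtualNetwork": true, "VIRTUAL_NETWORK": true,
	"AzureLoadBalancer": true, "AZURE_LOADBALANCER": true,
	"Internet": true, "INTERNET": true,
	"AzureTrafficManager": true, "Storage": true, "Sql": true,
}

// parseAllowedServiceTags reads the annotation from a Service's metadata
// and validates every entry. A tag may carry a region suffix
// ("Storage.EastUS"): only the part before the first dot must be a
// supported tag; the suffix is passed through to Azure unchanged.
// This local check is an addition of the example; the PR leaves
// rejection of unavailable tags to the ARM call.
func parseAllowedServiceTags(annotations map[string]string) ([]string, error) {
	raw, ok := annotations[allowedServiceTagsAnnotation]
	if !ok || strings.TrimSpace(raw) == "" {
		return nil, nil
	}
	var tags []string
	for _, entry := range strings.Split(raw, ",") {
		tag := strings.TrimSpace(entry)
		if tag == "" {
			continue
		}
		base, region := tag, ""
		if i := strings.IndexByte(tag, '.'); i >= 0 {
			base, region = tag[:i], tag[i+1:]
			if region == "" {
				return nil, fmt.Errorf("service tag %q has an empty region suffix", tag)
			}
		}
		if !supportedServiceTags[base] {
			return nil, fmt.Errorf("unsupported service tag %q in %s", tag, allowedServiceTagsAnnotation)
		}
		tags = append(tags, tag)
	}
	return tags, nil
}

// isAllowAll is a stand-in for serviceapi.IsAllowAll: an empty set of
// loadBalancerSourceRanges, or one containing 0.0.0.0/0, permits any source.
func isAllowAll(sourceRanges []string) bool {
	if len(sourceRanges) == 0 {
		return true
	}
	for _, cidr := range sourceRanges {
		if cidr == "0.0.0.0/0" {
			return true
		}
	}
	return false
}

// sourceAddressPrefixes computes the NSG source prefixes for the Service's
// inbound rule, following the condition the PR adds: the wide-open
// "Internet" prefix is used only when there are no restricting source
// ranges AND no service tags. Otherwise every CIDR and every tag becomes
// its own prefix. A 0.0.0.0/0 range combined with tags takes the second
// branch and is emitted as-is, so in that case the tags do not narrow
// the rule.
func sourceAddressPrefixes(sourceRanges, serviceTags []string) []string {
	if isAllowAll(sourceRanges) && len(serviceTags) == 0 {
		return []string{"Internet"}
	}
	prefixes := make([]string, 0, len(sourceRanges)+len(serviceTags))
	prefixes = append(prefixes, sourceRanges...)
	prefixes = append(prefixes, serviceTags...)
	return prefixes
}

func main() {
	// Constructed sample annotation; not taken from a real cluster.
	annotations := map[string]string{
		allowedServiceTagsAnnotation: "Storage.EastUS, Sql",
	}
	tags, err := parseAllowedServiceTags(annotations)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("no ranges, no tags ->", sourceAddressPrefixes(nil, nil))
	fmt.Println("ranges + tags      ->", sourceAddressPrefixes([]string{"10.0.0.0/8"}, tags))
	_, err = parseAllowedServiceTags(map[string]string{allowedServiceTagsAnnotation: "Bogus"})
	fmt.Println("bogus tag          ->", err)
}
```

The security-relevant point is the guard in sourceAddressPrefixes: before this PR a Service without loadBalancerSourceRanges got an "Internet" source prefix unconditionally; with the annotation present, the rule is restricted to the listed tags instead.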

@k8s-ci-robot k8s-ci-robot requested review from andyzhangx and jdumars Mar 21, 2018

@feiskyer feiskyer requested review from brendandburns and removed request for jdumars and andyzhangx Mar 21, 2018

@feiskyer feiskyer requested a review from andyzhangx Mar 21, 2018

feiskyer (Member) commented Mar 21, 2018

cc @djsly

feiskyer (Member) commented Mar 21, 2018

/retest

feiskyer (Member) commented Mar 21, 2018

/sig azure

// supportedServiceTags holds a list of supported service tags on Azure.
// Refer https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#service-tags for more information.
supportedServiceTags = sets.NewString("VirtualNetwork", "VIRTUAL_NETWORK", "AzureLoadBalancer", "AZURE_LOADBALANCER",
"Internet", "INTERNET", "AzureTrafficManager", "Storage", "Sql")
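Review bot: the set pairs a legacy uppercase spelling with the current one for three tags (VirtualNetwork / VIRTUAL_NETWORK, AzureLoadBalancer / AZURE_LOADBALANCER, Internet / INTERNET) but lists AzureTrafficManager, Storage and Sql only once, and nothing in the comment says why the spellings differ or which form Azure expects; a short note next to the doc link would save the next reader a trip to the Azure docs. Because validation is an exact-match lookup in a hard-coded set, any tag Azure adds later requires a code change here, so a comment pointing out where to extend the list is also worth having.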

djsly (Contributor) Mar 21, 2018

AzureTrafficManager, Storage and Sql are still not available in all Azure clouds (e.g. Germany). If the user used one of those three service tags, where would they be shown the error message?

@feiskyer: (comment minimized)

djsly (Contributor) Mar 22, 2018

Thanks, I guess since it is GA it is fine to keep them listed; I was just wondering what will happen on clouds that do not yet support them (e.g. Germany -- see below).
(screenshot attached: screen shot 2018-03-22 at 07 43 30)

feiskyer (Member) Mar 23, 2018

The Azure ARM call will report errors in such cases, and users can find the error message in the service events (e.g. via kubectl describe service).

djsly (Contributor) Mar 23, 2018

thanks 👍

feiskyer (Member) commented Mar 22, 2018

Pushed a new commit which allows service tags with a region (e.g. Storage.EastUS). @djsly @andyzhangx PTAL

djsly (Contributor) commented Mar 22, 2018

/test pull-kubernetes-e2e-gce

feiskyer (Member) commented Mar 26, 2018

ping @andyzhangx PTAL

var sourceAddressPrefixes []string
if sourceRanges == nil || serviceapi.IsAllowAll(sourceRanges) {
if (sourceRanges == nil || serviceapi.IsAllowAll(sourceRanges)) && len(serviceTags) == 0 {
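Review bot: the new condition only changes when the allow-all fallback applies (it now also requires len(serviceTags) == 0); the else branch that has to fold serviceTags into sourceAddressPrefixes is not visible in this excerpt, and with the new condition an allow-all sourceRanges (0.0.0.0/0) combined with a non-empty serviceTags list now drops into that else branch, so whatever the else branch does with an allow-all range decides whether the tags actually narrow the rule. A one-line comment above the if stating that intent ("service tags alone restrict the rule; tags plus an explicit allow-all range do not") would make the review question below unnecessary.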

andyzhangx (Member) Mar 26, 2018

Is there any possibility that sourceRanges != nil and len(serviceTags) == 0?

feiskyer (Member) Mar 26, 2018

Yep, this is expected to take the actions in the else block.

@andyzhangx

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm label Mar 26, 2018

k8s-ci-robot (Contributor) commented Mar 26, 2018

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andyzhangx, feiskyer

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

k8s-merge-robot (Contributor) commented Mar 26, 2018

/test all

Tests are more than 96 hours old. Re-running tests.

feiskyer (Member) commented Mar 26, 2018

/retest

k8s-merge-robot (Contributor) commented Mar 27, 2018

Automatic merge from submit-queue (batch tested with PRs 61434, 61501, 59609, 61467, 61531). If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-merge-robot k8s-merge-robot merged commit 408588a into kubernetes:master Mar 27, 2018

14 checks passed

Submit Queue: Queued to run github e2e tests a second time.
cla/linuxfoundation: feiskyer authorized
pull-kubernetes-bazel-build: Job succeeded.
pull-kubernetes-bazel-test: Job succeeded.
pull-kubernetes-cross: Skipped
pull-kubernetes-e2e-gce: Job succeeded.
pull-kubernetes-e2e-gce-device-plugin-gpu: Job succeeded.
pull-kubernetes-e2e-gke: Skipped
pull-kubernetes-e2e-kops-aws: Job succeeded.
pull-kubernetes-integration: Job succeeded.
pull-kubernetes-kubemark-e2e-gce: Job succeeded.
pull-kubernetes-node-e2e: Job succeeded.
pull-kubernetes-typecheck: Job succeeded.
pull-kubernetes-verify: Job succeeded.

@feiskyer feiskyer deleted the feiskyer:azure-service-tags branch Mar 27, 2018
