
fix: firewall rules for autopilot clusters are ineffective. add cluster_network_tag to autopilot cluster network_tags if firewalls are toggled on #1817

Merged

Conversation

GorginZ
Contributor

@GorginZ GorginZ commented Dec 14, 2023

GorginZ and others added 28 commits May 12, 2023 08:53
@GorginZ GorginZ requested review from ericyz and a team as code owners December 14, 2023 06:13
@apeabody
Collaborator

/gcbrun

@apeabody
Collaborator

/gcbrun

@apeabody
Collaborator

Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:34Z command.go:100: Running command gcloud with args [config get-value project --format json]
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:34Z command.go:185: "cloud-foundation-cicd"
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:34Z command.go:100: Running command gcloud with args [config get-value project --format json]
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:35Z command.go:185: "cloud-foundation-cicd"
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:35Z command.go:100: Running command gcloud with args [compute firewall-rules --project ci-gke-b70466df-s4fn describe gke-autopilot-private-firewalls-intra-cluster-egress --format json]
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:36Z command.go:185: ERROR: (gcloud.compute.firewall-rules.describe) Could not fetch resource:
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:36Z command.go:185:  - The resource 'projects/ci-gke-b70466df-s4fn/global/firewalls/gke-autopilot-private-firewalls-intra-cluster-egress' was not found
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:36Z command.go:185: 
Step #90 - "verify autopilot-private-firewalls":     gcloud.go:84: error while running command: exit status 1; ERROR: (gcloud.compute.firewall-rules.describe) Could not fetch resource:
Step #90 - "verify autopilot-private-firewalls":          - The resource 'projects/ci-gke-b70466df-s4fn/global/firewalls/gke-autopilot-private-firewalls-intra-cluster-egress' was not found
Step #90 - "verify autopilot-private-firewalls":         
Step #90 - "verify autopilot-private-firewalls": 2024/06/13 16:33:36 RUN_STAGE env var set to verify
Step #90 - "verify autopilot-private-firewalls": 2024/06/13 16:33:36 Skipping stage teardown
Step #90 - "verify autopilot-private-firewalls": --- FAIL: TestAutopilotPrivateFirewalls (11.34s)

I do see a gke-autopilot-private-firewalls-cluster-intra-cluster-egress firewall

@GorginZ
Contributor Author

GorginZ commented Jun 15, 2024

Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:34Z command.go:100: Running command gcloud with args [config get-value project --format json]
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:34Z command.go:185: "cloud-foundation-cicd"
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:34Z command.go:100: Running command gcloud with args [config get-value project --format json]
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:35Z command.go:185: "cloud-foundation-cicd"
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:35Z command.go:100: Running command gcloud with args [compute firewall-rules --project ci-gke-b70466df-s4fn describe gke-autopilot-private-firewalls-intra-cluster-egress --format json]
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:36Z command.go:185: ERROR: (gcloud.compute.firewall-rules.describe) Could not fetch resource:
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:36Z command.go:185:  - The resource 'projects/ci-gke-b70466df-s4fn/global/firewalls/gke-autopilot-private-firewalls-intra-cluster-egress' was not found
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:36Z command.go:185: 
Step #90 - "verify autopilot-private-firewalls":     gcloud.go:84: error while running command: exit status 1; ERROR: (gcloud.compute.firewall-rules.describe) Could not fetch resource:
Step #90 - "verify autopilot-private-firewalls":          - The resource 'projects/ci-gke-b70466df-s4fn/global/firewalls/gke-autopilot-private-firewalls-intra-cluster-egress' was not found
Step #90 - "verify autopilot-private-firewalls":         
Step #90 - "verify autopilot-private-firewalls": 2024/06/13 16:33:36 RUN_STAGE env var set to verify
Step #90 - "verify autopilot-private-firewalls": 2024/06/13 16:33:36 Skipping stage teardown
Step #90 - "verify autopilot-private-firewalls": --- FAIL: TestAutopilotPrivateFirewalls (11.34s)

I do see a gke-autopilot-private-firewalls-cluster-intra-cluster-egress firewall

Ah thanks @apeabody for posting this, led me to notice my test code was trimming the -cluster suffix from the clusterName, no idea why I did that. Have pushed fix.

@GorginZ GorginZ requested a review from apeabody June 15, 2024 22:40
@apeabody
Collaborator

/gcbrun

@apeabody
Collaborator

Step #91 - "destroy autopilot-private-firewalls":         	Error:      	Received unexpected error:
Step #91 - "destroy autopilot-private-firewalls":         	            	FatalError{Underlying: error while running command: exit status 1; 
Step #91 - "destroy autopilot-private-firewalls":         	            	Error: Cannot destroy cluster because deletion_protection is set to true. Set it to false to proceed with cluster deletion.
Step #91 - "destroy autopilot-private-firewalls":         	            	}
Step #91 - "destroy autopilot-private-firewalls":         	Test:       	TestAutopilotPrivateFirewalls

GorginZ and others added 2 commits June 18, 2024 08:37
set deletion_protection to false

Co-authored-by: Andrew Peabody <[email protected]>
@GorginZ GorginZ requested a review from apeabody June 17, 2024 22:40
@apeabody
Collaborator

/gcbrun

@GorginZ
Contributor Author

GorginZ commented Jun 19, 2024

@apeabody need anything else from my end?

Collaborator

@apeabody apeabody left a comment

Thanks for the contribution @GorginZ!

@apeabody apeabody merged commit e7b20cd into terraform-google-modules:master Jun 20, 2024
4 checks passed
CPL-markus pushed a commit to WALTER-GROUP/terraform-google-kubernetes-engine that referenced this pull request Jul 15, 2024
…er_network_tag to autopilot cluster network_tags if firewalls are toggled on (terraform-google-modules#1817)

Co-authored-by: Andrew Peabody <[email protected]>
wyardley added a commit to wyardley/terraform-google-kubernetes-engine that referenced this pull request Sep 26, 2024
While terraform-google-modules#1817 added autopilot support for adding tags to
`node_pool_auto_config` when `add_cluster_firewall_rules` is set to
`true`, the same change did not apply for standard (non-autopilot)
clusters with cluster level autoscaling (nodepool autoprovisioning) in
place.

Fixes terraform-google-modules#2104

Signed-off-by: William Yardley <[email protected]>
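The failure this PR fixes is a firewall rule that exists but selects no node: the module's rules target the cluster network tag, and Autopilot nodes (which only take tags from `nodePoolAutoConfig`) were never given it. The check below is an added example, not the module's own terratest code. It reads the JSON shapes that `gcloud compute firewall-rules describe --format json` and `gcloud container clusters describe --format json` produce (field names `targetTags`, `nodePoolAutoConfig.networkTags.tags` and `nodePools[].config.tags` are the Compute and Container API names), collects every tag a node in the cluster can carry, and reports rules whose `targetTags` match none of them. The sample rules and the two cluster documents (before and after the tag is set on `nodePoolAutoConfig`) are constructed for the example; the tag `gke-example-cluster` and the rule names are placeholders, not values from the page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// FirewallRule holds the fields of a Compute Engine firewall rule that decide
// which instances it applies to (subset of `gcloud compute firewall-rules describe --format json`).
type FirewallRule struct {
	Name       string   `json:"name"`
	Direction  string   `json:"direction"`
	TargetTags []string `json:"targetTags"`
}

// Cluster holds the two places a GKE cluster can attach network tags to nodes:
// nodePoolAutoConfig (Autopilot and node auto-provisioned nodes) and the
// explicit node pools (subset of `gcloud container clusters describe --format json`).
type Cluster struct {
	NodePoolAutoConfig struct {
		NetworkTags struct {
			Tags []string `json:"tags"`
		} `json:"networkTags"`
	} `json:"nodePoolAutoConfig"`
	NodePools []struct {
		Name   string `json:"name"`
		Config struct {
			Tags []string `json:"tags"`
		} `json:"config"`
	} `json:"nodePools"`
}

// NodeTags collects every network tag any node in the cluster can carry.
func NodeTags(c Cluster) map[string]bool {
	tags := map[string]bool{}
	for _, t := range c.NodePoolAutoConfig.NetworkTags.Tags {
		tags[t] = true
	}
	for _, np := range c.NodePools {
		for _, t := range np.Config.Tags {
			tags[t] = true
		}
	}
	return tags
}

// IneffectiveRules returns, sorted by name, the rules whose targetTags match no
// tag carried by any node of the cluster: they exist but protect nothing.
// Rules without targetTags apply to every instance in the network and are skipped.
func IneffectiveRules(rulesJSON, clusterJSON []byte) ([]string, error) {
	var rules []FirewallRule
	if err := json.Unmarshal(rulesJSON, &rules); err != nil {
		return nil, fmt.Errorf("parse firewall rules: %w", err)
	}
	var c Cluster
	if err := json.Unmarshal(clusterJSON, &c); err != nil {
		return nil, fmt.Errorf("parse cluster: %w", err)
	}
	have := NodeTags(c)
	bad := []string{}
	for _, r := range rules {
		if len(r.TargetTags) == 0 {
			continue // network-wide rule, no tag to miss
		}
		matched := false
		for _, t := range r.TargetTags {
			if have[t] {
				matched = true
				break
			}
		}
		if !matched {
			bad = append(bad, r.Name)
		}
	}
	sort.Strings(bad)
	return bad, nil
}

// Constructed sample inputs (not real gcloud output). Two module-style rules
// target the cluster tag; the third has no targetTags and applies network-wide.
const rulesJSON = `[
  {"name": "gke-example-cluster-intra-cluster-egress", "direction": "EGRESS",  "targetTags": ["gke-example-cluster"]},
  {"name": "gke-example-cluster-webhooks",             "direction": "INGRESS", "targetTags": ["gke-example-cluster"]},
  {"name": "allow-health-checks",                      "direction": "INGRESS"}
]`

// Autopilot cluster before the fix: nodePoolAutoConfig carries no tags and there
// are no user-managed node pools, so no node can match the rules above.
const autopilotBeforeJSON = `{"nodePoolAutoConfig": {}}`

// The same cluster after the fix: the cluster network tag is set on
// nodePoolAutoConfig, so every Autopilot node receives it.
const autopilotAfterJSON = `{"nodePoolAutoConfig": {"networkTags": {"tags": ["gke-example-cluster"]}}}`

func main() {
	for _, tc := range []struct{ label, cluster string }{
		{"before fix", autopilotBeforeJSON},
		{"after fix", autopilotAfterJSON},
	} {
		bad, err := IneffectiveRules([]byte(rulesJSON), []byte(tc.cluster))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: ineffective rules = %v\n", tc.label, bad)
	}
}
```

Run against real output by piping `gcloud compute firewall-rules list --format json` and `gcloud container clusters describe ... --format json` into the two parameters; an empty result after provisioning is the condition the `verify` stage in this PR is meant to establish, and a non-empty one is exactly the silent gap the original issue describes.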
Successfully merging this pull request may close these issues.

Firewall rules for Autopilot clusters are ineffective