Merge pull request #2349 from neiljerram/default-allow-port-6443

Merge pull request #2336 from neiljerram/default-allow-port-6443
projectcalico · May 26, 2020 · ca5e8bf · ca5e8bf
2 parents 204a0f5 + c27a803
commit ca5e8bf
Show file tree

Hide file tree

Showing 6 changed files with 26 additions and 3 deletions.
diff --git a/config/config_params.go b/config/config_params.go
@@ -229,8 +229,8 @@ type Config struct {
 	PrometheusGoMetricsEnabled      bool   `config:"bool;true"`
 	PrometheusProcessMetricsEnabled bool   `config:"bool;true"`
 
-	FailsafeInboundHostPorts  []ProtoPort `config:"port-list;tcp:22,udp:68,tcp:179,tcp:2379,tcp:2380,tcp:6666,tcp:6667;die-on-fail"`
-	FailsafeOutboundHostPorts []ProtoPort `config:"port-list;udp:53,udp:67,tcp:179,tcp:2379,tcp:2380,tcp:6666,tcp:6667;die-on-fail"`
+	FailsafeInboundHostPorts  []ProtoPort `config:"port-list;tcp:22,udp:68,tcp:179,tcp:2379,tcp:2380,tcp:6443,tcp:6666,tcp:6667;die-on-fail"`
+	FailsafeOutboundHostPorts []ProtoPort `config:"port-list;udp:53,udp:67,tcp:179,tcp:2379,tcp:2380,tcp:6443,tcp:6666,tcp:6667;die-on-fail"`
 
 	KubeNodePortRanges []numorstring.Port `config:"portrange-list;30000:32767"`
 	NATPortRange       numorstring.Port   `config:"portrange;"`

diff --git a/config/config_params_test.go b/config/config_params_test.go
@@ -353,6 +353,7 @@ var _ = DescribeTable("Config parsing",
 			{Protocol: "tcp", Port: 179},
 			{Protocol: "tcp", Port: 2379},
 			{Protocol: "tcp", Port: 2380},
+			{Protocol: "tcp", Port: 6443},
 			{Protocol: "tcp", Port: 6666},
 			{Protocol: "tcp", Port: 6667},
 		},
@@ -365,6 +366,7 @@ var _ = DescribeTable("Config parsing",
 			{Protocol: "tcp", Port: 179},
 			{Protocol: "tcp", Port: 2379},
 			{Protocol: "tcp", Port: 2380},
+			{Protocol: "tcp", Port: 6443},
 			{Protocol: "tcp", Port: 6666},
 			{Protocol: "tcp", Port: 6667},
 		},
@@ -381,6 +383,7 @@ var _ = DescribeTable("Config parsing",
 			{Protocol: "tcp", Port: 179},
 			{Protocol: "tcp", Port: 2379},
 			{Protocol: "tcp", Port: 2380},
+			{Protocol: "tcp", Port: 6443},
 			{Protocol: "tcp", Port: 6666},
 			{Protocol: "tcp", Port: 6667},
 		},
@@ -392,6 +395,7 @@ var _ = DescribeTable("Config parsing",
 			{Protocol: "tcp", Port: 179},
 			{Protocol: "tcp", Port: 2379},
 			{Protocol: "tcp", Port: 2380},
+			{Protocol: "tcp", Port: 6443},
 			{Protocol: "tcp", Port: 6666},
 			{Protocol: "tcp", Port: 6667},
 		},

diff --git a/fv/connectivity/conncheck.go b/fv/connectivity/conncheck.go
@@ -523,7 +523,7 @@ type CheckCmd struct {
 	recvLen int
 }
 
-// BinaryName is the name of the binry that the connectivity Check() executes
+// BinaryName is the name of the binary that the connectivity Check() executes
 const BinaryName = "test-connection"
 
 // Run executes the check command

diff --git a/fv/hostendpoints_test.go b/fv/hostendpoints_test.go
@@ -126,6 +126,11 @@ func describeHostEndpointTests(getInfra infrastructure.InfraFactory, allInterfac
 		cc.ExpectNone(felixes[0], w[1])
 		cc.ExpectNone(felixes[1], w[0])
 	}
+	expectConnectivityToAPIServer := func() {
+		ip := connectivity.TargetIP(infra.(*infrastructure.K8sDatastoreInfra).EndpointIP)
+		cc.ExpectSome(felixes[0], ip, 6443)
+		cc.ExpectSome(felixes[1], ip, 6443)
+	}
 
 	Context("with no policies and no profiles on the host endpoints", func() {
 		BeforeEach(func() {
@@ -153,6 +158,11 @@ func describeHostEndpointTests(getInfra infrastructure.InfraFactory, allInterfac
 			}
 		})
 
+		It("should allow connectivity from nodes to the Kubernetes API server", func() {
+			expectConnectivityToAPIServer()
+			cc.CheckConnectivity()
+		})
+
 		It("should block all traffic except pod-to-pod and host-to-own-pod traffic", func() {
 			expectDenyHostToHostTraffic()
 			expectDenyHostToOtherPodTraffic()

diff --git a/fv/infrastructure/infra_k8s.go b/fv/infrastructure/infra_k8s.go
@@ -57,6 +57,7 @@ type K8sDatastoreInfra struct {
 	K8sClient    *kubernetes.Clientset
 
 	Endpoint    string
+	EndpointIP  string
 	BadEndpoint string
 
 	CertFileName string
@@ -267,6 +268,7 @@ func setupK8sDatastoreInfra() (*K8sDatastoreInfra, error) {
 		return nil, err
 	}
 
+	kds.EndpointIP = kds.k8sApiContainer.IP
 	kds.Endpoint = fmt.Sprintf("https://%s:6443", kds.k8sApiContainer.IP)
 	kds.BadEndpoint = fmt.Sprintf("https://%s:1234", kds.k8sApiContainer.IP)
 

diff --git a/fv/test-connection/test-connection.go b/fv/test-connection/test-connection.go
@@ -315,6 +315,13 @@ func tryConnect(remoteIPAddr, remotePort, sourceIPAddr, sourcePort, protocol str
 		_ = tc.Close()
 	}()
 
+	if remotePort == "6443" {
+		// Testing for connectivity to the Kubernetes API server.  If we reach here, we're
+		// good.  Skip sending and receiving any data, as that would need TLS.
+		connectivity.Result{}.PrintToStdout()
+		return nil
+	}
+
 	if loopFile != "" {
 		return tc.tryLoopFile(loopFile)
 	}