gce: configure public SSH rules when using bastions #17697
Conversation
k8s-ci-robot
added
cncf-cla: yes
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
upodroid
changed the title
|
/cc @hakman |
| if err != nil { | ||
| return err | ||
| } | ||
| b.AddFirewallRulesTasks(c, "ssh-external-to-master", &gcetasks.FirewallRule{ |
There was a problem hiding this comment.
So we are creating tasks with the same name in two places, which is normally a sign that we can tweak the if statement to avoid duplication.
But ... I think the same comment as the other PR. This looks like it affects everyone, not just the scalability test. Can we introduce it behind a feature flag or simialr?
There was a problem hiding this comment.
I changed the logic to remove the duplication of rules.
It's fair to assume:
- Spec.SSHAccess has a value and reaching the masters/nodes from that address isn't an issue
- If you are using a bastion and the instances don't have a public IP, the rule sits there doing nothing
upodroid
force-pushed
the
bastion-patch
branch
from
b9712d5 to
7c80564
Compare
k8s-ci-robot
added
size/S
3 participants
Related to #17680
We are using private topology with scale jobs and the control plane instances configured public IP addresses so we cann SSH to the instances. However, we are not applying the public inbound SSH rule because if a bastion is enabled, it assumes you will always connect to the instances using the bastion which is false in clusterloader2 and
ssh-external-to-masterrules are missing.