public_git
/
postgres-operator
mirror of https://github.com/zalando/postgres-operator.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Properly overwrite empty allowed source ranges for load balancers

This commit is contained in:
Sergey Dudoladov 2018-09-21 10:21:23 +02:00
parent 688d252752
commit 41c0c547a5
2 changed files with 8 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
docs/administrator.md
View File

@ -198,7 +198,9 @@ services to an outer network, one can attach load balancers to them by setting
cluster manifest. In the case any of these variables are omitted from the cluster manifest. In the case any of these variables are omitted from the
manifest, the operator configmap's settings `enable_master_load_balancer` and manifest, the operator configmap's settings `enable_master_load_balancer` and
`enable_replica_load_balancer` apply. Note that the operator settings affect `enable_replica_load_balancer` apply. Note that the operator settings affect
all Postgresql services running in a namespace watched by the operator. all Postgresql services running in all namespaces watched by the operator.
To limit the range of IP adresses that can reach a load balancer, speficy the desired ranges in the `allowedSourceRanges` field (applies to both master and replica LBs). To prevent exposing LBs to the entire Internet, this field is set by default to `127.0.0.1/32`. To return to this default, explicitly set the field to the empty sequence `[]`; setting it to `null` or omitting entirely may not work due to [k8s handling of null fields](https://kubernetes.io/docs/concepts/overview/object-management-kubectl/declarative-config/#how-apply-calculates-differences-and-merges-changes).
## Running periodic 'autorepair' scans of Kubernetes objects ## Running periodic 'autorepair' scans of Kubernetes objects

8
pkg/cluster/k8sres.go
View File

@ -961,13 +961,15 @@ func (c *Cluster) generateService(role PostgresRole, spec *acidv1.PostgresSpec)
// safe default value: lock load balancer to only local address unless overridden explicitly. // safe default value: lock load balancer to only local address unless overridden explicitly.
sourceRanges := []string{localHost} sourceRanges := []string{localHost}
allowedSourceRanges := spec.AllowedSourceRanges // spec.AllowedSourceRanges evaluates to the empty slice of zero length
if len(allowedSourceRanges) >= 0 { // when omitted or set to 'null'/empty sequence in the PG manifest
sourceRanges = allowedSourceRanges if len(spec.AllowedSourceRanges) > 0 {
sourceRanges = spec.AllowedSourceRanges
} }
serviceSpec.Type = v1.ServiceTypeLoadBalancer serviceSpec.Type = v1.ServiceTypeLoadBalancer
serviceSpec.LoadBalancerSourceRanges = sourceRanges serviceSpec.LoadBalancerSourceRanges = sourceRanges
c.logger.Debugf("final load balancer source ranges as seen in a service spec (not necessarily applied): %q", serviceSpec.LoadBalancerSourceRanges)
annotations = map[string]string{ annotations = map[string]string{
constants.ZalandoDNSNameAnnotation: dnsName, constants.ZalandoDNSNameAnnotation: dnsName,