public_git
/
postgres-operator
mirror of https://github.com/zalando/postgres-operator.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Properly overwrite empty allowed source ranges for load balancers (#392) 

* Properly overwrite empty allowed source ranges for load balancers
This commit is contained in:
zerg-junior 2018-11-06 11:08:45 +01:00 committed by GitHub
parent ccaee94a35
commit 96e3ea9511
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
docs/administrator.md
View File

@ -198,7 +198,9 @@ services to an outer network, one can attach load balancers to them by setting
cluster manifest. In the case any of these variables are omitted from the cluster manifest. In the case any of these variables are omitted from the
manifest, the operator configmap's settings `enable_master_load_balancer` and manifest, the operator configmap's settings `enable_master_load_balancer` and
`enable_replica_load_balancer` apply. Note that the operator settings affect `enable_replica_load_balancer` apply. Note that the operator settings affect
all Postgresql services running in a namespace watched by the operator. all Postgresql services running in all namespaces watched by the operator.
To limit the range of IP adresses that can reach a load balancer, specify desired ranges in the `allowedSourceRanges` field (applies to both master and replica LBs). To prevent exposing LBs to the entire Internet, this field is set at cluster creation time to `127.0.0.1/32` unless overwritten explicitly. If you want to revoke all IP ranges from an existing cluster, please set the `allowedSourceRanges` field to `127.0.0.1/32` or to the empty sequence `[]`. Setting the field to `null` or omitting entirely may lead to k8s removing this field from the manifest due to [the k8s handling of null fields](https://kubernetes.io/docs/concepts/overview/object-management-kubectl/declarative-config/#how-apply-calculates-differences-and-merges-changes). Then the resultant manifest will not have the necessary change, and the operator will respectively do noting with the existing source ranges.
## Running periodic 'autorepair' scans of Kubernetes objects ## Running periodic 'autorepair' scans of Kubernetes objects

15
pkg/cluster/k8sres.go
View File

@ -962,16 +962,17 @@ func (c *Cluster) generateService(role PostgresRole, spec *acidv1.PostgresSpec)
if c.shouldCreateLoadBalancerForService(role, spec) { if c.shouldCreateLoadBalancerForService(role, spec) {
// safe default value: lock load balancer to only local address unless overridden explicitly. // spec.AllowedSourceRanges evaluates to the empty slice of zero length
sourceRanges := []string{localHost} // when omitted or set to 'null'/empty sequence in the PG manifest
if len(spec.AllowedSourceRanges) > 0 {
allowedSourceRanges := spec.AllowedSourceRanges serviceSpec.LoadBalancerSourceRanges = spec.AllowedSourceRanges
if len(allowedSourceRanges) >= 0 { } else {
sourceRanges = allowedSourceRanges // safe default value: lock a load balancer only to the local address unless overridden explicitly
serviceSpec.LoadBalancerSourceRanges = []string{localHost}
} }
c.logger.Debugf("final load balancer source ranges as seen in a service spec (not necessarily applied): %q", serviceSpec.LoadBalancerSourceRanges)
serviceSpec.Type = v1.ServiceTypeLoadBalancer serviceSpec.Type = v1.ServiceTypeLoadBalancer
serviceSpec.LoadBalancerSourceRanges = sourceRanges
annotations = map[string]string{ annotations = map[string]string{
constants.ZalandoDNSNameAnnotation: dnsName, constants.ZalandoDNSNameAnnotation: dnsName,