Open etcd port only when Calico uses "etcd" datastore

kubernetes · Oct 9, 2020 · d0349fd · d0349fd
1 parent f49b194
commit d0349fd
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 7 deletions.
diff --git a/nodeup/pkg/model/networking/calico.go b/nodeup/pkg/model/networking/calico.go
@@ -39,7 +39,7 @@ func (b *CalicoBuilder) Build(c *fi.ModelBuilderContext) error {
 	}
 
 	// @check if tls is enabled and if so, we need to download the client certificates
-	if !b.UseEtcdManager() && b.UseEtcdTLS() {
+	if b.IsKubernetesLT("1.12") && !b.UseEtcdManager() && b.UseEtcdTLS() {
 		name := "calico-client"
 		dirname := "calico"
 		ca := filepath.Join(dirname, "ca.pem")

diff --git a/pkg/apis/kops/cluster.go b/pkg/apis/kops/cluster.go
@@ -674,6 +674,12 @@ func (c *Cluster) IsKubernetesGTE(version string) bool {
 	return clusterVersion.GTE(*parsedVersion)
 }
 
+// IsKubernetesLT checks if the version is < the specified version.
+// It panics if the kubernetes version in the cluster is invalid, or if the version is invalid.
+func (c *Cluster) IsKubernetesLT(version string) bool {
+	return !c.IsKubernetesGTE(version)
+}
+
 // EnvVar represents an environment variable present in a Container.
 type EnvVar struct {
 	// Name of the environment variable. Must be a C_IDENTIFIER.

diff --git a/pkg/model/firewall.go b/pkg/model/firewall.go
@@ -250,10 +250,12 @@ func (b *FirewallModelBuilder) applyNodeToMasterBlockSpecificPorts(c *fi.ModelBu
 	}
 
 	if b.Cluster.Spec.Networking.Calico != nil {
-		// Calico needs to access etcd
-		// TODO: Remove, replace with etcd in calico manifest
-		klog.Warningf("Opening etcd port on masters for access from the nodes, for calico.  This is unsafe in untrusted environments.")
-		tcpBlocked[4001] = false
+		if b.IsKubernetesLT("1.12") {
+			// Calico needs to access etcd
+			// TODO: Remove, replace with etcd in calico manifest
+			klog.Warningf("Opening etcd port on masters for access from the nodes, for calico.  This is unsafe in untrusted environments.")
+			tcpBlocked[4001] = false
+		}
 		protocols = append(protocols, ProtocolIPIP)
 	}
 

diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
@@ -570,7 +570,7 @@ func ReadableStatePaths(cluster *kops.Cluster, role Subject) ([]string, error) {
 				}
 
 				// @check if calico is enabled as the CNI provider and permit access to the client TLS certificate by default
-				if networkingSpec.Calico != nil {
+				if cluster.IsKubernetesLT("1.12") && networkingSpec.Calico != nil {
 					calicoClientCert := false
 					for _, x := range cluster.Spec.EtcdClusters {
 						if x.Provider == kops.EtcdProviderTypeManager {

diff --git a/pkg/model/pki.go b/pkg/model/pki.go
@@ -129,7 +129,7 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
 		})
 
 		// @check if calico is enabled as the CNI provider
-		if b.KopsModelContext.Cluster.Spec.Networking.Calico != nil {
+		if b.IsKubernetesLT("1.12") && b.KopsModelContext.Cluster.Spec.Networking.Calico != nil {
 			c.AddTask(&fitasks.Keypair{
 				Name:      fi.String("calico-client"),
 				Lifecycle: b.Lifecycle,