CORS-4264: Update the GCP provider to allow users to skip firewall actions

barbacbd · barbacbd · commit c1b7342ab7dc · 2025-10-21T09:58:36.000-04:00
cluster:
Update the scripts to include the new variables

providers/gce:

Update the config to include the new `ManageFirewallRules` boolean setting. This
variable will allow users to skip the creation, deletion, and updates to firewall
rules when set to false. Users may not want or have the ability to add the permissions
to perform these actions on their service account. When this is the case the firewall rules
should be pre created and managed by someone with permissions to achieve the same goal.
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
@@ -958,6 +958,14 @@ EOF
     use_cloud_config="true"
     cat <<EOF >>/etc/gce.conf
 regional = ${MULTIMASTER}
+EOF
+  fi
+# UnmanageFirewallRules indicates that the firewall
+# rules should not be managed by the provider.
+  if [[ -n "${UNMANAGEFIREWALLRULES:-}" ]]; then
+    use_cloud_config="true"
+    cat <<EOF >>/etc/gce.conf
+unmanage-firewall-rules = ${UNMANAGEFIREWALLRULES}
 EOF
   fi
   if [[ -n "${GCE_ALPHA_FEATURES:-}" ]]; then
diff --git a/cluster/gce/util.sh b/cluster/gce/util.sh
@@ -1190,6 +1190,7 @@ KUBE_DOCKER_REGISTRY: $(yaml-quote "${KUBE_DOCKER_REGISTRY:-}")
 KUBE_ADDON_REGISTRY: $(yaml-quote "${KUBE_ADDON_REGISTRY:-}")
 MULTIZONE: $(yaml-quote "${MULTIZONE:-}")
 MULTIMASTER: $(yaml-quote "${MULTIMASTER:-}")
+UNMANAGEFIREWALLRULES: $(yaml-quote "${UNMANAGEFIREWALLRULES:-}")
 NON_MASQUERADE_CIDR: $(yaml-quote "${NON_MASQUERADE_CIDR:-}")
 ENABLE_DEFAULT_STORAGE_CLASS: $(yaml-quote "${ENABLE_DEFAULT_STORAGE_CLASS:-}")
 # (TODO/cloud-provider-gcp): Need to figure out how to inject this
diff --git a/providers/gce/gce.go b/providers/gce/gce.go
@@ -209,6 +209,8 @@ type Cloud struct {
 
 	// enableRBSDefaultForL4NetLB disable Service controller from picking up services by default
 	enableRBSDefaultForL4NetLB bool
+
+	unmanageFirewallRules bool
 }
 
 // ConfigGlobal is the in memory representation of the gce.conf config data
@@ -246,6 +248,11 @@ type ConfigGlobal struct {
 	// Default to none.
 	// For example: MyFeatureFlag
 	AlphaFeatures []string `gcfg:"alpha-features"`
+
+	// UnmanageFirewallRules should be set to true when the provider should not
+	// create, delete, or update firewall rules. For instance, when a user does not have the
+	// permissions to create firewall rules the rule creation should be skipped to avoid errors.
+	UnmanageFirewallRules bool `gcfg:"manage-firewall-rules"`
 }
 
 // ConfigFile is the struct used to parse the /etc/gce.conf configuration file.
@@ -273,13 +280,14 @@ type CloudConfig struct {
 	SubnetworkName       string
 	SubnetworkURL        string
 	// DEPRECATED: Do not rely on this value as it may be incorrect.
-	SecondaryRangeName string
-	NodeTags           []string
-	NodeInstancePrefix string
-	TokenSource        oauth2.TokenSource
-	UseMetadataServer  bool
-	AlphaFeatureGate   *AlphaFeatureGate
-	StackType          string
+	SecondaryRangeName    string
+	NodeTags              []string
+	NodeInstancePrefix    string
+	TokenSource           oauth2.TokenSource
+	UseMetadataServer     bool
+	AlphaFeatureGate      *AlphaFeatureGate
+	StackType             string
+	UnmanageFirewallRules bool
 }
 
 func init() {
@@ -370,6 +378,7 @@ func generateCloudConfig(configFile *ConfigFile) (cloudConfig *CloudConfig, err
 		cloudConfig.NodeTags = configFile.Global.NodeTags
 		cloudConfig.NodeInstancePrefix = configFile.Global.NodeInstancePrefix
 		cloudConfig.AlphaFeatureGate = NewAlphaFeatureGate(configFile.Global.AlphaFeatures)
+		cloudConfig.UnmanageFirewallRules = configFile.Global.UnmanageFirewallRules
 	}
 
 	// retrieve projectID and zone
@@ -573,6 +582,7 @@ func CreateGCECloud(config *CloudConfig) (*Cloud, error) {
 		metricsCollector:         newLoadBalancerMetrics(),
 		projectsBasePath:         getProjectsBasePath(service.BasePath),
 		stackType:                StackType(config.StackType),
+		unmanageFirewallRules:    config.UnmanageFirewallRules,
 	}
 
 	gce.manager = &gceServiceManager{gce}
@@ -784,6 +794,11 @@ func (g *Cloud) IsLegacyNetwork() bool {
 	return g.unsafeIsLegacyNetwork
 }
 
+// UnmanageFirewallRules returns true if the provider is not managing firewall rule creation, deletion, and updates.
+func (g *Cloud) UnmanageFirewallRules() bool {
+	return g.unmanageFirewallRules
+}
+
 // SetInformers sets up the zone handlers we need watching for node changes.
 func (g *Cloud) SetInformers(informerFactory informers.SharedInformerFactory) {
 	klog.Infof("Setting up informers for Cloud")
diff --git a/providers/gce/gce_fake.go b/providers/gce/gce_fake.go
@@ -30,30 +30,32 @@ import (
 
 // TestClusterValues holds the config values for the fake/test gce cloud object.
 type TestClusterValues struct {
-	ProjectID         string
-	Region            string
-	ZoneName          string
-	SecondaryZoneName string
-	ClusterID         string
-	ClusterName       string
-	OnXPN             bool
-	Regional          bool
-	NetworkURL        string
-	SubnetworkURL     string
-	StackType         StackType
+	ProjectID             string
+	Region                string
+	ZoneName              string
+	SecondaryZoneName     string
+	ClusterID             string
+	ClusterName           string
+	OnXPN                 bool
+	Regional              bool
+	NetworkURL            string
+	SubnetworkURL         string
+	StackType             StackType
+	UnmanageFirewallRules bool
 }
 
 // DefaultTestClusterValues Creates a reasonable set of default cluster values
 // for generating a new test fake GCE cloud instance.
 func DefaultTestClusterValues() TestClusterValues {
 	return TestClusterValues{
-		ProjectID:         "test-project",
-		Region:            "us-central1",
-		ZoneName:          "us-central1-b",
-		SecondaryZoneName: "us-central1-c",
-		ClusterID:         "test-cluster-id",
-		ClusterName:       "Test-Cluster-Name",
-		StackType:         clusterStackIPV4,
+		ProjectID:             "test-project",
+		Region:                "us-central1",
+		ZoneName:              "us-central1-b",
+		SecondaryZoneName:     "us-central1-c",
+		ClusterID:             "test-cluster-id",
+		ClusterName:           "Test-Cluster-Name",
+		StackType:             clusterStackIPV4,
+		UnmanageFirewallRules: false,
 	}
 }
 
@@ -75,20 +77,21 @@ func NewFakeGCECloud(vals TestClusterValues) *Cloud {
 		panic(err)
 	}
 	gce := &Cloud{
-		region:              vals.Region,
-		service:             service,
-		managedZones:        []string{vals.ZoneName},
-		localZone:           vals.ZoneName,
-		projectID:           vals.ProjectID,
-		networkProjectID:    vals.ProjectID,
-		ClusterID:           fakeClusterID(vals.ClusterID),
-		onXPN:               vals.OnXPN,
-		metricsCollector:    newLoadBalancerMetrics(),
-		projectsBasePath:    getProjectsBasePath(service.BasePath),
-		regional:            vals.Regional,
-		networkURL:          vals.NetworkURL,
-		unsafeSubnetworkURL: vals.SubnetworkURL,
-		stackType:           vals.StackType,
+		region:                vals.Region,
+		service:               service,
+		managedZones:          []string{vals.ZoneName},
+		localZone:             vals.ZoneName,
+		projectID:             vals.ProjectID,
+		networkProjectID:      vals.ProjectID,
+		ClusterID:             fakeClusterID(vals.ClusterID),
+		onXPN:                 vals.OnXPN,
+		metricsCollector:      newLoadBalancerMetrics(),
+		projectsBasePath:      getProjectsBasePath(service.BasePath),
+		regional:              vals.Regional,
+		networkURL:            vals.NetworkURL,
+		unsafeSubnetworkURL:   vals.SubnetworkURL,
+		stackType:             vals.StackType,
+		unmanageFirewallRules: vals.UnmanageFirewallRules,
 	}
 	c := cloud.NewMockGCE(&gceProjectRouter{gce})
 	gce.c = c
diff --git a/providers/gce/gce_firewall.go b/providers/gce/gce_firewall.go
@@ -32,6 +32,10 @@ func newFirewallMetricContext(request string) *metricContext {
 
 // GetFirewall returns the Firewall by name.
 func (g *Cloud) GetFirewall(name string) (*compute.Firewall, error) {
+	if g.unmanageFirewallRules {
+		return nil, nil
+	}
+
 	ctx, cancel := cloud.ContextWithCallTimeout()
 	defer cancel()
 
@@ -42,6 +46,10 @@ func (g *Cloud) GetFirewall(name string) (*compute.Firewall, error) {
 
 // CreateFirewall creates the passed firewall
 func (g *Cloud) CreateFirewall(f *compute.Firewall) error {
+	if g.unmanageFirewallRules {
+		return nil
+	}
+
 	ctx, cancel := cloud.ContextWithCallTimeout()
 	defer cancel()
 
@@ -51,6 +59,10 @@ func (g *Cloud) CreateFirewall(f *compute.Firewall) error {
 
 // DeleteFirewall deletes the given firewall rule.
 func (g *Cloud) DeleteFirewall(name string) error {
+	if g.unmanageFirewallRules {
+		return nil
+	}
+
 	ctx, cancel := cloud.ContextWithCallTimeout()
 	defer cancel()
 
@@ -60,6 +72,10 @@ func (g *Cloud) DeleteFirewall(name string) error {
 
 // UpdateFirewall applies the given firewall as an update to an existing service.
 func (g *Cloud) UpdateFirewall(f *compute.Firewall) error {
+	if g.unmanageFirewallRules {
+		return nil
+	}
+
 	ctx, cancel := cloud.ContextWithCallTimeout()
 	defer cancel()
 
@@ -69,6 +85,10 @@ func (g *Cloud) UpdateFirewall(f *compute.Firewall) error {
 
 // PatchFirewall applies the given firewall as an update to an existing service.
 func (g *Cloud) PatchFirewall(f *compute.Firewall) error {
+	if g.unmanageFirewallRules {
+		return nil
+	}
+
 	ctx, cancel := cloud.ContextWithCallTimeout()
 	defer cancel()
 
diff --git a/providers/gce/gce_loadbalancer_external.go b/providers/gce/gce_loadbalancer_external.go
@@ -964,6 +964,11 @@ func translateAffinityType(affinityType v1.ServiceAffinity) string {
 }
 
 func (g *Cloud) firewallNeedsUpdate(name, serviceName, ipAddress string, ports []v1.ServicePort, sourceRanges utilnet.IPNetSet) (exists bool, needsUpdate bool, err error) {
+	if g.unmanageFirewallRules {
+		klog.V(2).Infof("firewallNeedsUpdate(%v): firewall rules are unmanaged", name)
+		return false, false, nil
+	}
+
 	fw, err := g.GetFirewall(MakeFirewallName(name))
 	if err != nil {
 		if isHTTPErrorCode(err, http.StatusNotFound) {
@@ -1009,6 +1014,11 @@ func (g *Cloud) firewallNeedsUpdate(name, serviceName, ipAddress string, ports [
 }
 
 func (g *Cloud) ensureHTTPHealthCheckFirewall(svc *v1.Service, serviceName, ipAddress, region, clusterID string, hosts []*gceInstance, hcName string, hcPort int32, isNodesHealthCheck bool) error {
+	if g.unmanageFirewallRules {
+		klog.V(2).Infof("ensureHTTPHealthCheckFirewall(%v): firewall rules are unmanaged", hcName)
+		return nil
+	}
+
 	// Prepare the firewall params for creating / checking.
 	desc := fmt.Sprintf(`{"kubernetes.io/cluster-id":"%s"}`, clusterID)
 	if !isNodesHealthCheck {
@@ -1083,6 +1093,11 @@ func createForwardingRule(s CloudForwardingRuleService, name, serviceName, regio
 }
 
 func (g *Cloud) createFirewall(svc *v1.Service, name, desc, destinationIP string, sourceRanges utilnet.IPNetSet, ports []v1.ServicePort, hosts []*gceInstance) error {
+	if g.unmanageFirewallRules {
+		klog.V(2).Infof("createFirewall(%v): firewall rules are unmanaged", name)
+		return nil
+	}
+
 	firewall, err := g.firewallObject(name, desc, destinationIP, sourceRanges, ports, hosts)
 	if err != nil {
 		return err
diff --git a/providers/gce/gce_loadbalancer_internal.go b/providers/gce/gce_loadbalancer_internal.go
@@ -406,6 +406,10 @@ func (g *Cloud) ensureInternalLoadBalancerDeleted(clusterName, clusterID string,
 	}
 
 	deleteFunc := func(fwName string) error {
+		if g.unmanageFirewallRules {
+			klog.V(2).Infof("ensureInternalLoadBalancerDeleted(%v): firewall rules are unmanaged", fwName)
+			return nil
+		}
 		if err := ignoreNotFound(g.DeleteFirewall(fwName)); err != nil {
 			if isForbidden(err) && g.OnXPN() {
 				klog.V(2).Infof("ensureInternalLoadBalancerDeleted(%v): could not delete traffic firewall on XPN cluster. Raising event.", loadBalancerName)
@@ -481,6 +485,11 @@ func (g *Cloud) teardownInternalHealthCheckAndFirewall(svc *v1.Service, hcName s
 	}
 	klog.V(2).Infof("teardownInternalHealthCheckAndFirewall(%v): health check deleted", hcName)
 
+	if g.unmanageFirewallRules {
+		klog.V(2).Infof("teardownInternalHealthCheckAndFirewall(%v): unmanaged firewall rules", hcName)
+		return nil
+	}
+
 	hcFirewallName := makeHealthCheckFirewallNameFromHC(hcName)
 	if err := ignoreNotFound(g.DeleteFirewall(hcFirewallName)); err != nil {
 		if isForbidden(err) && g.OnXPN() {
@@ -497,6 +506,11 @@ func (g *Cloud) teardownInternalHealthCheckAndFirewall(svc *v1.Service, hcName s
 
 func (g *Cloud) ensureInternalFirewall(svc *v1.Service, fwName, fwDesc, destinationIP string, sourceRanges []string, portRanges []string, protocol v1.Protocol, nodes []*v1.Node, legacyFwName string) error {
 	klog.V(2).Infof("ensureInternalFirewall(%v): checking existing firewall", fwName)
+	if g.unmanageFirewallRules {
+		klog.V(2).Infof("ensureInternalFirewall(%v): firewall rules are unmanaged", fwName)
+		return nil
+	}
+
 	targetTags, err := g.GetNodeTags(nodeNames(nodes))
 	if err != nil {
 		return err
