Fix load-balancer firewall messages

docs/services-firewalls.md

@@ -29,6 +29,10 @@ well as any provider specific details that may be necessary.
 
 
 ### Google Compute Engine
+When using a Service with `spec.type: LoadBalancer`, the firewall will be
+opened automatically.  When using `spec.type: NodePort`, however, the firewall
+is *not* opened by default.
+
 Google Compute Engine firewalls are documented [elsewhere](https://cloud.google.com/compute/docs/networking#firewalls_1).
 
 You can add a firewall with the ```gcloud``` command line tool:
@@ -40,18 +44,27 @@ gcloud compute firewall-rules create my-rule --allow=tcp:<port>
 **Note**
 There is one important security note when using firewalls on Google Compute Engine:
 
-Firewalls are defined per-vm, rather than per-ip address.  This means that if you open a firewall for that service's ports,
+as of kubernmetes v1.0.0, GCE firewalls are defined per-vm, rather than per-ip
-anything that serves on that port on that VM's host IP address may potentially serve traffic.
+address.  This means that when you open a firewall for a service's ports,
-
+anything that serves on that port on that VM's host IP address may potentially
-Note that this is not a problem for other Kubernetes services, as they listen on IP addresses that are different than the
+serve traffic.  Note that this is not a problem for other Kubernetes services,
-host node's external IP address.
+as they listen on IP addresses that are different than the host node's external
+IP address.
 
 Consider:
-   * You create a Service with an external load balancer (IP Address 1.2.3.4) and port 80
+   * You create a Service with an external load balancer (IP Address 1.2.3.4)
-   * You open the firewall for port 80 for all nodes in your cluster, so that the external Service actually can deliver packets to your Service
+     and port 80
-   * You start an nginx server, running on port 80 on the host virtual machine (IP Address 2.3.4.5).  This nginx is **also** exposed to the internet on the VM's external IP address.
+   * You open the firewall for port 80 for all nodes in your cluster, so that
+     the external Service actually can deliver packets to your Service
+   * You start an nginx server, running on port 80 on the host virtual machine
+     (IP Address 2.3.4.5).  This nginx is **also** exposed to the internet on
+     the VM's external IP address.
 
-Consequently, please be careful when opening firewalls in Google Compute Engine or Google Container Engine.  You may accidentally be exposing other services to the wilds of the internet.
+Consequently, please be careful when opening firewalls in Google Compute Engine
+or Google Container Engine.  You may accidentally be exposing other services to
+the wilds of the internet.
+
+This will be fixed in an upcoming release of Kubernetes.
 
 ### Other cloud providers
 Coming soon.

docs/user-guide/connecting-applications.md

@@ -226,12 +226,11 @@ spec:
   selector:
     app: nginx
 ```
-You should see a similar message informing you about firewall rules on port 80:
+
 ```shell
 $ kubectl delete svc nginxsvc
 $ kubectl create -f nginxsvc.yaml
-An external load-balanced service was created.  On many platforms (e.g. Google Compute Engine),
+services/nginxsvc
-you will also need to explicitly open a Firewall rule for the service port(s) (tcp:80) to serve traffic.
 
 $ kubectl get service nginxsvc -o json | grep \"ip\"
 "ip": "104.197.37.222"

examples/guestbook-go/README.md

@@ -201,9 +201,6 @@ Just like the others, we create a service to group the guestbook pods but this t
 1. Use the [guestbook-service.json](guestbook-service.json) file to create the guestbook service by running the `kubectl create -f` *`filename`* command:
     ```shell
     $ kubectl create -f examples/guestbook-go/guestbook-service.json
-		  An external load-balanced service was created.  On many platforms (e.g. Google Compute Engine),
-          you will also need to explicitly open a Firewall rule for the service port(s) (tcp:3000) to serve traffic.
-          See https://github.com/GoogleCloudPlatform/kubernetes/tree/master/docs/services-firewall.md for more details.
     ```
 
 
@@ -231,14 +228,6 @@ You can now play with the guestbook that you just created by opening it in a bro
 
     2. Append port `3000` to the IP address (for example `http://146.148.81.8:3000`), and then navigate to that address in your browser.
 
-    **Remember:** You might need to open the firewall for port `3000`. 
-    If you're using Google Compute Engine, you can use the [Developers Console][cloud-console] or the `gcloud` CLI to open port `3000`. 
-
-    To use the `gcloud` CLI, you can run the following command to allow traffic from any source to instances tagged `kubernetes-minion`:
-    ```shell
-    $ gcloud compute firewall-rules create --allow=tcp:3000 --target-tags=kubernetes-minion kubernetes-minion-3000
-    ```
-
     Result: The guestbook displays in your browser:
 
     ![Guestbook](guestbook-page.png)

pkg/kubectl/cmd/create.go

@@ -121,23 +121,15 @@ func RunCreate(f *cmdutil.Factory, out io.Writer, filenames util.StringList) err
 func printObjectSpecificMessage(obj runtime.Object, out io.Writer) {
 	switch obj := obj.(type) {
 	case *api.Service:
-		if obj.Spec.Type == api.ServiceTypeLoadBalancer {
-			msg := fmt.Sprintf(`
-			An external load-balanced service was created.  On many platforms (e.g. Google Compute Engine),
-			you will also need to explicitly open a Firewall rule for the service port(s) (%s) to serve traffic.
-
-			See https://github.com/GoogleCloudPlatform/kubernetes/tree/master/docs/services-firewalls.md for more details.
-			`, makePortsString(obj.Spec.Ports, false))
-			out.Write([]byte(msg))
-		}
 		if obj.Spec.Type == api.ServiceTypeNodePort {
-			msg := fmt.Sprintf(`
+			msg := fmt.Sprintf(
-				You have exposed your service on an external port on all nodes in your cluster.
+				`You have exposed your service on an external port on all nodes in your
-				If you want to expose this service to the external internet, you may need to set up
+cluster.  If you want to expose this service to the external internet, you may
-				firewall rules for the service port(s) (%s) to serve traffic.
+need to set up firewall rules for the service port(s) (%s) to serve traffic.
 
-				See https://github.com/GoogleCloudPlatform/kubernetes/tree/master/docs/services-firewalls.md for more details.
+See http://releases.k8s.io/HEAD/docs/services-firewalls.md for more details.
-				`, makePortsString(obj.Spec.Ports, true))
+`,
+				makePortsString(obj.Spec.Ports, true))
 			out.Write([]byte(msg))
 		}
 	}

pkg/kubectl/cmd/create_test.go

@@ -147,7 +147,7 @@ func TestPrintObjectSpecificMessage(t *testing.T) {
 		},
 		{
 			obj:          &api.Service{Spec: api.ServiceSpec{Type: api.ServiceTypeLoadBalancer}},
-			expectOutput: true,
+			expectOutput: false,
 		},
 		{
 			obj:          &api.Service{Spec: api.ServiceSpec{Type: api.ServiceTypeNodePort}},