
[k8s-fedora-atomic] Use ClusterIP for prometheus service

The NodePort type service, by design, bypasses almost all network
security in Kubernetes, so is not recommended to be used in the cloud
environment.

This patch changes the prometheus service type from NodePort to ClusterIP.

Story: #2005098
Task: #29712

Change-Id: Ic47a334bcf81afb87a78a5e66db1a988b473a47e
changes/01/639001/4
Lingxian Kong 2 years ago
parent
commit
2bbfd52abc
  1. 6
      magnum/drivers/common/templates/kubernetes/fragments/enable-prometheus-monitoring.sh
  2. 7
      releasenotes/notes/k8s-prometheus-clusterip-b191fa163e3f1125.yaml

6
magnum/drivers/common/templates/kubernetes/fragments/enable-prometheus-monitoring.sh

@ -197,12 +197,11 @@ metadata:
spec:
selector:
app: prometheus
type: NodePort
type: ClusterIP
ports:
- name: prometheus
protocol: TCP
port: 9090
nodePort: 30900
---
apiVersion: extensions/v1beta1
kind: Deployment
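
Review bot: removing `nodePort: 30900` along with the switch to `type: ClusterIP` on the prometheus Service takes away the only externally reachable endpoint, and nothing in this change says how operators should reach port 9090 afterwards. Only this script and the release note are touched, so please check whether docs, tests or security group rules elsewhere in the driver still refer to 30900 and update them in the same change. A short pointer to an in-cluster access path such as `kubectl port-forward` would also help.
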
@ -307,11 +306,10 @@ metadata:
name: grafana
namespace: prometheus-monitoring
spec:
type: "NodePort"
type: ClusterIP
ports:
- port: 3000
targetPort: 3000
nodePort: 30603
selector:
grafana: "true"
---
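
Review bot: the grafana Service is also switched to `type: ClusterIP` in this hunk and loses `nodePort: 30603`, but the commit title and message only mention the prometheus service. Please name Grafana in the commit message and the release note so operators who open the dashboard on 30603 know that newly created clusters no longer publish it.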

7
releasenotes/notes/k8s-prometheus-clusterip-b191fa163e3f1125.yaml

@ -0,0 +1,7 @@
---
features:
- |
Use ClusterIP as the default Prometheus service type, because the NodePort
type service has the requirement that extra security group rule is properly
configured. Kubernetes cluster administrator could still change the service
type after the cluster creation.
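
Review bot: this note is filed under `features`, but it describes a change in how newly created clusters expose monitoring, so an `upgrade` or `security` section would be a better fit. It should also cover the Grafana service and list the node ports that are no longer published (30900 and 30603), and "has the requirement that extra security group rule is properly configured" reads more clearly as "requires an extra security group rule to be configured".
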