[k8s-fedora-atomic] Use ClusterIP for prometheus service

The NodePort type service, by design, bypasses almost all network security in Kubernetes, so is not recommended to be used in the cloud enviroment. This patch changes the prometheus service type from NodePort to ClusterIP. Story: #2005098 Task: #29712 Change-Id: Ic47a334bcf81afb87a78a5e66db1a988b473a47e
2019-02-25 14:23:24 +13:00 · 2019-02-25 14:23:24 +13:00 · 2bbfd52abc
commit 2bbfd52abc
parent 055384343f
2 changed files with 9 additions and 4 deletions
--- a/magnum/drivers/common/templates/kubernetes/fragments/enable-prometheus-monitoring.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/enable-prometheus-monitoring.sh
@ -197,12 +197,11 @@ metadata:
 spec:
  selector:
    app: prometheus
-  type: NodePort
+  type: ClusterIP
  ports:
  - name: prometheus
    protocol: TCP
    port: 9090
-    nodePort: 30900
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
@ -307,11 +306,10 @@ metadata:
  name: grafana
  namespace: prometheus-monitoring
 spec:
-  type: "NodePort"
+  type: ClusterIP
  ports:
    - port: 3000
      targetPort: 3000
-      nodePort: 30603
  selector:
    grafana: "true"
 ---
--- a/releasenotes/notes/k8s-prometheus-clusterip-b191fa163e3f1125.yaml
+++ b/releasenotes/notes/k8s-prometheus-clusterip-b191fa163e3f1125.yaml
@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Use ClusterIP as the default Prometheus service type, because the NodePort
+    type service has the requirement that extra security group rule is properly
+    configured. Kubernetes cluster administrator could still change the service
+    type after the cluster creation.