From 2bbfd52abccc491e3e021d5b2269c3c8136d17d4 Mon Sep 17 00:00:00 2001
From: Lingxian Kong
Date: Mon, 25 Feb 2019 14:23:24 +1300
Subject: [PATCH] [k8s-fedora-atomic] Use ClusterIP for prometheus service

The NodePort type service, by design, bypasses almost all network security in Kubernetes, so is not recommended to be used in the cloud enviroment. This patch changes the prometheus service type from NodePort to ClusterIP.

Story: #2005098
Task: #29712

Change-Id: Ic47a334bcf81afb87a78a5e66db1a988b473a47e
---
 .../kubernetes/fragments/enable-prometheus-monitoring.sh | 6 ++----
 .../notes/k8s-prometheus-clusterip-b191fa163e3f1125.yaml | 7 +++++++
 2 files changed, 9 insertions(+), 4 deletions(-)
 create mode 100644 releasenotes/notes/k8s-prometheus-clusterip-b191fa163e3f1125.yaml

diff --git a/magnum/drivers/common/templates/kubernetes/fragments/enable-prometheus-monitoring.sh b/magnum/drivers/common/templates/kubernetes/fragments/enable-prometheus-monitoring.sh
index 633ee8fbaa..69db973ec7 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/enable-prometheus-monitoring.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/enable-prometheus-monitoring.sh
@@ -197,12 +197,11 @@ metadata:
 spec:
 selector:
 app: prometheus
- type: NodePort
+ type: ClusterIP
 ports:
 - name: prometheus
 protocol: TCP
 port: 9090
- nodePort: 30900
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
@@ -307,11 +306,10 @@ metadata:
 name: grafana
 namespace: prometheus-monitoring
 spec:
- type: "NodePort"
+ type: ClusterIP
 ports:
 - port: 3000
 targetPort: 3000
- nodePort: 30603
 selector:
 grafana: "true"
 ---
diff --git a/releasenotes/notes/k8s-prometheus-clusterip-b191fa163e3f1125.yaml b/releasenotes/notes/k8s-prometheus-clusterip-b191fa163e3f1125.yaml
new file mode 100644
index 0000000000..dd122e9ee1
--- /dev/null
+++ b/releasenotes/notes/k8s-prometheus-clusterip-b191fa163e3f1125.yaml
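Review bot: The second hunk switches the Grafana Service (name: grafana, port 3000) to ClusterIP as well, but the commit subject and the release note name only Prometheus, so an operator reading the notes would not learn that the Grafana dashboard is no longer reachable on a node port either; the release note should state that both Services are now cluster-internal. Neither hunk leaves any hint in the script of how the dashboards are reached after this change; a YAML comment above each Service such as `# ClusterIP: reachable only from inside the cluster (e.g. kubectl port-forward or an Ingress); change the type if external access is required` would make the intent visible where the next maintainer will look. If the script prints or documents the old node-port URLs (30900, 30603) anywhere outside these two hunks, those references need the same update, which I cannot confirm from the lines shown. Each Service definition begins above its hunk (the metadata block is only the @@ context) and ends inside it.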
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ Use ClusterIP as the default Prometheus service type, because the NodePort
+ type service has the requirement that extra security group rule is properly
+ configured. Kubernetes cluster administrator could still change the service
+ type after the cluster creation.