[k8s-fedora-atomic] Use ClusterIP for prometheus service

The NodePort type service, by design, bypasses almost all network
security in Kubernetes, so it is not recommended to be used in the cloud
environment.

This patch changes the prometheus service type from NodePort to ClusterIP.

Story: #2005098
Task: #29712

Change-Id: Ic47a334bcf81afb87a78a5e66db1a988b473a47e
Lingxian Kong 2019-02-25 14:23:24 +13:00
parent 055384343f
commit 2bbfd52abc
2 changed files with 9 additions and 4 deletions

@ -197,12 +197,11 @@ metadata:
spec: spec:
selector: selector:
app: prometheus app: prometheus
type: NodePort type: ClusterIP
ports: ports:
- name: prometheus - name: prometheus
protocol: TCP protocol: TCP
port: 9090 port: 9090
nodePort: 30900
--- ---
apiVersion: extensions/v1beta1 apiVersion: extensions/v1beta1
kind: Deployment kind: Deployment
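Review bot: with `nodePort: 30900` dropped and `type: ClusterIP` set on the prometheus Service, port 9090 is reachable only from inside the cluster, and nothing in this hunk tells an operator how to reach the UI afterwards. Suggest a short comment above the Service, or a line in the driver docs, pointing to an authenticated path such as `kubectl port-forward` or the API server proxy, so nobody re-opens the node port as a workaround.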
@ -307,11 +306,10 @@ metadata:
name: grafana name: grafana
namespace: prometheus-monitoring namespace: prometheus-monitoring
spec: spec:
type: "NodePort" type: ClusterIP
ports: ports:
- port: 3000 - port: 3000
targetPort: 3000 targetPort: 3000
nodePort: 30603
selector: selector:
grafana: "true" grafana: "true"
--- ---
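Review bot: the grafana Service in this hunk also moves from `type: "NodePort"` to `type: ClusterIP` and loses `nodePort: 30603`, but the commit subject and message name only the prometheus service. Please mention Grafana in the commit message so the change in exposure of port 3000 is discoverable from the log.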

@ -0,0 +1,7 @@
---
features:
- |
Use ClusterIP as the default Prometheus service type, because the NodePort
type service has the requirement that extra security group rule is properly
configured. Kubernetes cluster administrator could still change the service
type after the cluster creation.
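Review bot: this note is filed under `features:`, yet it describes a behaviour change: the fixed node ports removed in the template (30900 and 30603) are no longer served on clusters created after this change. Consider moving it to an `upgrade:` (or `security:`) section, and name the Grafana service alongside Prometheus, since both are switched to ClusterIP.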