
[k8s-fedora-atomic] Security group definition for worker nodes

Defines more strict security group rules for Kubernetes worker nodes. The
ports that are open by default: default port range (30000-32767) for
external service ports; kubelet healthcheck port; Calico BGP network ports;
flannel overlay network ports. The cluster admin should manually configure the
security group on the nodes where Traefik is allowed.

Story: #2005082
Task: #29661
Change-Id: Idbc67cb95133d3a4029105e6d4dc92519c816288
changes/69/638069/10
Lingxian Kong 2 years ago
parent commit 31c82625d6
Files changed:

1. doc/source/user/index.rst (13 additions)
2. magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml (22 additions)
3. releasenotes/notes/k8s-nodes-security-group-9d8dbb91b006d9dd.yaml (12 additions)

doc/source/user/index.rst (13 additions)

@ -1257,6 +1257,19 @@ Magnum allows selecting one of multiple controller options via the
'ingress_controller' label. Check the Kubernetes documentation to define
your own Ingress resources.
Traefik:
Traefik's pods by default expose port 80 and 443 for http(s) traffic
on the nodes they are running. In kubernetes cluster, these ports are
closed by default. Cluster administrator needs to add a rule in the
worker nodes security group. For example::
openstack security group rule create <SECURITY_GROUP> \
--protocol tcp \
--dst-port 80:80
openstack security group rule create <SECURITY_GROUP> \
--protocol tcp \
--dst-port 443:443
_`ingress_controller`
This label sets the Ingress Controller to be used. Currently 'traefik' and
'octavia' are supported. The default is '', meaning no Ingress Controller
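Review bot: The two example rules open ports 80 and 443 to every source, because neither `--remote-ip` nor `--remote-group` is given and the CLI then defaults to 0.0.0.0/0; since the commit message says the admin should only open the security group "on the nodes where Traefik is allowed", the example should either show a scoped source (for example `--remote-ip <TRUSTED_CIDR>` or `--remote-group <LB_SECURITY_GROUP>`, both placeholders) or state explicitly that the rule as written accepts traffic from anywhere. Minor wording: "In kubernetes cluster, these ports are closed by default" should read "In a Kubernetes cluster, these ports are closed by default", and `--dst-port 80:80` can simply be `--dst-port 80`. The release note in this same change also says SSH port 22 is now closed on worker nodes; that belongs in this user doc too, next to this example, so operators who relied on SSH to nodes find the new rule they need without digging through release notes.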

magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml (22 additions)

@ -638,8 +638,30 @@ resources:
properties:
rules:
- protocol: icmp
# Default port range for external service ports.
# In future, if the option `manage-security-groups` for ccm works
# well, we could remove this rule here.
# The PR in ccm is
# https://github.com/kubernetes/cloud-provider-openstack/pull/491
- protocol: tcp
port_range_min: 30000
port_range_max: 32767
# Worker node kubelet healthcheck port.
- protocol: tcp
port_range_min: 10250
port_range_max: 10250
# Calico BGP network, only required if the BGP backend is used.
- protocol: tcp
port_range_min: 179
port_range_max: 179
# flannel overlay network - udp backend.
- protocol: udp
port_range_min: 8285
port_range_max: 8285
# flannel overlay network - vxlan backend.
- protocol: udp
port_range_min: 8472
port_range_max: 8472
######################################################################
#
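Review bot: None of the five new rules sets `remote_mode`/`remote_group_id` or `remote_ip_prefix`, so Heat hands them to Neutron without a remote restriction and each port is reachable from any source, not only from cluster members. That may be intended for the NodePort range 30000-32767, but the kubelet port 10250, Calico BGP port 179 and the flannel UDP ports 8285/8472 are only ever exchanged between the master and the worker nodes; scoping those four rules to the cluster (for example `remote_mode: remote_group_id` with `remote_group_id` pointing at the master and worker security groups via `get_resource`, or `remote_ip_prefix` set to the cluster subnet CIDR) would match the "more strict" goal stated in the commit message instead of exposing the kubelet API to the whole network. The comment on the 10250 rule is also slightly misleading: 10250 is the kubelet API port that the API server uses for logs, exec and metrics as well as health checks, while the kubelet's own healthz endpoint listens on 10248 by default; suggest "Worker node kubelet API port (used by the master for health checks, logs and exec)". Finally, the rationale comment about the ccm `manage-security-groups` option and the linked PR is useful, but a short note on which network backends the 179/8285/8472 rules correspond to in this driver's `network_driver` label would help the next person decide whether they can be made conditional.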

releasenotes/notes/k8s-nodes-security-group-9d8dbb91b006d9dd.yaml (12 additions)

@ -0,0 +1,12 @@
security:
- |
Defines more strict security group rules for kubernetes worker nodes. The
ports that are open by default: default port range(30000-32767) for
external service ports; kubelet healthcheck port; Calico BGP network ports;
flannel overlay network ports. The cluster admin should manually config the
security group on the nodes where Traefik is allowed. To allow traffic to
the default ports (80, 443) that the traefik ingress controller exposes
users will need to create additional rules or expose traefik with a
kubernetes service with type: LoadBalaner. Finally, the ssh port in worker
nodes is closed as well. If ssh access is required, users will need to
create a rule for port 22 as well.
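Review bot: Typo in "type: LoadBalaner": the Kubernetes Service type is `type: LoadBalancer`; also "manually config" should be "manually configure", "port range(30000-32767)" needs a space before the parenthesis, and "kubernetes"/"traefik" should be capitalised as elsewhere in the docs. Closing SSH port 22 on worker nodes is a behaviour change for existing users who relied on it, so it deserves an `upgrade:` entry in this reno file in addition to the `security:` one, and the note should point at the same `openstack security group rule create` command the user docs use for ports 80/443 so readers know exactly how to add the port 22 rule when they need it.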