[k8s-fedora-atomic] Security group definition for worker nodes
Defines more strict security group rules for Kubernetes worker nodes. The ports that are open by default: default port range (30000-32767) for external service ports; kubelet healthcheck port; Calico BGP network ports; flannel overlay network ports. The cluster admin should manually configure the security group on the nodes where Traefik is allowed.

Story: #2005082
Task: #29661
Change-Id: Idbc67cb95133d3a4029105e6d4dc92519c816288
parent 91d84ff01d
commit 31c82625d6
@ -1257,6 +1257,19 @@ Magnum allows selecting one of multiple controller options via the
'ingress_controller' label. Check the Kubernetes documentation to define
your own Ingress resources.

Traefik:
Traefik's pods by default expose port 80 and 443 for http(s) traffic
on the nodes they are running. In kubernetes cluster, these ports are
closed by default. Cluster administrator needs to add a rule in the
worker nodes security group. For example::

openstack security group rule create <SECURITY_GROUP> \
--protocol tcp \
--dst-port 80:80
openstack security group rule create <SECURITY_GROUP> \
--protocol tcp \
--dst-port 443:443

_`ingress_controller`
This label sets the Ingress Controller to be used. Currently 'traefik' and
'octavia' are supported. The default is '', meaning no Ingress Controller
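Review bot: the two `openstack security group rule create` examples accept traffic from any source address (no `--remote-ip` is given), which is what a public ingress needs, but the text should say so explicitly since the rest of this change deliberately closes every other port. The paragraph should also mention the alternative that this change's release note gives, exposing Traefik through a Service of `type: LoadBalancer`, and that port 22 is closed by the same change, so an operator reading only this section is not surprised. Minor grammar: "In a Kubernetes cluster, these ports are closed by default. The cluster administrator needs to add rules to the worker nodes' security group."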
@ -638,8 +638,30 @@ resources:
properties:
rules:
- protocol: icmp
# Default port range for external service ports.
# In future, if the option `manage-security-groups` for ccm works
# well, we could remove this rule here.
# The PR in ccm is
# https://github.com/kubernetes/cloud-provider-openstack/pull/491
- protocol: tcp
port_range_min: 30000
port_range_max: 32767
# Worker node kubelet healthcheck port.
- protocol: tcp
port_range_min: 10250
port_range_max: 10250
# Calico BGP network, only required if the BGP backend is used.
- protocol: tcp
port_range_min: 179
port_range_max: 179
# flannel overlay network - udp backend.
- protocol: udp
port_range_min: 8285
port_range_max: 8285
# flannel overlay network - vxlan backend.
- protocol: udp
port_range_min: 8472
port_range_max: 8472

######################################################################
#
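Review bot: none of the new rules set `remote_ip_prefix` or `remote_mode`, so the kubelet port (10250), Calico BGP (179) and the flannel UDP ports (8285, 8472) are accepted from any source, not only from other cluster nodes; of these only the 30000-32767 NodePort range needs to be reachable from outside the cluster. Consider restricting the intra-cluster rules with `remote_mode: remote_group_id` and a `remote_group_id` pointing at the cluster's own node security group, so that 10250 in particular, which fronts the kubelet API, is not reachable from the whole network. The comment block above the NodePort rule should also state what `manage-security-groups` does, so a future reader knows when the rule can actually be removed rather than only that a PR exists.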
@ -0,0 +1,12 @@
security:
- |
Defines more strict security group rules for kubernetes worker nodes. The
ports that are open by default: default port range(30000-32767) for
external service ports; kubelet healthcheck port; Calico BGP network ports;
flannel overlay network ports. The cluster admin should manually config the
security group on the nodes where Traefik is allowed. To allow traffic to
the default ports (80, 443) that the traefik ingress controller exposes
users will need to create additional rules or expose traefik with a
kubernetes service with type: LoadBalaner. Finally, the ssh port in worker
nodes is closed as well. If ssh access is required, users will need to
create a rule for port 22 as well.
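Review bot: `type: LoadBalaner` is a typo for `type: LoadBalancer`; this is the value users will copy from the release note, so it needs fixing before merge. "manually config" should read "manually configure", and "kubernetes"/"traefik" should be capitalised as "Kubernetes"/"Traefik". It would also help operators if the note listed the port numbers being opened (10250, 179, 8285, 8472) next to their names, matching the template comments in this change, and said whether those rules are restricted to cluster sources, since that is the security property an upgrade reader most needs to know.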