Merge "[k8s-fedora-atomic] Security group definition for worker nodes"

2 years ago · d76ab4da80
3 changed files with 47 additions and 0 deletions
--- a/doc/source/user/index.rst
+++ b/doc/source/user/index.rst
@ -1257,6 +1257,19 @@ Magnum allows selecting one of multiple controller options via the
 'ingress_controller' label. Check the Kubernetes documentation to define
 your own Ingress resources.

+Traefik:
+Traefik's pods by default expose port 80 and 443 for http(s) traffic
+on the nodes they are running. In kubernetes cluster, these ports are
+closed by default. Cluster administrator needs to add a rule in the
+worker nodes security group. For example::
+
+    openstack security group rule create <SECURITY_GROUP> \
+      --protocol tcp \
+      --dst-port 80:80
+    openstack security group rule create <SECURITY_GROUP> \
+      --protocol tcp \
+      --dst-port 443:443
+
 _`ingress_controller`
  This label sets the Ingress Controller to be used. Currently 'traefik' and
  'octavia' are supported. The default is '', meaning no Ingress Controller
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
@ -638,8 +638,30 @@ resources:
    properties:
      rules:
        - protocol: icmp
+        # Default port range for external service ports.
+        # In future, if the option `manage-security-groups` for ccm works
+        # well, we could remove this rule here.
+        # The PR in ccm is
+        # https://github.com/kubernetes/cloud-provider-openstack/pull/491
        - protocol: tcp
+          port_range_min: 30000
+          port_range_max: 32767
+        # Worker node kubelet healthcheck port.
+        - protocol: tcp
+          port_range_min: 10250
+          port_range_max: 10250
+        # Calico BGP network, only required if the BGP backend is used.
+        - protocol: tcp
+          port_range_min: 179
+          port_range_max: 179
+        # flannel overlay network - udp backend.
+        - protocol: udp
+          port_range_min: 8285
+          port_range_max: 8285
+        # flannel overlay network - vxlan backend.
        - protocol: udp
+          port_range_min: 8472
+          port_range_max: 8472

  ######################################################################
  #
--- a/releasenotes/notes/k8s-nodes-security-group-9d8dbb91b006d9dd.yaml
+++ b/releasenotes/notes/k8s-nodes-security-group-9d8dbb91b006d9dd.yaml
@ -0,0 +1,12 @@
+security:
+  - |
+    Defines more strict security group rules for kubernetes worker nodes. The
+    ports that are open by default: default port range(30000-32767) for
+    external service ports; kubelet healthcheck port; Calico BGP network ports;
+    flannel overlay network ports. The cluster admin should manually config the
+    security group on the nodes where Traefik is allowed. To allow traffic to
+    the default ports (80, 443) that the traefik ingress controller exposes
+    users will need to create additional rules or expose traefik with a
+    kubernetes service with type: LoadBalaner. Finally, the ssh port in worker
+    nodes is closed as well. If ssh access is required, users will need to
+    create a rule for port 22 as well.