diff --git a/doc/source/user/index.rst b/doc/source/user/index.rst index 63a3cffe04..dd5127316c 100644 --- a/doc/source/user/index.rst +++ b/doc/source/user/index.rst @@ -1257,6 +1257,19 @@ Magnum allows selecting one of multiple controller options via the 'ingress_controller' label. Check the Kubernetes documentation to define your own Ingress resources. +Traefik: +Traefik's pods by default expose port 80 and 443 for http(s) traffic +on the nodes they are running. In kubernetes cluster, these ports are +closed by default. Cluster administrator needs to add a rule in the +worker nodes security group. For example:: + + openstack security group rule create \ + --protocol tcp \ + --dst-port 80:80 + openstack security group rule create \ + --protocol tcp \ + --dst-port 443:443 + _`ingress_controller` This label sets the Ingress Controller to be used. Currently 'traefik' and 'octavia' are supported. The default is '', meaning no Ingress Controller diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml index 66a1bac424..ba23f3edc2 100644 --- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml +++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml 
@@ -638,8 +638,30 @@ resources: properties: rules: - protocol: icmp + # Default port range for external service ports. + # In future, if the option `manage-security-groups` for ccm works + # well, we could remove this rule here. + # The PR in ccm is + # https://github.com/kubernetes/cloud-provider-openstack/pull/491 - protocol: tcp + port_range_min: 30000 + port_range_max: 32767 + # Worker node kubelet healthcheck port. + - protocol: tcp + port_range_min: 10250 + port_range_max: 10250 + # Calico BGP network, only required if the BGP backend is used. + - protocol: tcp + port_range_min: 179 + port_range_max: 179 + # flannel overlay network - udp backend. - protocol: udp + port_range_min: 8285 + port_range_max: 8285 + # flannel overlay network - vxlan backend. + - protocol: udp + port_range_min: 8472 + port_range_max: 8472 ###################################################################### # diff --git a/releasenotes/notes/k8s-nodes-security-group-9d8dbb91b006d9dd.yaml b/releasenotes/notes/k8s-nodes-security-group-9d8dbb91b006d9dd.yaml new file mode 100644 index 0000000000..6fcbfb30ac --- /dev/null +++ b/releasenotes/notes/k8s-nodes-security-group-9d8dbb91b006d9dd.yaml @@ -0,0 +1,12 @@ +security: + - | + Defines more strict security group rules for kubernetes worker nodes. The + ports that are open by default: default port range(30000-32767) for + external service ports; kubelet healthcheck port; Calico BGP network ports; + flannel overlay network ports. The cluster admin should manually config the + security group on the nodes where Traefik is allowed. To allow traffic to + the default ports (80, 443) that the traefik ingress controller exposes + users will need to create additional rules or expose traefik with a + kubernetes service with type: LoadBalaner. Finally, the ssh port in worker + nodes is closed as well. If ssh access is required, users will need to + create a rule for port 22 as well.
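Review bot: in the doc/source/user/index.rst hunk, the two `openstack security group rule create` examples are missing the positional security group argument the command requires, so they fail as written; they also rely on the client defaults (ingress, remote 0.0.0.0/0), which means the rule as shown opens 80/443 on every worker to any source. Suggest completing the example with the group name and an explicit source, e.g. `openstack security group rule create --protocol tcp --dst-port 80:80 --remote-ip <trusted-cidr> <worker-nodes-security-group>`, and saying in the text that the worker-node group name can be found from the cluster's Heat stack. Minor: "In kubernetes cluster, these ports are closed by default. Cluster administrator needs to add" reads better as "In a Kubernetes cluster these ports are closed by default, so the cluster administrator needs to add".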
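Review bot: in the kubecluster.yaml hunk, none of the new rules sets `remote_ip_prefix` or `remote_mode`, so each one (including 10250, 179, 8285 and 8472) is created with the Heat default of ingress from 0.0.0.0/0; only the 30000-32767 NodePort range is meant for external clients, while the kubelet port, Calico BGP and the flannel overlay ports are node-to-node traffic. Suggest restricting those four rules to the cluster's own security group (`remote_mode: remote_group_id` with the worker/master group), so that the kubelet API on 10250 is not reachable from arbitrary sources; the comment "Worker node kubelet healthcheck port" understates what listens there and should say "kubelet API port". The comment pointing at cloud-provider-openstack PR 491 is useful, but the phrase "In future, if the option `manage-security-groups` for ccm works well" should state what the ccm option would replace (the NodePort rule only), so the other rules are not mistaken for temporary ones.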
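Review bot: in the release note hunk, "type: LoadBalaner" is a typo for "type: LoadBalancer", "manually config the security group" should be "manually configure the security group", and "Defines more strict security group rules" reads better as "Defines stricter security group rules". Because closing the SSH port and the previously open TCP/UDP ranges changes what operators can reach on worker nodes, the note should also say whether existing clusters are affected (only newly created or resized node groups get the new rules, or all of them) and list which sources the remaining rules accept; closing port 22 is an operational change and belongs under an `upgrade` section in addition to `security`.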