From 31c82625d6cae5b9cc8fae6f09c9107818dee9b7 Mon Sep 17 00:00:00 2001 From: Lingxian Kong Date: Wed, 20 Feb 2019 16:29:59 +1300 Subject: [PATCH] [k8s-fedora-atomic] Security group definition for worker nodes Defines more strict security group rules for kubernetes worker nodes. The ports that are open by default: default port range(30000-32767) for external service ports; kubelet healthcheck port; Calico BGP network ports; flannel overlay network ports. The cluster admin should manually config the security group on the nodes where Traefik is allowed. Story: #2005082 Task: #29661 Change-Id: Idbc67cb95133d3a4029105e6d4dc92519c816288 --- doc/source/user/index.rst | 13 +++++++++++ .../templates/kubecluster.yaml | 22 +++++++++++++++++++ ...nodes-security-group-9d8dbb91b006d9dd.yaml | 12 ++++++++++ 3 files changed, 47 insertions(+) create mode 100644 releasenotes/notes/k8s-nodes-security-group-9d8dbb91b006d9dd.yaml diff --git a/doc/source/user/index.rst b/doc/source/user/index.rst index 63a3cffe04..dd5127316c 100644 --- a/doc/source/user/index.rst +++ b/doc/source/user/index.rst @@ -1257,6 +1257,19 @@ Magnum allows selecting one of multiple controller options via the 'ingress_controller' label. Check the Kubernetes documentation to define your own Ingress resources. +Traefik: +Traefik's pods by default expose port 80 and 443 for http(s) traffic +on the nodes they are running. In kubernetes cluster, these ports are +closed by default. Cluster administrator needs to add a rule in the +worker nodes security group. For example:: + + openstack security group rule create \ + --protocol tcp \ + --dst-port 80:80 + openstack security group rule create \ + --protocol tcp \ + --dst-port 443:443 + _`ingress_controller` This label sets the Ingress Controller to be used. Currently 'traefik' and 'octavia' are supported. The default is '', meaning no Ingress Controller 
diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
index cd3ad8f3f0..e6b62f0d65 100644
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
@@ -638,8 +638,30 @@ resources:
 properties:
 rules:
 - protocol: icmp
+ # Default port range for external service ports.
+ # In future, if the option `manage-security-groups` for ccm works
+ # well, we could remove this rule here.
+ # The PR in ccm is
+ # https://github.com/kubernetes/cloud-provider-openstack/pull/491
 - protocol: tcp
+ port_range_min: 30000
+ port_range_max: 32767
+ # Worker node kubelet healthcheck port.
+ - protocol: tcp
+ port_range_min: 10250
+ port_range_max: 10250
+ # Calico BGP network, only required if the BGP backend is used.
+ - protocol: tcp
+ port_range_min: 179
+ port_range_max: 179
+ # flannel overlay network - udp backend.
 - protocol: udp
+ port_range_min: 8285
+ port_range_max: 8285
+ # flannel overlay network - vxlan backend.
+ - protocol: udp
+ port_range_min: 8472
+ port_range_max: 8472
 ######################################################################
 #
diff --git a/releasenotes/notes/k8s-nodes-security-group-9d8dbb91b006d9dd.yaml b/releasenotes/notes/k8s-nodes-security-group-9d8dbb91b006d9dd.yaml
new file mode 100644
index 0000000000..6fcbfb30ac
--- /dev/null
+++ b/releasenotes/notes/k8s-nodes-security-group-9d8dbb91b006d9dd.yaml
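Review bot: None of the added rules sets remote_ip_prefix or remote_mode, so the kubelet port 10250, Calico BGP 179 and flannel 8285/8472 are admitted from any source address (the Neutron default when no remote is given), although only other cluster nodes need to reach them. Scoping each with `remote_mode: remote_group_id` (OS::Neutron::SecurityGroup uses the group itself when remote_group_id is omitted), plus a twin rule per port whose remote_group_id is the master nodes' group, presumably keeps API-server-to-kubelet and master/worker overlay traffic working while closing these ports to the outside; the master group resource is not in the hunk, so the fence uses a placeholder for it. The comment `# Worker node kubelet healthcheck port.` understates the exposure, since 10250 is the kubelet API, so I would write `# Kubelet API (10250): used by the API server and other nodes; keep it scoped to cluster groups.`. Only tcp is opened for 30000-32767, so NodePort services using UDP would presumably be unreachable; a matching udp rule may be intended. The security group resource that owns this rules list starts above the hunk.
```yaml
        # … unchanged: icmp and NodePort (tcp 30000-32767) rules …
        # Kubelet API (10250): used by the API server and other nodes; keep it
        # scoped to cluster groups instead of the any-source default.
        # remote_group_id defaults to this group when remote_mode is
        # remote_group_id.
        - protocol: tcp
          port_range_min: 10250
          port_range_max: 10250
          remote_mode: remote_group_id
        - protocol: tcp
          port_range_min: 10250
          port_range_max: 10250
          remote_mode: remote_group_id
          # placeholder: the master nodes' security group resource
          remote_group_id: {get_resource: MASTER_SECGROUP_RESOURCE}
        # Calico BGP network, only required if the BGP backend is used.
        - protocol: tcp
          port_range_min: 179
          port_range_max: 179
          remote_mode: remote_group_id
        # flannel overlay network - udp backend.
        - protocol: udp
          port_range_min: 8285
          port_range_max: 8285
          remote_mode: remote_group_id
        # flannel overlay network - vxlan backend.
        - protocol: udp
          port_range_min: 8472
          port_range_max: 8472
          remote_mode: remote_group_id
        # … same master-group twin (remote_group_id placeholder as above)
        # for 179, 8285 and 8472 if the masters run the overlay agents …
```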
@@ -0,0 +1,12 @@
+security:
+ - |
+ Defines more strict security group rules for kubernetes worker nodes. The
+ ports that are open by default: default port range(30000-32767) for
+ external service ports; kubelet healthcheck port; Calico BGP network ports;
+ flannel overlay network ports. The cluster admin should manually config the
+ security group on the nodes where Traefik is allowed. To allow traffic to
+ the default ports (80, 443) that the traefik ingress controller exposes
+ users will need to create additional rules or expose traefik with a
+ kubernetes service with type: LoadBalaner. Finally, the ssh port in worker
+ nodes is closed as well. If ssh access is required, users will need to
+ create a rule for port 22 as well.