[fedora atomic] Allow traffic between k8s workers

When using calico as network driver, the traffic between k8s worker nodes need to be allowed otherwise services maybe not accessible sometimes because connection can't be established. This issue only impacts calico. Task: 30525 Story: 2005294 Change-Id: Ia71283a1abc75a7fb806f2601ac09a685dc5a4bc
2019-04-16 19:23:35 +12:00 · 2019-04-16 19:23:35 +12:00 · ecd074484f
parent 4722a64f5e
commit ecd074484f
1 changed files with 18 additions and 16 deletions
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
@ -665,22 +665,6 @@ resources:
        - protocol: tcp
          port_range_min: 30000
          port_range_max: 32767
-        # Worker node kubelet healthcheck port.
-        - protocol: tcp
-          port_range_min: 10250
-          port_range_max: 10250
-        # Calico BGP network, only required if the BGP backend is used.
-        - protocol: tcp
-          port_range_min: 179
-          port_range_max: 179
-        # flannel overlay network - udp backend.
-        - protocol: udp
-          port_range_min: 8285
-          port_range_max: 8285
-        # flannel overlay network - vxlan backend.
-        - protocol: udp
-          port_range_min: 8472
-          port_range_max: 8472
        # allow any traffic from master nodes
        - protocol: tcp
          port_range_min: 1
@ -693,6 +677,24 @@ resources:
          remote_mode: 'remote_group_id'
          remote_group_id: {get_resource: secgroup_kube_master}

+  # allow any traffic between worker nodes
+  secgroup_rule_tcp_kube_minion:
+    type: OS::Neutron::SecurityGroupRule
+    properties:
+      protocol: tcp
+      port_range_min: 1
+      port_range_max: 65535
+      security_group: {get_resource: secgroup_kube_minion}
+      remote_group: {get_resource: secgroup_kube_minion}
+  secgroup_rule_udp_kube_minion:
+    type: OS::Neutron::SecurityGroupRule
+    properties:
+      protocol: udp
+      port_range_min: 1
+      port_range_max: 65535
+      security_group: {get_resource: secgroup_kube_minion}
+      remote_group: {get_resource: secgroup_kube_minion}
+
  ######################################################################
  #
  # resources that expose the IPs of either the kube master or a given