[fedora atomic] Allow traffic between k8s workers
When using calico as the network driver, traffic between k8s worker nodes needs to be allowed; otherwise services may sometimes be inaccessible because connections can't be established. This issue only impacts calico. Task: 30525 Story: 2005294 Change-Id: Ia71283a1abc75a7fb806f2601ac09a685dc5a4bc
parent
4722a64f5e
commit
ecd074484f
|
@ -665,22 +665,6 @@ resources:
|
|||
- protocol: tcp
|
||||
port_range_min: 30000
|
||||
port_range_max: 32767
|
||||
# Worker node kubelet healthcheck port.
|
||||
- protocol: tcp
|
||||
port_range_min: 10250
|
||||
port_range_max: 10250
|
||||
# Calico BGP network, only required if the BGP backend is used.
|
||||
- protocol: tcp
|
||||
port_range_min: 179
|
||||
port_range_max: 179
|
||||
# flannel overlay network - udp backend.
|
||||
- protocol: udp
|
||||
port_range_min: 8285
|
||||
port_range_max: 8285
|
||||
# flannel overlay network - vxlan backend.
|
||||
- protocol: udp
|
||||
port_range_min: 8472
|
||||
port_range_max: 8472
|
||||
# allow any traffic from master nodes
|
||||
- protocol: tcp
|
||||
port_range_min: 1
|
||||
|
@ -693,6 +677,24 @@ resources:
|
|||
remote_mode: 'remote_group_id'
|
||||
remote_group_id: {get_resource: secgroup_kube_master}
|
||||
|
||||
# allow any traffic between worker nodes
|
||||
secgroup_rule_tcp_kube_minion:
|
||||
type: OS::Neutron::SecurityGroupRule
|
||||
properties:
|
||||
protocol: tcp
|
||||
port_range_min: 1
|
||||
port_range_max: 65535
|
||||
security_group: {get_resource: secgroup_kube_minion}
|
||||
remote_group: {get_resource: secgroup_kube_minion}
|
||||
secgroup_rule_udp_kube_minion:
|
||||
type: OS::Neutron::SecurityGroupRule
|
||||
properties:
|
||||
protocol: udp
|
||||
port_range_min: 1
|
||||
port_range_max: 65535
|
||||
security_group: {get_resource: secgroup_kube_minion}
|
||||
remote_group: {get_resource: secgroup_kube_minion}
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# resources that expose the IPs of either the kube master or a given
|
||||
|
|
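Review bot: `secgroup_rule_tcp_kube_minion` and `secgroup_rule_udp_kube_minion` open every TCP and UDP port (1-65535) between members of `secgroup_kube_minion` for every cluster, although the commit message says only calico is affected. If the template declares a condition for the network driver (not visible in these hunks), both resources could carry `condition: <calico_condition_name>` (placeholder), in which case the flannel 8285/8472 rules removed in the first hunk would have to stay for non-calico clusters. Whichever way that goes, the comment should record the scope and the reason, e.g. `# calico only: workers need unrestricted TCP/UDP between each other; source limited to secgroup_kube_minion members`. The rules match TCP and UDP only, so if the calico pool uses IP-in-IP encapsulation (IP protocol 4) that traffic would presumably still be dropped; this should be confirmed against the calico manifest, which is not shown here.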