kubernikus
kubernikus copied to clipboard
Published
20 hours ago •
sapcc
sapcc
Improve lifecycle management of cluster security group
The flight controller is ensuring a couple of entries to the security group that is configured for the cluster.
At the moment the controller reconciles:
- the cluster security group is assigned to every cluster node
- that the ingress for the cluster CIDR is allowed within the security group (is this even necessary?)
We are not reconciling certain assumptions that we probably should in the future to avoid support load.
- egress
- ntp
- dns
- docker hub (maybe not needed anymore)
- regional keppel + swift (for kubelet, kube-proxy, wormhole, dns)
- swift eu-de-1 (rkt download)
Two open questions:
- Do we really need the cluster CIDR security group? I'm not sure its required as I believe that cloud controller manager also configures the pod CIDR ranges on the instance port as "allowed address pairs": https://github.com/kubernetes/cloud-provider-openstack/blob/9b8de65448e7872ac4e83c7342e498127155253b/pkg/openstack/routes.go#L332 If that works reliable we may not need the security group rule to get pod to pod communication working
- What is with communication settings for the loadbalancer <-> backend? Can we ensure a rule there as well to make it work? There is also a "manage security groups" option in the cloud controller manager that we don't use atm.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
![stale[bot] avatar](https://avatars.githubusercontent.com/in/1724?v=4 "Published by a pub.dev verified publisher"){kind=small}