ELB Integration failing when Cluster installed via Terraform #243
Comments
It looks like this is a similar problem to kubernetes/kubernetes#26787. The master and workers all have two security groups that are tagged Perhaps the cluster default security group should not be tagged with KubernetesCluster=?? A fix, assuming it's the right thing to do, would be to patch security-groups.tf so that the KubernetesCluster tag is not added. Further analysis shows that PR 218 added these tags to the file linked above, but probably shouldn't have added the KubernetesCluster tag in there also. I'm unable to add PRs to this project at this time (work reasons); if someone can create a patch for that file, I believe it would fix this particular issue.
We are going to reorganize the security groups to explicitly open ports as needed. We'll keep this aspect in mind when implementing #248 and there should not be any other work necessary to fix this issue once that is complete.
Currently masters and workers share a pretty open security group. Furthermore workers expose ingress traffic at critical k8s ports like 10250 and 10255. This fixes it by removing the common cluster default security group and specifying separate ingress/egress rules reflecting settings from the current tectonic installer. It also assigns only one security group for masters and workers. Fixes coreos#248, coreos#243
Currently masters and workers share a pretty open security group. Furthermore workers expose ingress traffic at critical k8s ports like 10250 and 10255. This fixes it by removing the common cluster default security group and specifying separate ingress/egress rules reflecting settings from the current tectonic installer. It also assigns only one security group for masters and workers. Fixes coreos#248, coreos#243, coreos#227
#264 fixes this by assigning at most one security group for workers/masters.
* modules/aws: tighten security groups

  Currently masters and workers share a pretty open security group. Furthermore workers expose ingress traffic at critical k8s ports like 10250 and 10255.

  This fixes it by removing the common cluster default security group and specifying separate ingress/egress rules reflecting settings from the current tectonic installer.

  It also assigns only one security group for masters and workers.

  Fixes #248, #243, #227

* Documentation/generic-platform: change flannel port to 4789

  ... because that one is configured and recommended since it is the IANA based one. Tools like tcpdump then decode vxlan packets natively.

  The old port (8472) is retained as the default port in the kernel for backwards compatibility purposes only, see [1].

  Other projects also switched to the new IANA assigned port.

  [1] http://lxr.free-electrons.com/source/drivers/net/vxlan.c#L43
resolved by #264
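An added example, not part of the thread or the project's code: a small audit for the two conditions discussed above, namely instances carrying more than one security group tagged `KubernetesCluster` and groups that open ports 10250/10255 to `0.0.0.0/0`. The sample data is constructed in the shape of `aws ec2 describe-security-groups` and `aws ec2 describe-instances` output; the group IDs, instance IDs and the cluster name `demo` are assumptions.

```python
KUBELET_PORTS = (10250, 10255)  # the ports named in the commit message above

# Constructed sample data; every ID and the cluster name "demo" are made up.
GROUPS = [
    {"GroupId": "sg-default", "Tags": [{"Key": "KubernetesCluster", "Value": "demo"}],
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-worker", "Tags": [{"Key": "KubernetesCluster", "Value": "demo"}],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 10250, "ToPort": 10255,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-worker-fixed", "Tags": [{"Key": "KubernetesCluster", "Value": "demo"}],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 10250, "ToPort": 10250,
                        "UserIdGroupPairs": [{"GroupId": "sg-master"}]}]},
]
RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-old", "SecurityGroups": [{"GroupId": "sg-default"},
                                               {"GroupId": "sg-worker"}]},
    {"InstanceId": "i-new", "SecurityGroups": [{"GroupId": "sg-worker-fixed"}]},
]}]

def tagged(group, cluster):
    """True if the group carries KubernetesCluster=<cluster>."""
    return any(t["Key"] == "KubernetesCluster" and t["Value"] == cluster
               for t in group.get("Tags", []))

def multi_tagged_instances(reservations, groups, cluster):
    """Map instance ID -> tagged group IDs, for instances with more than one."""
    by_id = {g["GroupId"]: g for g in groups}
    found = {}
    for res in reservations:
        for inst in res["Instances"]:
            hits = [sg["GroupId"] for sg in inst["SecurityGroups"]
                    if sg["GroupId"] in by_id and tagged(by_id[sg["GroupId"]], cluster)]
            if len(hits) > 1:
                found[inst["InstanceId"]] = hits
    return found

def world_open_kubelet(groups):
    """Group IDs whose ingress rules expose a kubelet port to 0.0.0.0/0."""
    bad = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            world = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)  # "-1" has no ports
            if (world and perm.get("IpProtocol") in ("tcp", "-1")
                    and any(lo <= p <= hi for p in KUBELET_PORTS)):
                bad.append(g["GroupId"])
                break
    return bad

if __name__ == "__main__":
    print(multi_tagged_instances(RESERVATIONS, GROUPS, "demo"))
    print(world_open_kubelet(GROUPS))
```
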
Exposing a service of type='LoadBalancer' fails to provision the ELB in AWS.
Controller logs show the following: