This repository has been archived by the owner on Feb 5, 2020. It is now read-only.
use explicit ports in security groups #248
Comments
Essentially use this as the guide: https://github.com/coreos/tectonic-installer/blob/master/Documentation/generic-platform.md
@aaronlevy does that list still look correct?
s-urbaniak pushed a commit to s-urbaniak/tectonic-installer that referenced this issue Apr 19, 2017
Currently masters and workers share a pretty open security group. Furthermore workers expose ingress traffic at critical k8s ports like 10250 and 10255. This fixes it by removing the common cluster default security group and specifying separate ingress/egress rules reflecting settings from the current tectonic installer. It also assigns only one security group for masters and workers. Fixes coreos#248, coreos#243
s-urbaniak pushed a commit to s-urbaniak/tectonic-installer that referenced this issue Apr 19, 2017
Currently masters and workers share a pretty open security group. Furthermore workers expose ingress traffic at critical k8s ports like 10250 and 10255. This fixes it by removing the common cluster default security group and specifying separate ingress/egress rules reflecting settings from the current tectonic installer. It also assigns only one security group for masters and workers. Fixes coreos#248, coreos#243, coreos#227
alexsomesan pushed a commit that referenced this issue Apr 19, 2017
* modules/aws: tighten security groups

  Currently masters and workers share a pretty open security group. Furthermore workers expose ingress traffic at critical k8s ports like 10250 and 10255. This fixes it by removing the common cluster default security group and specifying separate ingress/egress rules reflecting settings from the current tectonic installer. It also assigns only one security group for masters and workers. Fixes #248, #243, #227

* Documentation/generic-platform: change flannel port to 4789

  ... because that one is configured and recommended since it is the IANA based one. Tools like tcpdump then decode vxlan packets natively. The old port (8472) is retained as the default port in the kernel for backwards compatibility purposes only, see [1]. Other projects also switched to the new IANA assigned port.

  [1] http://lxr.free-electrons.com/source/drivers/net/vxlan.c#L43
Don't use wildcards
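
An added example, not code from tectonic-installer: a Python check of the rule this issue asks for, flagging ingress rules that open every port and rules that expose the kubelet ports 10250/10255 named in the commit message to sources outside the cluster. The rule dictionaries, the group names and the 10.0.0.0/16 cluster CIDR are constructed for illustration and are not the installer's actual settings.

```python
import ipaddress

SENSITIVE_PORTS = {10250, 10255}  # kubelet ports named in the commit message
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # assumption: constructed cluster CIDR


def covers_all_ports(rule):
    """True for protocol "-1" (all traffic) or a full 0-65535 port range."""
    return rule["protocol"] == "-1" or (
        rule["from_port"] <= 0 and rule["to_port"] >= 65535
    )


def is_external(cidr):
    """True when the source CIDR is not contained in the cluster network."""
    return not ipaddress.ip_network(cidr).subnet_of(VPC_CIDR)


def audit(group_name, rules):
    """Return (group, finding, detail) tuples for one group's ingress rules."""
    findings = []
    for rule in rules:
        if covers_all_ports(rule):
            findings.append((group_name, "wildcard-ports", rule["cidr"]))
            continue
        exposed = sorted(
            p for p in SENSITIVE_PORTS if rule["from_port"] <= p <= rule["to_port"]
        )
        if exposed and is_external(rule["cidr"]):
            findings.append((group_name, "sensitive-port-exposed", exposed))
    return findings


# Constructed sample rules (not taken from the repository).
SHARED_OPEN = [{"protocol": "-1", "from_port": 0, "to_port": 0, "cidr": "0.0.0.0/0"}]
WORKER_LOOSE = [
    {"protocol": "tcp", "from_port": 10000, "to_port": 11000, "cidr": "0.0.0.0/0"},
]
WORKER_EXPLICIT = [
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 10250, "to_port": 10250, "cidr": "10.0.0.0/16"},
    {"protocol": "udp", "from_port": 4789, "to_port": 4789, "cidr": "10.0.0.0/16"},
]

if __name__ == "__main__":
    for name, rules in [("shared", SHARED_OPEN), ("worker-loose", WORKER_LOOSE),
                        ("worker-explicit", WORKER_EXPLICIT)]:
        print(name, audit(name, rules) or "ok")
```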