Bug 1794839: data/azure: Use a single network security group for Azure clusters #3561
Conversation
|
/approve |
openshift-ci-robot
added
the
approved
|
/test e2e-azure |
The Kubernetes service load balancer programs a cluster specific Azure NSG automatically to expose service load balancers. OpenShift requires all nodes to be able to host service load balancer workloads and so the simplest configuration is to have a single network security group for the whole cluster. This does require exposing port 6443 on all nodes, but in practice this does not reduce security because we cannot rely on network security within the cluster to protect workloads. As a result of this change, a 3 node compact Azure cluster can be grown to have a worker pool at runtime with no disruption to the router or other components that depend on service load balancer.
openshift-ci-robot
removed
the
approved
|
/test e2e-azure |
|
/retest |
abhinavdahiya
changed the title
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: abhinavdahiya, jhixson74 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
|
/lgtm Azure UPI ARM templates might need to be updated too. |
|
And probably for the LB changes too. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
3 similar comments
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/bugzilla refresh |
|
@abhinavdahiya: No Bugzilla bug is referenced in the title of this pull request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
abhinavdahiya
changed the title
openshift-ci-robot
added
bugzilla/severity-high
|
@smarterclayton: This pull request references Bugzilla bug 1794839, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@smarterclayton: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
@smarterclayton: All pull requests linked via external trackers have merged: openshift/installer#3440, openshift/installer#3561. Bugzilla bug 1794839 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
The Kubernetes service load balancer programs a cluster specific
Azure NSG automatically to expose service load balancers. OpenShift
requires all nodes to be able to host service load balancer workloads
and so the simplest configuration is to have a single network security
group for the whole cluster. This does require exposing port 6443 on
all nodes, but in practice this does not reduce security because we
cannot rely on network security within the cluster to protect
workloads.
As a result of this change, a 3 node compact Azure cluster can be
grown to have a worker pool at runtime with no disruption to the
router or other components that depend on service load balancer.