Bug 1794839: data/azure: Use a single network security group for Azure clusters #3561
Commits on May 6, 2020
-
data/azure: Use a single network security group for Azure clusters
The Kubernetes service load balancer programs a cluster specific Azure NSG automatically to expose service load balancers. OpenShift requires all nodes to be able to host service load balancer workloads and so the simplest configuration is to have a single network security group for the whole cluster. This does require exposing port 6443 on all nodes, but in practice this does not reduce security because we cannot rely on network security within the cluster to protect workloads. As a result of this change, a 3 node compact Azure cluster can be grown to have a worker pool at runtime with no disruption to the router or other components that depend on service load balancer.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.