Open AWS security group port range tcp/9000-10000 #6920
Ports tcp/9000-10000 have been designated for intra-cluster services, such as prometheus node_exporter (tcp/9100) where infra nodes must be able to scrape targets on all nodes, including master, infra and compute nodes. This range is reserved for this service type.

Signed-off-by: Aaron Weitekamp <aweiteka@redhat.com>

/cc @smarterclayton
| @@ -244,6 +244,11 @@ openshift_aws_node_security_groups: | |||
| from_port: all | |||
| to_port: all | |||
| group_name: "{{ openshift_aws_clusterid }}" | |||
| - proto: tcp | |||
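Review bot: the `- proto: tcp` entry added here is already subsumed by the rule in the context lines directly above it (`from_port: all` / `to_port: all` for `group_name: "{{ openshift_aws_clusterid }}"`), so as the hunk stands the new rule grants nothing the node security group does not already allow. Either narrow that all/all entry at the same time, or add a comment next to the new rule stating that tcp/9000-10000 is the reserved intra-cluster range (node_exporter on tcp/9100 per the description) so the intent survives if the broad rule is later removed; in both cases keep the new rule scoped by `group_name` to the cluster security group rather than a CIDR source, since the description calls this intra-cluster traffic.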
I think we should default this for GCP as well. openshift_node_open_ports is supposed to get added to the firewall rules. If we default openshift_node_open_ports, then loop through it to set this default, we can keep it consistent between both.
The default on GCP is:
openshift_node_open_ports: [{"service":"Router stats port", "port":"1936/tcp"}, {"service":"Allowed open host ports", "port":"9000-10000/tcp"}, {"service":"Allowed open host ports", "port":"9000-10000/udp"}]
@smarterclayton, Are you wanting to combine these ports with the currently defined loadbalancer ports?
The line above this allows:
- proto: all
from_port: all
to_port: all
group_name: "{{ openshift_aws_clusterid }}"
Is this change necessary? If we remove the all to all then this should be good but with how it stands today it should work. Maybe I missed something.
I confirmed this change is necessary.
/retest
@aweiteka while I appreciate and agree with reserving a portRange, what do you do for those whose apps do fall exactly within that portRange? In my case we do have to extend the servicePortRange because my app does use 9101/2 tcp ports. Ideally would be nice to have

@aweiteka you agree?
Supporting a port range in GCE/AWS is simple via a variable (default to 9000-10000, can override @DanyC97). However it looks like our iptables module doesn't support port ranges. Given my lack of experience testing all environments I'm reluctant to get too deep into this. @kwoodson any thoughts on how to handle this in the short term? openshift_node_open_ports defaults to
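Two points in this thread lend themselves to a worked check: the reviewer's observation that the existing `all/all` rule already covers a tcp/9000-10000 entry scoped to the same cluster security group, and the question of how a `"9000-10000/tcp"` entry from `openshift_node_open_ports` would be expressed as an AWS rule or as an iptables port range. The following is an added example written for this page, not code from openshift-ansible; it assumes the rule dict shape visible in the diff (`proto`, `from_port`, `to_port`, `group_name`), the `port` string format quoted from the GCP default, and uses a placeholder for the `{{ openshift_aws_clusterid }}` template value.

```python
import re
from typing import Iterable

# Constructed sample: the GCP default quoted in this thread, in its
# openshift_node_open_ports shape.
GCP_NODE_OPEN_PORTS = [
    {"service": "Router stats port", "port": "1936/tcp"},
    {"service": "Allowed open host ports", "port": "9000-10000/tcp"},
    {"service": "Allowed open host ports", "port": "9000-10000/udp"},
]

# Placeholder for the Jinja template the role uses as the source group name.
CLUSTER_GROUP = "{{ openshift_aws_clusterid }}"

# Constructed sample mirroring the openshift_aws_node_security_groups entry
# shown in the diff context: everything allowed from the cluster's own group.
AWS_NODE_RULES = [
    {"proto": "all", "from_port": "all", "to_port": "all", "group_name": CLUSTER_GROUP},
]

# Accepts "9100/tcp" and "9000-10000/udp"; anything else is rejected.
PORT_SPEC = re.compile(r"^(?P<lo>\d{1,5})(?:-(?P<hi>\d{1,5}))?/(?P<proto>tcp|udp)$")


def parse_port_spec(spec: str) -> tuple[str, int, int]:
    """Parse a 'port' string into (proto, low, high), validating the range."""
    m = PORT_SPEC.match(spec.strip())
    if not m:
        raise ValueError(f"unrecognised port spec: {spec!r}")
    lo = int(m["lo"])
    hi = int(m["hi"]) if m["hi"] else lo
    if not (0 < lo <= hi <= 65535):
        raise ValueError(f"port range out of order or out of bounds: {spec!r}")
    return m["proto"], lo, hi


def to_aws_rule(spec: str, group_name: str) -> dict:
    """Render a port spec as a security-group rule in the role's dict shape,
    keeping the source restricted to a security group rather than a CIDR."""
    proto, lo, hi = parse_port_spec(spec)
    return {"proto": proto, "from_port": lo, "to_port": hi, "group_name": group_name}


def to_iptables_match(spec: str) -> str:
    """Render a port spec as the iptables match for a single port or a range
    (iptables writes ranges as low:high)."""
    proto, lo, hi = parse_port_spec(spec)
    ports = f"{lo}:{hi}" if lo != hi else str(lo)
    return f"-p {proto} --dport {ports}"


def rule_covers(existing: dict, new: dict) -> bool:
    """True if `existing` already permits everything `new` would permit.
    Rules are only comparable when they share the same source group."""
    if existing["group_name"] != new["group_name"]:
        return False
    if existing["proto"] != "all" and existing["proto"] != new["proto"]:
        return False
    if existing["from_port"] == "all":
        return True
    return (int(existing["from_port"]) <= int(new["from_port"])
            and int(new["to_port"]) <= int(existing["to_port"]))


def redundant_rules(existing: Iterable[dict], proposed: Iterable[dict]) -> list[dict]:
    """Return the proposed rules that some existing rule already covers."""
    existing = list(existing)
    return [r for r in proposed if any(rule_covers(e, r) for e in existing)]


if __name__ == "__main__":
    proposed = [to_aws_rule(p["port"], CLUSTER_GROUP) for p in GCP_NODE_OPEN_PORTS]
    for rule in redundant_rules(AWS_NODE_RULES, proposed):
        print("already covered by the all/all rule:", rule)
    for p in GCP_NODE_OPEN_PORTS:
        print(p["port"], "->", to_iptables_match(p["port"]))
```

Against the sample rule set every proposed entry comes back as redundant, which is the situation the reviewer describes; if the `all/all` entry is replaced by a narrower rule, only the entries it still subsumes are reported, so the check doubles as a guard for later tightening of the group.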
@aweiteka: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
Master branch is closed! A major refactor is ongoing in devel-40. Changes for 3.x should be made directly to the latest release branch they're relevant to and backported from there.