Prometheus: add firewall rules for node exporter #7860
Adds the framework for firewall rules to the prometheus role and the settings for the node exporter port to use it. Invoked from the playbook as it affects a different set of hosts than the rest of the role (first master vs nodes).
461044c to 94e2ba5
|
This is nice! It should solve the issue I ran into when trying to fix this bug #6636 |
|
Also seeing this for issue #7999 👍 |
|
/retest |
|
@sdodson: GitHub didn't allow me to assign the following users: danmace. Note that only openshift members and repo collaborators can be assigned. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/assign @ironcladlou |
|
IIRC there was the same problem on GCE and I remember that we require an entire range of ports to be open. 9000-10000 if I recall correctly. I’m not the right person to review this beyond that either though, I have little knowledge of ansible itself and the modules involved. |
|
@brancz if you can define the firewall requirements for the node exporter to work properly then I can make sure the ansible code applies those requirements. |
|
@smarterclayton mentioned here, that the whole 9k-10k range is to be open for use of OpenShift cluster/node services. Sounds to me like we should be doing the same on all platforms. |
|
Yes. Every single openshift cluster everywhere should be 9k-10k inside the
bounds of the firewall for use by admins (who have perms to do host
network).
…On Wed, Jun 13, 2018 at 4:30 PM, Frederic Branczyk ***@***.*** > wrote:
@smarterclayton <https://github.com/smarterclayton> mentioned here
<#7862 (comment)>,
that the whole 9k-10k range is to be open for use of OpenShift cluster/node
services. Sounds to me like we should be doing the same on all platforms.
|
|
#9072 has been merged so this change becomes obsolete. |
|
Ok, closing it then. |
Adds the framework for firewall rules to the prometheus role and the settings for the node exporter port to use it.
The firewall setup is called from the playbook as it affects a different set of hosts than the rest of the role (first master vs nodes).