
Limited firewall rules at Hetzner - only 10 rules per server #8

Closed
rbo opened this issue Jun 4, 2021 · 4 comments
Assignees
Labels
kind/design Design decision lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@rbo
Member

rbo commented Jun 4, 2021

Hetzner supports only 10 firewall rules.

With the current configuration, the amount of nodes per cluster is limited to 5 nodes, this is definitely too low!

Current configuration:
[image: screenshot of the current Hetzner firewall rule configuration]

Possible solutions:

  • Use iptables/firewalld from RHCOS. (Is this supported?)
  • More firewall rules. Question to Hetzner if this is an option. => Not possible.
  • Move all servers into one subnet. Question to Hetzner if this is an option. => Not possible.
@rbo rbo self-assigned this Jun 4, 2021
@rbo
Member Author

rbo commented Jun 4, 2021

Case created at Hetzner (Ticket#2021060403010239) - case closed, both not possible.

@rbo
Member Author

rbo commented Jun 4, 2021

  • Use iptables/firewalld from RHCOS. (Is this supported?)

"No, ovn-kubernetes is the one setting up the iptables rules that are causing the broken functionality...there's nothing the MCO can do in this case, I believe." Source internal slack.

@rbo rbo added the kind/design Design decision label Jun 4, 2021
rbo added a commit to rbo/hetzner-baremetal-openshift that referenced this issue Jun 23, 2021
sesheta pushed a commit that referenced this issue Jun 24, 2021
* Remove internal_ip not needed anymore

* Remove hetzner software raid after centos installation too

* Remove internal_hostname use inventory_hostname instead

* Setup dns & lb first before firewall

because configure-hrobot-firewall.yaml need ip of lb vm

* Update toolbox, add missing packages

* Update hosts.yaml.example

* Update haproxy config, add only masters & bootstrap

* Fixed issue #11 - setup raid on masters

* Clean ip firewall configuration, because of #8

* Wipe RHCOS Raid too part of #11

* Improve reboot

* Provide playbook to disable hetzner firewall

* Fix ignition creation to add worker node afterwards

* Update README, add how to add worker

* Add post installation step

* Add missing newline

* fix: Make pre-commit happy

Signed-off-by: Tomas Coufal <tcoufal@redhat.com>

Co-authored-by: Tomas Coufal <tcoufal@redhat.com>
@sesheta
Member

sesheta commented Oct 15, 2021

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@sesheta sesheta added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 15, 2021
@rbo
Member Author

rbo commented Oct 19, 2021

We can close this issue, this is a pure hetzner limitation we can change this. With #9 we try to figure out a new network design.
