Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Limited firewall rules at Hetzner - only 10 rules per server #8

Closed
rbo opened this issue Jun 4, 2021 · 4 comments
Closed

Limited firewall rules at Hetzner - only 10 rules per server #8

rbo opened this issue Jun 4, 2021 · 4 comments
Assignees
@rbo
Labels
kind/design Design decision lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@rbo
Copy link
Member

rbo commented Jun 4, 2021
edited
Loading

Hetzner supports only 10 firewall rules.

With the current configuration, the amount of nodes per cluster is limited to 5 nodes, this is definitely too low!

Current configuration:
image

Possible solutions:

  • Use iptables/firewalld from RHCOS. (Is this supported?)
  • More firewall rules. Question to Hetzner if this is an option. => Not possible.
  • Move all server into one Subnet. Question to Hetzner if this is an option. => Not possible.
@rbo rbo self-assigned this Jun 4, 2021
@rbo
Copy link
Member Author

rbo commented Jun 4, 2021
edited
Loading

Case created at Hetzner (Ticket#2021060403010239) - case closed, both not possible.

@rbo
Copy link
Member Author

rbo commented Jun 4, 2021

  • Use iptables/firewalld from RHCOS. (Is this supported?)

"No, ovn-kubernetes is the one setting up the iptables rules that are causing the broken functionality...there's nothing the MCO can do in this case, I believe." Source internal slack.

@rbo rbo mentioned this issue Jun 4, 2021
Closed
@rbo rbo added the kind/design Design decision label Jun 4, 2021
@rbo rbo mentioned this issue Jun 22, 2021
Closed
rbo added a commit to rbo/hetzner-baremetal-openshift that referenced this issue Jun 23, 2021
@rbo
Clean ip firewall configuration, bacause of operate-first#8
2f3f76e
rbo added a commit to rbo/hetzner-baremetal-openshift that referenced this issue Jun 23, 2021
@rbo
Clean ip firewall configuration, bacause of operate-first#8
0b3444a
@rbo rbo mentioned this issue Jun 23, 2021
Merged
sesheta pushed a commit that referenced this issue Jun 24, 2021
@rbo @tumido
Ready to deploy rick cluster (#13)
fe7beed 
* Remove internal_ip not needed anymore

* Remove hetzner software raid after centos installation too

* Remove internal_hostname use inventory_hostname instead

* Setup dns & lb first before firewall

because configure-hrobot-firewall.yaml need ip of lb vm

* Update toolbox, add missing packages

* Update hosts.yaml.example

* Update haproxy config, add only masters & bootstrap

* Fixed issue #11 - setup raid on masters

* Clean ip firewall configuration, bacause of #8

* Wipe RHCOS Raid too part of #11

* Improve reboot

* Provide playbook to disable hetzner firewall

* Fix igntion creation to add worker node afterwards

* Update README, add how to add worker

* Add post installation step

* Add missing newline

* fix: Make pre-commit happy

Signed-off-by: Tomas Coufal <tcoufal@redhat.com>

Co-authored-by: Tomas Coufal <tcoufal@redhat.com>
@sesheta
Copy link
Member

sesheta commented Oct 15, 2021

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@sesheta sesheta added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 15, 2021
@rbo
Copy link
Member Author

rbo commented Oct 19, 2021

We can close this issue, this is a pure hetzner limitation we can change this. With #9 we try to figure out a new network design.

@rbo rbo closed this as completed Oct 19, 2021
@rbo rbo mentioned this issue Oct 21, 2021
Closed
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rbo rbo

Labels
kind/design Design decision lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rbo @sesheta