Document source components for required ports for master and worker nodes #770
Assignees
Labels
kind/documentation
Categorizes issue or PR as related to documentation.
priority/important-longterm
Important over the long term, but may not be staffed and/or may need multiple releases to complete.
Milestone
Comments
|
Agreed, we could definitely expand the docs here. |
timothysc
added
help wanted
|
Thanks. I think I found the pertinent portion of the AWS Quickstart template here. My current set of rules are narrower and more specific than those, but I have no confidence yet that they're correct. I was trying to express what's in those tables, using a security group for each of the following categories, anticipating that some machines will adopt more than one group:
|
luxas
removed
the
help wanted
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In the "Installing kubeadm" document, the "Check required ports" section indicates the inbound port ranges required for various components and purposes. However, it does not indicate which other components open connections on these ports.
When writing firewall rules for the cluster—such as with AWS security group rules—it's necessary to specify the source of the inbound traffic, whether with IP addresses or logical groups of client machines (security groups). It would help if these "required ports" tables had one more column that indicated from where we can expect the connections on each of these ports to originate.
For instance, I think—but am not sure—that the kubelets on worker nodes connect to the API server, and, conversely, the API server connects to them for kubectl exec and kubectl logs. What else connects to the "Kubelet API" port (10250) on the nodes? How about the "Read-only Kubelet API" port (10255). Does anything connect to the "etcd server client API" ports other than the API server?
I expect that I could resolve these questions after a long period of experimentation, incrementally relaxing the firewall's restrictions by diagnosing the logs, but we could save people that time and effort by documenting the source of this traffic in this table.
I concede that it's possible to write firewall rules that allow this inbound traffic to originate anywhere, but I'd prefer to be more specific.
What keywords did you search in kubeadm issues before filing this one?
install required ports source
Is this a BUG REPORT or FEATURE REQUEST?
FEATURE REQUEST
This is either a defect in the existing documentation or a request to improve the documentation as a feature; I could argue it either way.
What happened?
I studied the documentation, but found that it lacked details that I need in order to write proper firewall rules for my cluster.
What you expected to happen?
The two aforementioned tables would mention which components connect to which others on which ports.
Anything else we need to know?
If we're able to at least collect the facts in subsequent discussion here, I'm willing to submit a PR to update the tables, though the width might be a problem with a fifth column.
The text was updated successfully, but these errors were encountered: