Disable Kubelet read-only port 10255
* We can finally disable the Kubelet read-only port 10255! * Journey: https://github.com/poseidon/typhoon/issues/322#issuecomment-431073073
This commit is contained in:
parent
bc750aec33
commit
99a6d5478b
@ -5,6 +5,7 @@ Notable changes between versions.
|
|||||||
## Latest
|
## Latest
|
||||||
|
|
||||||
* Fix CoreDNS AntiAffinity spec to prefer spreading replicas
|
* Fix CoreDNS AntiAffinity spec to prefer spreading replicas
|
||||||
|
* Disable Kubelet read-only port ([#324](https://github.com/poseidon/typhoon/pull/324))
|
||||||
|
|
||||||
#### AWS
|
#### AWS
|
||||||
|
|
||||||
|
@ -88,6 +88,7 @@ systemd:
|
|||||||
--node-labels=node-role.kubernetes.io/master \
|
--node-labels=node-role.kubernetes.io/master \
|
||||||
--node-labels=node-role.kubernetes.io/controller="true" \
|
--node-labels=node-role.kubernetes.io/controller="true" \
|
||||||
--pod-manifest-path=/etc/kubernetes/manifests \
|
--pod-manifest-path=/etc/kubernetes/manifests \
|
||||||
|
--read-only-port=0 \
|
||||||
--register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
|
--register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
|
||||||
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
|
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
|
||||||
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
|
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
|
||||||
|
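Review bot: Closing the read-only port moves every consumer of the kubelet's `/pods`, `/stats` and `/metrics` endpoints onto the authenticated port 10250, but the rest of the kubelet ExecStart argument list lies outside this hunk, so it is not visible whether `--authorization-mode=Webhook` and `--authentication-token-webhook` are set on that port; confirm they are, since 10250 is now the only kubelet endpoint reachable. The same `--read-only-port=0` line is added in every other kubelet unit and cloud-init hunk of this commit, and this note applies to all of them. The firewall rules this commit removes elsewhere were commented `Allow heapster / metrics-server to scrape kubelet read-only`, so the addon manifests that scraped 10255 presumably need a matching switch to 10250 over TLS, or metrics collection stops silently rather than loudly. After rollout, connection attempts to 10255 in VPC flow or NSG logs are a cheap way to spot a scraper that was missed.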
@ -104,27 +104,6 @@ resource "aws_security_group_rule" "controller-kubelet-self" {
|
|||||||
self = true
|
self = true
|
||||||
}
|
}
|
||||||
|
|
||||||
# Allow heapster / metrics-server to scrape kubelet read-only
|
|
||||||
resource "aws_security_group_rule" "controller-kubelet-read" {
|
|
||||||
security_group_id = "${aws_security_group.controller.id}"
|
|
||||||
|
|
||||||
type = "ingress"
|
|
||||||
protocol = "tcp"
|
|
||||||
from_port = 10255
|
|
||||||
to_port = 10255
|
|
||||||
source_security_group_id = "${aws_security_group.worker.id}"
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "aws_security_group_rule" "controller-kubelet-read-self" {
|
|
||||||
security_group_id = "${aws_security_group.controller.id}"
|
|
||||||
|
|
||||||
type = "ingress"
|
|
||||||
protocol = "tcp"
|
|
||||||
from_port = 10255
|
|
||||||
to_port = 10255
|
|
||||||
self = true
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "aws_security_group_rule" "controller-bgp" {
|
resource "aws_security_group_rule" "controller-bgp" {
|
||||||
security_group_id = "${aws_security_group.controller.id}"
|
security_group_id = "${aws_security_group.controller.id}"
|
||||||
|
|
||||||
@ -300,27 +279,6 @@ resource "aws_security_group_rule" "worker-kubelet-self" {
|
|||||||
self = true
|
self = true
|
||||||
}
|
}
|
||||||
|
|
||||||
# Allow heapster / metrics-server to scrape kubelet read-only
|
|
||||||
resource "aws_security_group_rule" "worker-kubelet-read" {
|
|
||||||
security_group_id = "${aws_security_group.worker.id}"
|
|
||||||
|
|
||||||
type = "ingress"
|
|
||||||
protocol = "tcp"
|
|
||||||
from_port = 10255
|
|
||||||
to_port = 10255
|
|
||||||
source_security_group_id = "${aws_security_group.controller.id}"
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "aws_security_group_rule" "worker-kubelet-read-self" {
|
|
||||||
security_group_id = "${aws_security_group.worker.id}"
|
|
||||||
|
|
||||||
type = "ingress"
|
|
||||||
protocol = "tcp"
|
|
||||||
from_port = 10255
|
|
||||||
to_port = 10255
|
|
||||||
self = true
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "aws_security_group_rule" "worker-bgp" {
|
resource "aws_security_group_rule" "worker-bgp" {
|
||||||
security_group_id = "${aws_security_group.worker.id}"
|
security_group_id = "${aws_security_group.worker.id}"
|
||||||
|
|
||||||
|
@ -60,6 +60,7 @@ systemd:
|
|||||||
--network-plugin=cni \
|
--network-plugin=cni \
|
||||||
--node-labels=node-role.kubernetes.io/node \
|
--node-labels=node-role.kubernetes.io/node \
|
||||||
--pod-manifest-path=/etc/kubernetes/manifests \
|
--pod-manifest-path=/etc/kubernetes/manifests \
|
||||||
|
--read-only-port=0 \
|
||||||
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
|
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
|
||||||
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
|
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
|
||||||
Restart=always
|
Restart=always
|
||||||
|
@ -65,6 +65,7 @@ write_files:
|
|||||||
--node-labels=node-role.kubernetes.io/master \
|
--node-labels=node-role.kubernetes.io/master \
|
||||||
--node-labels=node-role.kubernetes.io/controller="true" \
|
--node-labels=node-role.kubernetes.io/controller="true" \
|
||||||
--pod-manifest-path=/etc/kubernetes/manifests \
|
--pod-manifest-path=/etc/kubernetes/manifests \
|
||||||
|
--read-only-port=0 \
|
||||||
--register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
|
--register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
|
||||||
--volume-plugin-dir=/var/lib/kubelet/volumeplugins"
|
--volume-plugin-dir=/var/lib/kubelet/volumeplugins"
|
||||||
- path: /etc/kubernetes/kubeconfig
|
- path: /etc/kubernetes/kubeconfig
|
||||||
|
@ -104,27 +104,6 @@ resource "aws_security_group_rule" "controller-kubelet-self" {
|
|||||||
self = true
|
self = true
|
||||||
}
|
}
|
||||||
|
|
||||||
# Allow heapster / metrics-server to scrape kubelet read-only
|
|
||||||
resource "aws_security_group_rule" "controller-kubelet-read" {
|
|
||||||
security_group_id = "${aws_security_group.controller.id}"
|
|
||||||
|
|
||||||
type = "ingress"
|
|
||||||
protocol = "tcp"
|
|
||||||
from_port = 10255
|
|
||||||
to_port = 10255
|
|
||||||
source_security_group_id = "${aws_security_group.worker.id}"
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "aws_security_group_rule" "controller-kubelet-read-self" {
|
|
||||||
security_group_id = "${aws_security_group.controller.id}"
|
|
||||||
|
|
||||||
type = "ingress"
|
|
||||||
protocol = "tcp"
|
|
||||||
from_port = 10255
|
|
||||||
to_port = 10255
|
|
||||||
self = true
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "aws_security_group_rule" "controller-bgp" {
|
resource "aws_security_group_rule" "controller-bgp" {
|
||||||
security_group_id = "${aws_security_group.controller.id}"
|
security_group_id = "${aws_security_group.controller.id}"
|
||||||
|
|
||||||
@ -300,27 +279,6 @@ resource "aws_security_group_rule" "worker-kubelet-self" {
|
|||||||
self = true
|
self = true
|
||||||
}
|
}
|
||||||
|
|
||||||
# Allow heapster / metrics-server to scrape kubelet read-only
|
|
||||||
resource "aws_security_group_rule" "worker-kubelet-read" {
|
|
||||||
security_group_id = "${aws_security_group.worker.id}"
|
|
||||||
|
|
||||||
type = "ingress"
|
|
||||||
protocol = "tcp"
|
|
||||||
from_port = 10255
|
|
||||||
to_port = 10255
|
|
||||||
source_security_group_id = "${aws_security_group.controller.id}"
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "aws_security_group_rule" "worker-kubelet-read-self" {
|
|
||||||
security_group_id = "${aws_security_group.worker.id}"
|
|
||||||
|
|
||||||
type = "ingress"
|
|
||||||
protocol = "tcp"
|
|
||||||
from_port = 10255
|
|
||||||
to_port = 10255
|
|
||||||
self = true
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "aws_security_group_rule" "worker-bgp" {
|
resource "aws_security_group_rule" "worker-bgp" {
|
||||||
security_group_id = "${aws_security_group.worker.id}"
|
security_group_id = "${aws_security_group.worker.id}"
|
||||||
|
|
||||||
|
@ -43,6 +43,7 @@ write_files:
|
|||||||
--network-plugin=cni \
|
--network-plugin=cni \
|
||||||
--node-labels=node-role.kubernetes.io/node \
|
--node-labels=node-role.kubernetes.io/node \
|
||||||
--pod-manifest-path=/etc/kubernetes/manifests \
|
--pod-manifest-path=/etc/kubernetes/manifests \
|
||||||
|
--read-only-port=0 \
|
||||||
--volume-plugin-dir=/var/lib/kubelet/volumeplugins"
|
--volume-plugin-dir=/var/lib/kubelet/volumeplugins"
|
||||||
- path: /etc/kubernetes/kubeconfig
|
- path: /etc/kubernetes/kubeconfig
|
||||||
permissions: '0644'
|
permissions: '0644'
|
||||||
|
@ -88,6 +88,7 @@ systemd:
|
|||||||
--node-labels=node-role.kubernetes.io/master \
|
--node-labels=node-role.kubernetes.io/master \
|
||||||
--node-labels=node-role.kubernetes.io/controller="true" \
|
--node-labels=node-role.kubernetes.io/controller="true" \
|
||||||
--pod-manifest-path=/etc/kubernetes/manifests \
|
--pod-manifest-path=/etc/kubernetes/manifests \
|
||||||
|
--read-only-port=0 \
|
||||||
--register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
|
--register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
|
||||||
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
|
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
|
||||||
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
|
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
|
||||||
|
@ -117,22 +117,6 @@ resource "azurerm_network_security_rule" "controller-kubelet" {
|
|||||||
destination_address_prefix = "${azurerm_subnet.controller.address_prefix}"
|
destination_address_prefix = "${azurerm_subnet.controller.address_prefix}"
|
||||||
}
|
}
|
||||||
|
|
||||||
# Allow heapster / metrics-server to scrape kubelet read-only
|
|
||||||
resource "azurerm_network_security_rule" "controller-kubelet-read" {
|
|
||||||
resource_group_name = "${azurerm_resource_group.cluster.name}"
|
|
||||||
|
|
||||||
name = "allow-kubelet-read"
|
|
||||||
network_security_group_name = "${azurerm_network_security_group.controller.name}"
|
|
||||||
priority = "2035"
|
|
||||||
access = "Allow"
|
|
||||||
direction = "Inbound"
|
|
||||||
protocol = "Tcp"
|
|
||||||
source_port_range = "*"
|
|
||||||
destination_port_range = "10255"
|
|
||||||
source_address_prefix = "${azurerm_subnet.worker.address_prefix}"
|
|
||||||
destination_address_prefix = "${azurerm_subnet.controller.address_prefix}"
|
|
||||||
}
|
|
||||||
|
|
||||||
# Override Azure AllowVNetInBound and AllowAzureLoadBalancerInBound
|
# Override Azure AllowVNetInBound and AllowAzureLoadBalancerInBound
|
||||||
# https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules
|
# https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules
|
||||||
|
|
||||||
@ -269,22 +253,6 @@ resource "azurerm_network_security_rule" "worker-kubelet" {
|
|||||||
destination_address_prefix = "${azurerm_subnet.worker.address_prefix}"
|
destination_address_prefix = "${azurerm_subnet.worker.address_prefix}"
|
||||||
}
|
}
|
||||||
|
|
||||||
# Allow heapster / metrics-server to scrape kubelet read-only
|
|
||||||
resource "azurerm_network_security_rule" "worker-kubelet-read" {
|
|
||||||
resource_group_name = "${azurerm_resource_group.cluster.name}"
|
|
||||||
|
|
||||||
name = "allow-kubelet-read"
|
|
||||||
network_security_group_name = "${azurerm_network_security_group.worker.name}"
|
|
||||||
priority = "2030"
|
|
||||||
access = "Allow"
|
|
||||||
direction = "Inbound"
|
|
||||||
protocol = "Tcp"
|
|
||||||
source_port_range = "*"
|
|
||||||
destination_port_range = "10255"
|
|
||||||
source_address_prefix = "${azurerm_subnet.worker.address_prefix}"
|
|
||||||
destination_address_prefix = "${azurerm_subnet.worker.address_prefix}"
|
|
||||||
}
|
|
||||||
|
|
||||||
# Override Azure AllowVNetInBound and AllowAzureLoadBalancerInBound
|
# Override Azure AllowVNetInBound and AllowAzureLoadBalancerInBound
|
||||||
# https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules
|
# https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules
|
||||||
|
|
||||||
|
@ -60,6 +60,7 @@ systemd:
|
|||||||
--network-plugin=cni \
|
--network-plugin=cni \
|
||||||
--node-labels=node-role.kubernetes.io/node \
|
--node-labels=node-role.kubernetes.io/node \
|
||||||
--pod-manifest-path=/etc/kubernetes/manifests \
|
--pod-manifest-path=/etc/kubernetes/manifests \
|
||||||
|
--read-only-port=0 \
|
||||||
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
|
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
|
||||||
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
|
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
|
||||||
Restart=always
|
Restart=always
|
||||||
|
@ -97,6 +97,7 @@ systemd:
|
|||||||
--node-labels=node-role.kubernetes.io/master \
|
--node-labels=node-role.kubernetes.io/master \
|
||||||
--node-labels=node-role.kubernetes.io/controller="true" \
|
--node-labels=node-role.kubernetes.io/controller="true" \
|
||||||
--pod-manifest-path=/etc/kubernetes/manifests \
|
--pod-manifest-path=/etc/kubernetes/manifests \
|
||||||
|
--read-only-port=0 \
|
||||||
--register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
|
--register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
|
||||||
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
|
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
|
||||||
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
|
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
|
||||||
|
@ -69,6 +69,7 @@ systemd:
|
|||||||
--network-plugin=cni \
|
--network-plugin=cni \
|
||||||
--node-labels=node-role.kubernetes.io/node \
|
--node-labels=node-role.kubernetes.io/node \
|
||||||
--pod-manifest-path=/etc/kubernetes/manifests \
|
--pod-manifest-path=/etc/kubernetes/manifests \
|
||||||
|
--read-only-port=0 \
|
||||||
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
|
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
|
||||||
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
|
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
|
||||||
Restart=always
|
Restart=always
|
||||||
|
@ -51,6 +51,7 @@ write_files:
|
|||||||
--node-labels=node-role.kubernetes.io/master \
|
--node-labels=node-role.kubernetes.io/master \
|
||||||
--node-labels=node-role.kubernetes.io/controller="true" \
|
--node-labels=node-role.kubernetes.io/controller="true" \
|
||||||
--pod-manifest-path=/etc/kubernetes/manifests \
|
--pod-manifest-path=/etc/kubernetes/manifests \
|
||||||
|
--read-only-port=0 \
|
||||||
--register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
|
--register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
|
||||||
--volume-plugin-dir=/var/lib/kubelet/volumeplugins"
|
--volume-plugin-dir=/var/lib/kubelet/volumeplugins"
|
||||||
- path: /etc/systemd/system/kubelet.path
|
- path: /etc/systemd/system/kubelet.path
|
||||||
|
@ -29,6 +29,7 @@ write_files:
|
|||||||
--network-plugin=cni \
|
--network-plugin=cni \
|
||||||
--node-labels=node-role.kubernetes.io/node \
|
--node-labels=node-role.kubernetes.io/node \
|
||||||
--pod-manifest-path=/etc/kubernetes/manifests \
|
--pod-manifest-path=/etc/kubernetes/manifests \
|
||||||
|
--read-only-port=0 \
|
||||||
--volume-plugin-dir=/var/lib/kubelet/volumeplugins"
|
--volume-plugin-dir=/var/lib/kubelet/volumeplugins"
|
||||||
- path: /etc/systemd/system/kubelet.path
|
- path: /etc/systemd/system/kubelet.path
|
||||||
content: |
|
content: |
|
||||||
|
@ -100,6 +100,7 @@ systemd:
|
|||||||
--node-labels=node-role.kubernetes.io/master \
|
--node-labels=node-role.kubernetes.io/master \
|
||||||
--node-labels=node-role.kubernetes.io/controller="true" \
|
--node-labels=node-role.kubernetes.io/controller="true" \
|
||||||
--pod-manifest-path=/etc/kubernetes/manifests \
|
--pod-manifest-path=/etc/kubernetes/manifests \
|
||||||
|
--read-only-port=0 \
|
||||||
--register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
|
--register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
|
||||||
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
|
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
|
||||||
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
|
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
|
||||||
|
@ -72,6 +72,7 @@ systemd:
|
|||||||
--network-plugin=cni \
|
--network-plugin=cni \
|
||||||
--node-labels=node-role.kubernetes.io/node \
|
--node-labels=node-role.kubernetes.io/node \
|
||||||
--pod-manifest-path=/etc/kubernetes/manifests \
|
--pod-manifest-path=/etc/kubernetes/manifests \
|
||||||
|
--read-only-port=0 \
|
||||||
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
|
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
|
||||||
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
|
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
|
||||||
Restart=always
|
Restart=always
|
||||||
|
@ -65,6 +65,7 @@ write_files:
|
|||||||
--node-labels=node-role.kubernetes.io/master \
|
--node-labels=node-role.kubernetes.io/master \
|
||||||
--node-labels=node-role.kubernetes.io/controller="true" \
|
--node-labels=node-role.kubernetes.io/controller="true" \
|
||||||
--pod-manifest-path=/etc/kubernetes/manifests \
|
--pod-manifest-path=/etc/kubernetes/manifests \
|
||||||
|
--read-only-port=0 \
|
||||||
--register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
|
--register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
|
||||||
--volume-plugin-dir=/var/lib/kubelet/volumeplugins"
|
--volume-plugin-dir=/var/lib/kubelet/volumeplugins"
|
||||||
- path: /etc/systemd/system/kubelet.path
|
- path: /etc/systemd/system/kubelet.path
|
||||||
|
@ -43,6 +43,7 @@ write_files:
|
|||||||
--network-plugin=cni \
|
--network-plugin=cni \
|
||||||
--node-labels=node-role.kubernetes.io/node \
|
--node-labels=node-role.kubernetes.io/node \
|
||||||
--pod-manifest-path=/etc/kubernetes/manifests \
|
--pod-manifest-path=/etc/kubernetes/manifests \
|
||||||
|
--read-only-port=0 \
|
||||||
--volume-plugin-dir=/var/lib/kubelet/volumeplugins"
|
--volume-plugin-dir=/var/lib/kubelet/volumeplugins"
|
||||||
- path: /etc/systemd/system/kubelet.path
|
- path: /etc/systemd/system/kubelet.path
|
||||||
content: |
|
content: |
|
||||||
|
@ -90,6 +90,7 @@ systemd:
|
|||||||
--node-labels=node-role.kubernetes.io/controller="true" \
|
--node-labels=node-role.kubernetes.io/controller="true" \
|
||||||
--pod-manifest-path=/etc/kubernetes/manifests \
|
--pod-manifest-path=/etc/kubernetes/manifests \
|
||||||
--register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
|
--register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
|
||||||
|
--read-only-port=0 \
|
||||||
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
|
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
|
||||||
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
|
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
|
||||||
Restart=always
|
Restart=always
|
||||||
|
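Review bot: `--read-only-port=0` is inserted after `--register-with-taints` here, whereas every other kubelet hunk in this commit keeps the flags in alphabetical order and places it between `--pod-manifest-path` and `--register-with-taints`. Moving the added line one position up keeps the controller units diff-able against each other: `--pod-manifest-path=/etc/kubernetes/manifests \`, `--read-only-port=0 \`, `--register-with-taints=node-role.kubernetes.io/master=:NoSchedule \`. The ExecStart argument list starts before and continues past this hunk.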
@ -123,20 +123,6 @@ resource "google_compute_firewall" "internal-kubelet" {
|
|||||||
target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
|
target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
|
||||||
}
|
}
|
||||||
|
|
||||||
# Allow heapster / metrics-server to scrape kubelet read-only
|
|
||||||
resource "google_compute_firewall" "internal-kubelet-readonly" {
|
|
||||||
name = "${var.cluster_name}-internal-kubelet-readonly"
|
|
||||||
network = "${google_compute_network.network.name}"
|
|
||||||
|
|
||||||
allow {
|
|
||||||
protocol = "tcp"
|
|
||||||
ports = [10255]
|
|
||||||
}
|
|
||||||
|
|
||||||
source_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
|
|
||||||
target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
|
|
||||||
}
|
|
||||||
|
|
||||||
# Workers
|
# Workers
|
||||||
|
|
||||||
resource "google_compute_firewall" "allow-ingress" {
|
resource "google_compute_firewall" "allow-ingress" {
|
||||||
|
@ -61,6 +61,7 @@ systemd:
|
|||||||
--network-plugin=cni \
|
--network-plugin=cni \
|
||||||
--node-labels=node-role.kubernetes.io/node \
|
--node-labels=node-role.kubernetes.io/node \
|
||||||
--pod-manifest-path=/etc/kubernetes/manifests \
|
--pod-manifest-path=/etc/kubernetes/manifests \
|
||||||
|
--read-only-port=0 \
|
||||||
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
|
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
|
||||||
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
|
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
|
||||||
Restart=always
|
Restart=always
|
||||||
|
@ -66,6 +66,7 @@ write_files:
|
|||||||
--node-labels=node-role.kubernetes.io/master \
|
--node-labels=node-role.kubernetes.io/master \
|
||||||
--node-labels=node-role.kubernetes.io/controller="true" \
|
--node-labels=node-role.kubernetes.io/controller="true" \
|
||||||
--pod-manifest-path=/etc/kubernetes/manifests \
|
--pod-manifest-path=/etc/kubernetes/manifests \
|
||||||
|
--read-only-port=0 \
|
||||||
--register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
|
--register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
|
||||||
--volume-plugin-dir=/var/lib/kubelet/volumeplugins"
|
--volume-plugin-dir=/var/lib/kubelet/volumeplugins"
|
||||||
- path: /etc/kubernetes/kubeconfig
|
- path: /etc/kubernetes/kubeconfig
|
||||||
|
@ -123,20 +123,6 @@ resource "google_compute_firewall" "internal-kubelet" {
|
|||||||
target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
|
target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
|
||||||
}
|
}
|
||||||
|
|
||||||
# Allow heapster / metrics-server to scrape kubelet read-only
|
|
||||||
resource "google_compute_firewall" "internal-kubelet-readonly" {
|
|
||||||
name = "${var.cluster_name}-internal-kubelet-readonly"
|
|
||||||
network = "${google_compute_network.network.name}"
|
|
||||||
|
|
||||||
allow {
|
|
||||||
protocol = "tcp"
|
|
||||||
ports = [10255]
|
|
||||||
}
|
|
||||||
|
|
||||||
source_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
|
|
||||||
target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
|
|
||||||
}
|
|
||||||
|
|
||||||
# Workers
|
# Workers
|
||||||
|
|
||||||
resource "google_compute_firewall" "allow-ingress" {
|
resource "google_compute_firewall" "allow-ingress" {
|
||||||
|
@ -44,6 +44,7 @@ write_files:
|
|||||||
--network-plugin=cni \
|
--network-plugin=cni \
|
||||||
--node-labels=node-role.kubernetes.io/node \
|
--node-labels=node-role.kubernetes.io/node \
|
||||||
--pod-manifest-path=/etc/kubernetes/manifests \
|
--pod-manifest-path=/etc/kubernetes/manifests \
|
||||||
|
--read-only-port=0 \
|
||||||
--volume-plugin-dir=/var/lib/kubelet/volumeplugins"
|
--volume-plugin-dir=/var/lib/kubelet/volumeplugins"
|
||||||
- path: /etc/kubernetes/kubeconfig
|
- path: /etc/kubernetes/kubeconfig
|
||||||
permissions: '0644'
|
permissions: '0644'
|
||||||
|