diff --git a/CHANGES.md b/CHANGES.md
index 3abf044c..96d2f099 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -6,6 +6,11 @@ Notable changes between versions.
 * Update etcd from v3.3.12 to [v3.3.13](https://github.com/etcd-io/etcd/releases/tag/v3.3.13)
 * Upgrade Calico from v3.6.1 to [v3.7.0](https://docs.projectcalico.org/v3.7/release-notes/)
+* Change flannel port from 8472 (kernel default) to 4789 (IANA VXLAN)
+
+#### AWS
+
+* Only set internal VXLAN rules when `networking` is flannel (default: calico)
 
 #### Addons
diff --git a/aws/container-linux/kubernetes/bootkube.tf b/aws/container-linux/kubernetes/bootkube.tf
index 416ae51c..60e05daf 100644
--- a/aws/container-linux/kubernetes/bootkube.tf
+++ b/aws/container-linux/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=b96d641f6d42cf5d9bf3ac36f557aa21cc157680"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=fc7a6fb20abe41ccd40f3449ee8ee7bba7bd9932"
 
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/aws/container-linux/kubernetes/security.tf b/aws/container-linux/kubernetes/security.tf
index fc7b959a..7672a92e 100644
--- a/aws/container-linux/kubernetes/security.tf
+++ b/aws/container-linux/kubernetes/security.tf
@@ -42,6 +42,30 @@ resource "aws_security_group_rule" "controller-etcd-metrics" {
 source_security_group_id = "${aws_security_group.worker.id}"
 }
 
+resource "aws_security_group_rule" "controller-vxlan" {
+ count = "${var.networking == "flannel" ? 1 : 0}"
+
+ security_group_id = "${aws_security_group.controller.id}"
+
+ type = "ingress"
+ protocol = "udp"
+ from_port = 4789
+ to_port = 4789
+ source_security_group_id = "${aws_security_group.worker.id}"
+}
+
+resource "aws_security_group_rule" "controller-vxlan-self" {
+ count = "${var.networking == "flannel" ? 1 : 0}"
+
+ security_group_id = "${aws_security_group.controller.id}"
+
+ type = "ingress"
+ protocol = "udp"
+ from_port = 4789
+ to_port = 4789
+ self = true
+}
+
 resource "aws_security_group_rule" "controller-apiserver" {
 security_group_id = "${aws_security_group.controller.id}"
 
@@ -52,26 +76,6 @@ resource "aws_security_group_rule" "controller-apiserver" {
 cidr_blocks = ["0.0.0.0/0"]
 }
 
-resource "aws_security_group_rule" "controller-flannel" {
- security_group_id = "${aws_security_group.controller.id}"
-
- type = "ingress"
- protocol = "udp"
- from_port = 8472
- to_port = 8472
- source_security_group_id = "${aws_security_group.worker.id}"
-}
-
-resource "aws_security_group_rule" "controller-flannel-self" {
- security_group_id = "${aws_security_group.controller.id}"
-
- type = "ingress"
- protocol = "udp"
- from_port = 8472
- to_port = 8472
- self = true
-}
-
 # Allow Prometheus to scrape node-exporter daemonset
 resource "aws_security_group_rule" "controller-node-exporter" {
 security_group_id = "${aws_security_group.controller.id}"
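Review bot: Dropping the 8472 rules in the second hunk while the 4789 rules are created under a new resource name leaves an existing flannel cluster with no permitted overlay port until its flannel DaemonSet is also moved to 4789; the bootkube ref bump in bootkube.tf only changes rendered assets as far as this diff shows, so an in-place `terraform apply` on a running flannel cluster may cut pod-to-pod traffic, and the CHANGES.md entry should carry a migration note saying so. Because `controller-flannel` becomes `controller-vxlan[0]`, Terraform destroys the old rule and creates the new one rather than updating in place, so the port switch is not atomic even on a cluster that has already been reconfigured. The new resources also lack the header comment the file uses elsewhere (`# Allow Prometheus to scrape node-exporter daemonset`); I would add `# Allow flannel VXLAN (UDP 4789) between nodes; created only when networking = "flannel"` above `controller-vxlan`. The same points apply to the `worker-vxlan` hunk below, to the identical aws/fedora-atomic/kubernetes/security.tf hunks, and to the 8472→4789 switches in the Azure, DigitalOcean and Google Cloud hunks of this commit.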
@@ -216,23 +220,27 @@ resource "aws_security_group_rule" "worker-https" {
 cidr_blocks = ["0.0.0.0/0"]
 }
 
-resource "aws_security_group_rule" "worker-flannel" {
+resource "aws_security_group_rule" "worker-vxlan" {
+ count = "${var.networking == "flannel" ? 1 : 0}"
+
 security_group_id = "${aws_security_group.worker.id}"
 
 type = "ingress"
 protocol = "udp"
- from_port = 8472
- to_port = 8472
+ from_port = 4789
+ to_port = 4789
 source_security_group_id = "${aws_security_group.controller.id}"
 }
 
-resource "aws_security_group_rule" "worker-flannel-self" {
+resource "aws_security_group_rule" "worker-vxlan-self" {
+ count = "${var.networking == "flannel" ? 1 : 0}"
+
 security_group_id = "${aws_security_group.worker.id}"
 
 type = "ingress"
 protocol = "udp"
- from_port = 8472
- to_port = 8472
+ from_port = 4789
+ to_port = 4789
 self = true
 }
 
diff --git a/aws/fedora-atomic/kubernetes/bootkube.tf b/aws/fedora-atomic/kubernetes/bootkube.tf
index 89ab7c15..5df842ef 100644
--- a/aws/fedora-atomic/kubernetes/bootkube.tf
+++ b/aws/fedora-atomic/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=b96d641f6d42cf5d9bf3ac36f557aa21cc157680"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=fc7a6fb20abe41ccd40f3449ee8ee7bba7bd9932"
 
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/aws/fedora-atomic/kubernetes/security.tf b/aws/fedora-atomic/kubernetes/security.tf
index fc7b959a..7672a92e 100644
--- a/aws/fedora-atomic/kubernetes/security.tf
+++ b/aws/fedora-atomic/kubernetes/security.tf
@@ -42,6 +42,30 @@ resource "aws_security_group_rule" "controller-etcd-metrics" {
 source_security_group_id = "${aws_security_group.worker.id}"
 }
 
+resource "aws_security_group_rule" "controller-vxlan" {
+ count = "${var.networking == "flannel" ? 1 : 0}"
+
+ security_group_id = "${aws_security_group.controller.id}"
+
+ type = "ingress"
+ protocol = "udp"
+ from_port = 4789
+ to_port = 4789
+ source_security_group_id = "${aws_security_group.worker.id}"
+}
+
+resource "aws_security_group_rule" "controller-vxlan-self" {
+ count = "${var.networking == "flannel" ? 1 : 0}"
+
+ security_group_id = "${aws_security_group.controller.id}"
+
+ type = "ingress"
+ protocol = "udp"
+ from_port = 4789
+ to_port = 4789
+ self = true
+}
+
 resource "aws_security_group_rule" "controller-apiserver" {
 security_group_id = "${aws_security_group.controller.id}"
 
@@ -52,26 +76,6 @@ resource "aws_security_group_rule" "controller-apiserver" {
 cidr_blocks = ["0.0.0.0/0"]
 }
 
-resource "aws_security_group_rule" "controller-flannel" {
- security_group_id = "${aws_security_group.controller.id}"
-
- type = "ingress"
- protocol = "udp"
- from_port = 8472
- to_port = 8472
- source_security_group_id = "${aws_security_group.worker.id}"
-}
-
-resource "aws_security_group_rule" "controller-flannel-self" {
- security_group_id = "${aws_security_group.controller.id}"
-
- type = "ingress"
- protocol = "udp"
- from_port = 8472
- to_port = 8472
- self = true
-}
-
 # Allow Prometheus to scrape node-exporter daemonset
 resource "aws_security_group_rule" "controller-node-exporter" {
 security_group_id = "${aws_security_group.controller.id}"
@@ -216,23 +220,27 @@ resource "aws_security_group_rule" "worker-https" {
 cidr_blocks = ["0.0.0.0/0"]
 }
 
-resource "aws_security_group_rule" "worker-flannel" {
+resource "aws_security_group_rule" "worker-vxlan" {
+ count = "${var.networking == "flannel" ? 1 : 0}"
+
 security_group_id = "${aws_security_group.worker.id}"
 
 type = "ingress"
 protocol = "udp"
- from_port = 8472
- to_port = 8472
+ from_port = 4789
+ to_port = 4789
 source_security_group_id = "${aws_security_group.controller.id}"
 }
 
-resource "aws_security_group_rule" "worker-flannel-self" {
+resource "aws_security_group_rule" "worker-vxlan-self" {
+ count = "${var.networking == "flannel" ? 1 : 0}"
+
 security_group_id = "${aws_security_group.worker.id}"
 
 type = "ingress"
 protocol = "udp"
- from_port = 8472
- to_port = 8472
+ from_port = 4789
+ to_port = 4789
 self = true
 }
 
diff --git a/azure/container-linux/kubernetes/bootkube.tf b/azure/container-linux/kubernetes/bootkube.tf
index a23afa20..884bbbba 100644
--- a/azure/container-linux/kubernetes/bootkube.tf
+++ b/azure/container-linux/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=b96d641f6d42cf5d9bf3ac36f557aa21cc157680"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=fc7a6fb20abe41ccd40f3449ee8ee7bba7bd9932"
 
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/azure/container-linux/kubernetes/security.tf b/azure/container-linux/kubernetes/security.tf
index 9f1d3463..13830709 100644
--- a/azure/container-linux/kubernetes/security.tf
+++ b/azure/container-linux/kubernetes/security.tf
@@ -68,17 +68,17 @@ resource "azurerm_network_security_rule" "controller-apiserver" {
 destination_address_prefix = "${azurerm_subnet.controller.address_prefix}"
 }
 
-resource "azurerm_network_security_rule" "controller-flannel" {
+resource "azurerm_network_security_rule" "controller-vxlan" {
 resource_group_name = "${azurerm_resource_group.cluster.name}"
 
- name = "allow-flannel"
+ name = "allow-vxlan"
 network_security_group_name = "${azurerm_network_security_group.controller.name}"
 priority = "2020"
 access = "Allow"
 direction = "Inbound"
 protocol = "Udp"
 source_port_range = "*"
- destination_port_range = "8472"
+ destination_port_range = "4789"
 source_address_prefixes = ["${azurerm_subnet.controller.address_prefix}", "${azurerm_subnet.worker.address_prefix}"]
 destination_address_prefix = "${azurerm_subnet.controller.address_prefix}"
 }
@@ -204,17 +204,17 @@ resource "azurerm_network_security_rule" "worker-https" {
 destination_address_prefix = "${azurerm_subnet.worker.address_prefix}"
 }
 
-resource "azurerm_network_security_rule" "worker-flannel" {
+resource "azurerm_network_security_rule" "worker-vxlan" {
 resource_group_name = "${azurerm_resource_group.cluster.name}"
 
- name = "allow-flannel"
+ name = "allow-vxlan"
 network_security_group_name = "${azurerm_network_security_group.worker.name}"
 priority = "2015"
 access = "Allow"
 direction = "Inbound"
 protocol = "Udp"
 source_port_range = "*"
- destination_port_range = "8472"
+ destination_port_range = "4789"
 source_address_prefixes = ["${azurerm_subnet.controller.address_prefix}", "${azurerm_subnet.worker.address_prefix}"]
 destination_address_prefix = "${azurerm_subnet.worker.address_prefix}"
 }
diff --git a/bare-metal/container-linux/kubernetes/bootkube.tf b/bare-metal/container-linux/kubernetes/bootkube.tf
index 3222ca96..86ab9f04 100644
--- a/bare-metal/container-linux/kubernetes/bootkube.tf
+++ b/bare-metal/container-linux/kubernetes/bootkube.tf
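Review bot: The Azure `controller-vxlan` and `worker-vxlan` rules stay unconditional, whereas the AWS and Google Cloud rules in this same commit are gated with `count = "${var.networking == "flannel" ? 1 : 0}"`, so a calico cluster on Azure keeps an inbound UDP/4789 allow from both subnets toward a port nothing listens on. If the Azure module exposes the same `networking` variable (not visible in this hunk), adding that `count` line to both rules would bring the three providers into line and keep the calico NSGs minimal. Changing `name` from `allow-flannel` to `allow-vxlan` also replaces the NSG rule rather than updating it, so a short gap in overlay connectivity during apply is possible on existing flannel clusters. A comment such as `# flannel VXLAN overlay (UDP 4789); calico clusters do not use this port` above each resource would record the intent.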
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=b96d641f6d42cf5d9bf3ac36f557aa21cc157680"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=fc7a6fb20abe41ccd40f3449ee8ee7bba7bd9932"
 
 cluster_name = "${var.cluster_name}"
 api_servers = ["${var.k8s_domain_name}"]
diff --git a/bare-metal/fedora-atomic/kubernetes/bootkube.tf b/bare-metal/fedora-atomic/kubernetes/bootkube.tf
index 25eb150a..f57c7e8c 100644
--- a/bare-metal/fedora-atomic/kubernetes/bootkube.tf
+++ b/bare-metal/fedora-atomic/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=b96d641f6d42cf5d9bf3ac36f557aa21cc157680"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=fc7a6fb20abe41ccd40f3449ee8ee7bba7bd9932"
 
 cluster_name = "${var.cluster_name}"
 api_servers = ["${var.k8s_domain_name}"]
diff --git a/digital-ocean/container-linux/kubernetes/bootkube.tf b/digital-ocean/container-linux/kubernetes/bootkube.tf
index df06e23c..911c90fe 100644
--- a/digital-ocean/container-linux/kubernetes/bootkube.tf
+++ b/digital-ocean/container-linux/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=b96d641f6d42cf5d9bf3ac36f557aa21cc157680"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=fc7a6fb20abe41ccd40f3449ee8ee7bba7bd9932"
 
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/digital-ocean/container-linux/kubernetes/network.tf b/digital-ocean/container-linux/kubernetes/network.tf
index 52cf7fb1..76342f66 100644
--- a/digital-ocean/container-linux/kubernetes/network.tf
+++ b/digital-ocean/container-linux/kubernetes/network.tf
@@ -12,7 +12,7 @@ resource "digitalocean_firewall" "rules" {
 },
 {
 protocol = "udp"
- port_range = "8472"
+ port_range = "4789"
 source_tags = ["${digitalocean_tag.controllers.name}", "${digitalocean_tag.workers.name}"]
 },
 {
diff --git a/digital-ocean/fedora-atomic/kubernetes/bootkube.tf b/digital-ocean/fedora-atomic/kubernetes/bootkube.tf
index 801ec6b4..fff4b5de 100644
--- a/digital-ocean/fedora-atomic/kubernetes/bootkube.tf
+++ b/digital-ocean/fedora-atomic/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=b96d641f6d42cf5d9bf3ac36f557aa21cc157680"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=fc7a6fb20abe41ccd40f3449ee8ee7bba7bd9932"
 
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/google-cloud/container-linux/kubernetes/bootkube.tf b/google-cloud/container-linux/kubernetes/bootkube.tf
index ca1718da..1c1b7965 100644
--- a/google-cloud/container-linux/kubernetes/bootkube.tf
+++ b/google-cloud/container-linux/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=b96d641f6d42cf5d9bf3ac36f557aa21cc157680"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=fc7a6fb20abe41ccd40f3449ee8ee7bba7bd9932"
 
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/google-cloud/container-linux/kubernetes/network.tf b/google-cloud/container-linux/kubernetes/network.tf
index 04496186..e4d698cc 100644
--- a/google-cloud/container-linux/kubernetes/network.tf
+++ b/google-cloud/container-linux/kubernetes/network.tf
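Review bot: The DigitalOcean rule element that now reads `port_range = "4789"` carries no comment saying what the port is for, unlike the `# flannel VXLAN` comment the Google Cloud hunk of this commit adds; since a list element has no resource name to convey meaning, I would put `# flannel VXLAN overlay (UDP 4789)` on the line above its opening `{`. This rule is also not conditioned on the networking choice, though whether the DigitalOcean module offers a `networking` variable is not visible here, so this may simply be the module's only supported provider. The enclosing `digitalocean_firewall` rules list begins and ends outside the hunk.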
@@ -78,16 +78,16 @@ resource "google_compute_firewall" "internal-bgp" {
 target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
 }
 
-# flannel
-resource "google_compute_firewall" "internal-flannel" {
+# flannel VXLAN
+resource "google_compute_firewall" "internal-vxlan" {
 count = "${var.networking == "flannel" ? 1 : 0}"
 
- name = "${var.cluster_name}-internal-flannel"
+ name = "${var.cluster_name}-internal-vxlan"
 network = "${google_compute_network.network.name}"
 
 allow {
 protocol = "udp"
- ports = [8472]
+ ports = [4789]
 }
 
 source_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
diff --git a/google-cloud/fedora-atomic/kubernetes/bootkube.tf b/google-cloud/fedora-atomic/kubernetes/bootkube.tf
index 88ab8812..eafe60aa 100644
--- a/google-cloud/fedora-atomic/kubernetes/bootkube.tf
+++ b/google-cloud/fedora-atomic/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=b96d641f6d42cf5d9bf3ac36f557aa21cc157680"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=fc7a6fb20abe41ccd40f3449ee8ee7bba7bd9932"
 
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/google-cloud/fedora-atomic/kubernetes/network.tf b/google-cloud/fedora-atomic/kubernetes/network.tf
index a507ce8e..ecfe7ae7 100644
--- a/google-cloud/fedora-atomic/kubernetes/network.tf
+++ b/google-cloud/fedora-atomic/kubernetes/network.tf
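Review bot: The `# flannel VXLAN` comment does not say why the rule is conditional or why the port moved, so a reader of a calico cluster's plan may wonder where the VXLAN rule went; I would expand it to `# flannel VXLAN overlay (UDP 4789, IANA-assigned); created only when networking = "flannel"`. Renaming both the resource (`internal-flannel` → `internal-vxlan`) and its `name` attribute replaces the firewall rule on apply rather than updating it, so an existing flannel cluster sees a window without any allow rule, in addition to needing its flannel DaemonSet switched to 4789 before the 8472 rule disappears. The resource's `target_tags` and closing brace lie outside the hunk. The google-cloud/fedora-atomic/kubernetes/network.tf hunk is identical and the same note applies there.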
@@ -78,16 +78,16 @@ resource "google_compute_firewall" "internal-bgp" {
 target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
 }
 
-# flannel
-resource "google_compute_firewall" "internal-flannel" {
+# flannel VXLAN
+resource "google_compute_firewall" "internal-vxlan" {
 count = "${var.networking == "flannel" ? 1 : 0}"
 
- name = "${var.cluster_name}-internal-flannel"
+ name = "${var.cluster_name}-internal-vxlan"
 network = "${google_compute_network.network.name}"
 
 allow {
 protocol = "udp"
- ports = [8472]
+ ports = [4789]
 }
 
 source_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]