CadolesKube
/
typhoon
mirror of https://github.com/puppetmaster/typhoon.git
7
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Change flannel port from 8472 to 4789 

* Change flannel port from the kernel default 8472 to the
IANA assigned VXLAN port 4789
* Update firewall rules or security groups for VXLAN
* Why now? Calico now offers its own VXLAN backend so
standardizing on the IANA port will simplify config
* https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan
This commit is contained in:
Dalton Hubble 2019-05-06 21:56:38 -07:00
parent 2d19ab8457
commit af18296bc5
16 changed files with 97 additions and 76 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGES.md
View File

@ -6,6 +6,11 @@ Notable changes between versions.
* Update etcd from v3.3.12 to [v3.3.13](https://github.com/etcd-io/etcd/releases/tag/v3.3.13) * Update etcd from v3.3.12 to [v3.3.13](https://github.com/etcd-io/etcd/releases/tag/v3.3.13)
* Upgrade Calico from v3.6.1 to [v3.7.0](https://docs.projectcalico.org/v3.7/release-notes/) * Upgrade Calico from v3.6.1 to [v3.7.0](https://docs.projectcalico.org/v3.7/release-notes/)
* Change flannel port from 8472 (kernel default) to 4789 (IANA VXLAN)
#### AWS
* Only set internal VXLAN rules when `networking` is flannel (default: calico)
#### Addons #### Addons

2
aws/container-linux/kubernetes/bootkube.tf
View File

@ -1,6 +1,6 @@
# Self-hosted Kubernetes assets (kubeconfig, manifests) # Self-hosted Kubernetes assets (kubeconfig, manifests)
module "bootkube" { module "bootkube" {
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=b96d641f6d42cf5d9bf3ac36f557aa21cc157680" source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=fc7a6fb20abe41ccd40f3449ee8ee7bba7bd9932"
cluster_name = "${var.cluster_name}" cluster_name = "${var.cluster_name}"
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"] api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]

60
aws/container-linux/kubernetes/security.tf
View File

@ -42,6 +42,30 @@ resource "aws_security_group_rule" "controller-etcd-metrics" {
source_security_group_id = "${aws_security_group.worker.id}" source_security_group_id = "${aws_security_group.worker.id}"
} }
resource "aws_security_group_rule" "controller-vxlan" {
count = "${var.networking == "flannel" ? 1 : 0}"
security_group_id = "${aws_security_group.controller.id}"
type = "ingress"
protocol = "udp"
from_port = 4789
to_port = 4789
source_security_group_id = "${aws_security_group.worker.id}"
}
resource "aws_security_group_rule" "controller-vxlan-self" {
count = "${var.networking == "flannel" ? 1 : 0}"
security_group_id = "${aws_security_group.controller.id}"
type = "ingress"
protocol = "udp"
from_port = 4789
to_port = 4789
self = true
}
resource "aws_security_group_rule" "controller-apiserver" { resource "aws_security_group_rule" "controller-apiserver" {
security_group_id = "${aws_security_group.controller.id}" security_group_id = "${aws_security_group.controller.id}"
@ -52,26 +76,6 @@ resource "aws_security_group_rule" "controller-apiserver" {
cidr_blocks = ["0.0.0.0/0"] cidr_blocks = ["0.0.0.0/0"]
} }
resource "aws_security_group_rule" "controller-flannel" {
security_group_id = "${aws_security_group.controller.id}"
type = "ingress"
protocol = "udp"
from_port = 8472
to_port = 8472
source_security_group_id = "${aws_security_group.worker.id}"
}
resource "aws_security_group_rule" "controller-flannel-self" {
security_group_id = "${aws_security_group.controller.id}"
type = "ingress"
protocol = "udp"
from_port = 8472
to_port = 8472
self = true
}
# Allow Prometheus to scrape node-exporter daemonset # Allow Prometheus to scrape node-exporter daemonset
resource "aws_security_group_rule" "controller-node-exporter" { resource "aws_security_group_rule" "controller-node-exporter" {
security_group_id = "${aws_security_group.controller.id}" security_group_id = "${aws_security_group.controller.id}"
@ -216,23 +220,27 @@ resource "aws_security_group_rule" "worker-https" {
cidr_blocks = ["0.0.0.0/0"] cidr_blocks = ["0.0.0.0/0"]
} }
resource "aws_security_group_rule" "worker-flannel" { resource "aws_security_group_rule" "worker-vxlan" {
count = "${var.networking == "flannel" ? 1 : 0}"
security_group_id = "${aws_security_group.worker.id}" security_group_id = "${aws_security_group.worker.id}"
type = "ingress" type = "ingress"
protocol = "udp" protocol = "udp"
from_port = 8472 from_port = 4789
to_port = 8472 to_port = 4789
source_security_group_id = "${aws_security_group.controller.id}" source_security_group_id = "${aws_security_group.controller.id}"
} }
resource "aws_security_group_rule" "worker-flannel-self" { resource "aws_security_group_rule" "worker-vxlan-self" {
count = "${var.networking == "flannel" ? 1 : 0}"
security_group_id = "${aws_security_group.worker.id}" security_group_id = "${aws_security_group.worker.id}"
type = "ingress" type = "ingress"
protocol = "udp" protocol = "udp"
from_port = 8472 from_port = 4789
to_port = 8472 to_port = 4789
self = true self = true
} }

2
aws/fedora-atomic/kubernetes/bootkube.tf
View File

@ -1,6 +1,6 @@
# Self-hosted Kubernetes assets (kubeconfig, manifests) # Self-hosted Kubernetes assets (kubeconfig, manifests)
module "bootkube" { module "bootkube" {
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=b96d641f6d42cf5d9bf3ac36f557aa21cc157680" source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=fc7a6fb20abe41ccd40f3449ee8ee7bba7bd9932"
cluster_name = "${var.cluster_name}" cluster_name = "${var.cluster_name}"
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"] api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]

60
aws/fedora-atomic/kubernetes/security.tf
View File

@ -42,6 +42,30 @@ resource "aws_security_group_rule" "controller-etcd-metrics" {
source_security_group_id = "${aws_security_group.worker.id}" source_security_group_id = "${aws_security_group.worker.id}"
} }
resource "aws_security_group_rule" "controller-vxlan" {
count = "${var.networking == "flannel" ? 1 : 0}"
security_group_id = "${aws_security_group.controller.id}"
type = "ingress"
protocol = "udp"
from_port = 4789
to_port = 4789
source_security_group_id = "${aws_security_group.worker.id}"
}
resource "aws_security_group_rule" "controller-vxlan-self" {
count = "${var.networking == "flannel" ? 1 : 0}"
security_group_id = "${aws_security_group.controller.id}"
type = "ingress"
protocol = "udp"
from_port = 4789
to_port = 4789
self = true
}
resource "aws_security_group_rule" "controller-apiserver" { resource "aws_security_group_rule" "controller-apiserver" {
security_group_id = "${aws_security_group.controller.id}" security_group_id = "${aws_security_group.controller.id}"
@ -52,26 +76,6 @@ resource "aws_security_group_rule" "controller-apiserver" {
cidr_blocks = ["0.0.0.0/0"] cidr_blocks = ["0.0.0.0/0"]
} }
resource "aws_security_group_rule" "controller-flannel" {
security_group_id = "${aws_security_group.controller.id}"
type = "ingress"
protocol = "udp"
from_port = 8472
to_port = 8472
source_security_group_id = "${aws_security_group.worker.id}"
}
resource "aws_security_group_rule" "controller-flannel-self" {
security_group_id = "${aws_security_group.controller.id}"
type = "ingress"
protocol = "udp"
from_port = 8472
to_port = 8472
self = true
}
# Allow Prometheus to scrape node-exporter daemonset # Allow Prometheus to scrape node-exporter daemonset
resource "aws_security_group_rule" "controller-node-exporter" { resource "aws_security_group_rule" "controller-node-exporter" {
security_group_id = "${aws_security_group.controller.id}" security_group_id = "${aws_security_group.controller.id}"
@ -216,23 +220,27 @@ resource "aws_security_group_rule" "worker-https" {
cidr_blocks = ["0.0.0.0/0"] cidr_blocks = ["0.0.0.0/0"]
} }
resource "aws_security_group_rule" "worker-flannel" { resource "aws_security_group_rule" "worker-vxlan" {
count = "${var.networking == "flannel" ? 1 : 0}"
security_group_id = "${aws_security_group.worker.id}" security_group_id = "${aws_security_group.worker.id}"
type = "ingress" type = "ingress"
protocol = "udp" protocol = "udp"
from_port = 8472 from_port = 4789
to_port = 8472 to_port = 4789
source_security_group_id = "${aws_security_group.controller.id}" source_security_group_id = "${aws_security_group.controller.id}"
} }
resource "aws_security_group_rule" "worker-flannel-self" { resource "aws_security_group_rule" "worker-vxlan-self" {
count = "${var.networking == "flannel" ? 1 : 0}"
security_group_id = "${aws_security_group.worker.id}" security_group_id = "${aws_security_group.worker.id}"
type = "ingress" type = "ingress"
protocol = "udp" protocol = "udp"
from_port = 8472 from_port = 4789
to_port = 8472 to_port = 4789
self = true self = true
} }

2
azure/container-linux/kubernetes/bootkube.tf
View File

@ -1,6 +1,6 @@
# Self-hosted Kubernetes assets (kubeconfig, manifests) # Self-hosted Kubernetes assets (kubeconfig, manifests)
module "bootkube" { module "bootkube" {
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=b96d641f6d42cf5d9bf3ac36f557aa21cc157680" source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=fc7a6fb20abe41ccd40f3449ee8ee7bba7bd9932"
cluster_name = "${var.cluster_name}" cluster_name = "${var.cluster_name}"
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"] api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]

12
azure/container-linux/kubernetes/security.tf
View File

@ -68,17 +68,17 @@ resource "azurerm_network_security_rule" "controller-apiserver" {
destination_address_prefix = "${azurerm_subnet.controller.address_prefix}" destination_address_prefix = "${azurerm_subnet.controller.address_prefix}"
} }
resource "azurerm_network_security_rule" "controller-flannel" { resource "azurerm_network_security_rule" "controller-vxlan" {
resource_group_name = "${azurerm_resource_group.cluster.name}" resource_group_name = "${azurerm_resource_group.cluster.name}"
name = "allow-flannel" name = "allow-vxlan"
network_security_group_name = "${azurerm_network_security_group.controller.name}" network_security_group_name = "${azurerm_network_security_group.controller.name}"
priority = "2020" priority = "2020"
access = "Allow" access = "Allow"
direction = "Inbound" direction = "Inbound"
protocol = "Udp" protocol = "Udp"
source_port_range = "*" source_port_range = "*"
destination_port_range = "8472" destination_port_range = "4789"
source_address_prefixes = ["${azurerm_subnet.controller.address_prefix}", "${azurerm_subnet.worker.address_prefix}"] source_address_prefixes = ["${azurerm_subnet.controller.address_prefix}", "${azurerm_subnet.worker.address_prefix}"]
destination_address_prefix = "${azurerm_subnet.controller.address_prefix}" destination_address_prefix = "${azurerm_subnet.controller.address_prefix}"
} }
@ -204,17 +204,17 @@ resource "azurerm_network_security_rule" "worker-https" {
destination_address_prefix = "${azurerm_subnet.worker.address_prefix}" destination_address_prefix = "${azurerm_subnet.worker.address_prefix}"
} }
resource "azurerm_network_security_rule" "worker-flannel" { resource "azurerm_network_security_rule" "worker-vxlan" {
resource_group_name = "${azurerm_resource_group.cluster.name}" resource_group_name = "${azurerm_resource_group.cluster.name}"
name = "allow-flannel" name = "allow-vxlan"
network_security_group_name = "${azurerm_network_security_group.worker.name}" network_security_group_name = "${azurerm_network_security_group.worker.name}"
priority = "2015" priority = "2015"
access = "Allow" access = "Allow"
direction = "Inbound" direction = "Inbound"
protocol = "Udp" protocol = "Udp"
source_port_range = "*" source_port_range = "*"
destination_port_range = "8472" destination_port_range = "4789"
source_address_prefixes = ["${azurerm_subnet.controller.address_prefix}", "${azurerm_subnet.worker.address_prefix}"] source_address_prefixes = ["${azurerm_subnet.controller.address_prefix}", "${azurerm_subnet.worker.address_prefix}"]
destination_address_prefix = "${azurerm_subnet.worker.address_prefix}" destination_address_prefix = "${azurerm_subnet.worker.address_prefix}"
} }

2
bare-metal/container-linux/kubernetes/bootkube.tf
View File

@ -1,6 +1,6 @@
# Self-hosted Kubernetes assets (kubeconfig, manifests) # Self-hosted Kubernetes assets (kubeconfig, manifests)
module "bootkube" { module "bootkube" {
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=b96d641f6d42cf5d9bf3ac36f557aa21cc157680" source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=fc7a6fb20abe41ccd40f3449ee8ee7bba7bd9932"
cluster_name = "${var.cluster_name}" cluster_name = "${var.cluster_name}"
api_servers = ["${var.k8s_domain_name}"] api_servers = ["${var.k8s_domain_name}"]

2
bare-metal/fedora-atomic/kubernetes/bootkube.tf
View File

@ -1,6 +1,6 @@
# Self-hosted Kubernetes assets (kubeconfig, manifests) # Self-hosted Kubernetes assets (kubeconfig, manifests)
module "bootkube" { module "bootkube" {
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=b96d641f6d42cf5d9bf3ac36f557aa21cc157680" source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=fc7a6fb20abe41ccd40f3449ee8ee7bba7bd9932"
cluster_name = "${var.cluster_name}" cluster_name = "${var.cluster_name}"
api_servers = ["${var.k8s_domain_name}"] api_servers = ["${var.k8s_domain_name}"]

2
digital-ocean/container-linux/kubernetes/bootkube.tf
View File

@ -1,6 +1,6 @@
# Self-hosted Kubernetes assets (kubeconfig, manifests) # Self-hosted Kubernetes assets (kubeconfig, manifests)
module "bootkube" { module "bootkube" {
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=b96d641f6d42cf5d9bf3ac36f557aa21cc157680" source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=fc7a6fb20abe41ccd40f3449ee8ee7bba7bd9932"
cluster_name = "${var.cluster_name}" cluster_name = "${var.cluster_name}"
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"] api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]

2
digital-ocean/container-linux/kubernetes/network.tf
View File

@ -12,7 +12,7 @@ resource "digitalocean_firewall" "rules" {
}, },
{ {
protocol = "udp" protocol = "udp"
port_range = "8472" port_range = "4789"
source_tags = ["${digitalocean_tag.controllers.name}", "${digitalocean_tag.workers.name}"] source_tags = ["${digitalocean_tag.controllers.name}", "${digitalocean_tag.workers.name}"]
}, },
{ {

2
digital-ocean/fedora-atomic/kubernetes/bootkube.tf
View File

@ -1,6 +1,6 @@
# Self-hosted Kubernetes assets (kubeconfig, manifests) # Self-hosted Kubernetes assets (kubeconfig, manifests)
module "bootkube" { module "bootkube" {
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=b96d641f6d42cf5d9bf3ac36f557aa21cc157680" source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=fc7a6fb20abe41ccd40f3449ee8ee7bba7bd9932"
cluster_name = "${var.cluster_name}" cluster_name = "${var.cluster_name}"
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"] api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]

2
google-cloud/container-linux/kubernetes/bootkube.tf
View File

@ -1,6 +1,6 @@
# Self-hosted Kubernetes assets (kubeconfig, manifests) # Self-hosted Kubernetes assets (kubeconfig, manifests)
module "bootkube" { module "bootkube" {
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=b96d641f6d42cf5d9bf3ac36f557aa21cc157680" source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=fc7a6fb20abe41ccd40f3449ee8ee7bba7bd9932"
cluster_name = "${var.cluster_name}" cluster_name = "${var.cluster_name}"
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"] api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]

8
google-cloud/container-linux/kubernetes/network.tf
View File

@ -78,16 +78,16 @@ resource "google_compute_firewall" "internal-bgp" {
target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"] target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
} }
# flannel # flannel VXLAN
resource "google_compute_firewall" "internal-flannel" { resource "google_compute_firewall" "internal-vxlan" {
count = "${var.networking == "flannel" ? 1 : 0}" count = "${var.networking == "flannel" ? 1 : 0}"
name = "${var.cluster_name}-internal-flannel" name = "${var.cluster_name}-internal-vxlan"
network = "${google_compute_network.network.name}" network = "${google_compute_network.network.name}"
allow { allow {
protocol = "udp" protocol = "udp"
ports = [8472] ports = [4789]
} }
source_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"] source_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]

2
google-cloud/fedora-atomic/kubernetes/bootkube.tf
View File

@ -1,6 +1,6 @@
# Self-hosted Kubernetes assets (kubeconfig, manifests) # Self-hosted Kubernetes assets (kubeconfig, manifests)
module "bootkube" { module "bootkube" {
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=b96d641f6d42cf5d9bf3ac36f557aa21cc157680" source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=fc7a6fb20abe41ccd40f3449ee8ee7bba7bd9932"
cluster_name = "${var.cluster_name}" cluster_name = "${var.cluster_name}"
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"] api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]

8
google-cloud/fedora-atomic/kubernetes/network.tf
View File

@ -78,16 +78,16 @@ resource "google_compute_firewall" "internal-bgp" {
target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"] target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
} }
# flannel # flannel VXLAN
resource "google_compute_firewall" "internal-flannel" { resource "google_compute_firewall" "internal-vxlan" {
count = "${var.networking == "flannel" ? 1 : 0}" count = "${var.networking == "flannel" ? 1 : 0}"
name = "${var.cluster_name}-internal-flannel" name = "${var.cluster_name}-internal-vxlan"
network = "${google_compute_network.network.name}" network = "${google_compute_network.network.name}"
allow { allow {
protocol = "udp" protocol = "udp"
ports = [8472] ports = [4789]
} }
source_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"] source_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]