|
3 | 3 | **Table of Contents** *generated with [DocToc](https://github.com/thlorenz/doctoc)* |
4 | 4 |
|
5 | 5 | - [Required configuration](#required-configuration) |
6 | | - - [OpenStack Version](#openstack-version) |
| 6 | + - [OpenStack version](#openstack-version) |
7 | 7 | - [Operating system image](#operating-system-image) |
8 | 8 | - [SSH key pair](#ssh-key-pair) |
9 | 9 | - [OpenStack credential](#openstack-credential) |
|
19 | 19 | - [Multiple Networks](#multiple-networks) |
20 | 20 | - [Subnet Filters](#subnet-filters) |
21 | 21 | - [Ports](#ports) |
| 22 | + - [Security groups](#security-groups) |
22 | 23 | - [Tagging](#tagging) |
23 | 24 | - [Metadata](#metadata) |
24 | 25 | - [Boot From Volume](#boot-from-volume) |
@@ -77,19 +78,9 @@ openstack keypair create [--public-key <file> | --private-key <file>] <name> |
77 | 78 |
|
78 | 79 | The key pair name must be exposed as an environment variable `OPENSTACK_SSH_KEY_NAME`. |
79 | 80 |
|
80 | | -If you want to login to each machine by ssh, you can [access nodes through the bastion host via SSH](#accessing-nodes-through-the-bastion-host-via-ssh). Otherwise you have to configure security groups. If `spec.managedSecurityGroups` of `OpenStackCluster` set to true, two security groups will be created and added to the instances. One is `k8s-cluster-${NAMESPACE}-${CLUSTER_NAME}-secgroup-controlplane`, another is `k8s-cluster-${NAMESPACE}-${CLUSTER_NAME}-secgroup-worker`. These security group rules include the kubeadm's [Check required ports](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#check-required-ports) so that each node can not be logged in through ssh by default. Please add pre-existing security group allowing ssh port to OpenStackMachineTemplate spec. Here is an example: |
81 | | - |
82 | | -```yaml |
83 | | -apiVersion: infrastructure.cluster.x-k8s.io/v1alpha4 |
84 | | -kind: OpenStackMachineTemplate |
85 | | -metadata: |
86 | | - name: ${CLUSTER_NAME}-control-plane |
87 | | -spec: |
88 | | - template: |
89 | | - spec: |
90 | | - securityGroups: |
91 | | - - name: allow-ssh |
92 | | -``` |
| 81 | +In order to access cluster nodes via SSH, you must either |
| 82 | +[access nodes through the bastion host](#accessing-nodes-through-the-bastion-host-via-ssh) |
| 83 | +or [configure custom security groups](#security-groups) with rules allowing ingress for port 22. |
93 | 84 |
|
94 | 85 | ## OpenStack credential |
95 | 86 |
|
@@ -255,6 +246,47 @@ spec: |
255 | 246 | ... |
256 | 247 | ``` |
257 | 248 |
|
| 249 | +## Security groups |
| 250 | + |
| 251 | +Security groups are used to determine which ports of the cluster nodes are accessible from where. |
| 252 | + |
| 253 | +If `spec.managedSecurityGroups` of `OpenStackCluster` is set to `true`, two security groups named |
| 254 | +`k8s-cluster-${NAMESPACE}-${CLUSTER_NAME}-secgroup-controlplane` and |
| 255 | +`k8s-cluster-${NAMESPACE}-${CLUSTER_NAME}-secgroup-worker` will be created and added to the control |
| 256 | +plane and worker nodes respectively. |
| 257 | + |
| 258 | +By default, these groups have rules that allow the following traffic: |
| 259 | + |
| 260 | + * Control plane nodes |
| 261 | + * API server traffic from anywhere |
| 262 | + * Etcd traffic from other control plane nodes |
| 263 | + * Kubelet traffic from other cluster nodes |
| 264 | + * Calico CNI traffic from other cluster nodes |
| 265 | + * Worker nodes |
| 266 | + * Node port traffic from anywhere |
| 267 | + * Kubelet traffic from other cluster nodes |
| 268 | + * Calico CNI traffic from other cluster nodes |
| 269 | + |
| 270 | +To use a CNI other than Calico, the flag `OpenStackCluster.spec.allowAllInClusterTraffic` can be |
| 271 | +set to `true`. With this flag set, the rules for the managed security groups permit all traffic |
| 272 | +between cluster nodes on all ports and protocols (API server and node port traffic is still |
| 273 | +permitted from anywhere, as with the default rules). |
| 274 | + |
| 275 | +If this is not flexible enough, pre-existing security groups can be added to the |
| 276 | +spec of an `OpenStackMachineTemplate`, e.g.: |
| 277 | + |
| 278 | +```yaml |
| 279 | +apiVersion: infrastructure.cluster.x-k8s.io/v1alpha4 |
| 280 | +kind: OpenStackMachineTemplate |
| 281 | +metadata: |
| 282 | + name: ${CLUSTER_NAME}-control-plane |
| 283 | +spec: |
| 284 | + template: |
| 285 | + spec: |
| 286 | + securityGroups: |
| 287 | + - name: allow-ssh |
| 288 | +``` |
| 289 | + |
258 | 290 | ## Tagging |
259 | 291 |
|
260 | 292 | You have the ability to tag all resources created by the cluster in the `cluster.yaml` file. Here is an example how to configure tagging: |
|
0 commit comments