Kubeadm: Document source components for required ports for master and worker nodes

Created on 25 Apr 2018  路  2Comments  路  Source: kubernetes/kubeadm

In the "Installing kubeadm" document, the "Check required ports" section indicates the inbound port ranges required for various components and purposes. However, it does not indicate _which other components open connections on these ports_.

When writing firewall rules for the cluster鈥攕uch as with AWS security group rules鈥攊t's necessary to specify the source of the inbound traffic, whether with IP addresses or logical groups of client machines (security groups). It would help if these "required ports" tables had one more column that indicated _from where we can expect the connections on each of these ports to originate_.

For instance, I _think_鈥攂ut am not sure鈥攖hat the _kubelets_ on worker nodes connect to the API server, and, conversely, the API server connects to them for _kubectl exec_ and _kubectl logs_. What else connects to the "Kubelet API" port (10250) on the nodes? How about the "Read-only Kubelet API" port (10255). Does anything connect to the "etcd server client API" ports other than the API server?

I expect that I could resolve these questions after a long period of experimentation, incrementally relaxing the firewall's restrictions by diagnosing the logs, but we could save people that time and effort by documenting the source of this traffic in this table.

I concede that it's _possible_ to write firewall rules that allow this inbound traffic to originate anywhere, but I'd prefer to be more specific.

What keywords did you search in kubeadm issues before filing this one?

_install required ports source_

Is this a BUG REPORT or FEATURE REQUEST?

FEATURE REQUEST

This is either a defect in the existing documentation or a request to improve the documentation as a feature; I could argue it either way.

What happened?

I studied the documentation, but found that it lacked details that I need in order to write proper firewall rules for my cluster.

What you expected to happen?

The two aforementioned tables would mention which components connect to which others on which ports.

Anything else we need to know?

If we're able to at least collect the facts in subsequent discussion here, I'm willing to submit a PR to update the tables, though the width might be a problem with a fifth column.

kindocumentation prioritimportant-longterm
Source
picture seh

Most helpful comment

Agreed, we could definitely expand the docs here.
We have built tools that do this downstream and we should outline.
xref 1: https://github.com/heptiolabs/wardroom
xref 2: https://github.com/heptio/aws-quickstart

picture timothysc on 25 Apr 2018
👍3

All 2 comments

Agreed, we could definitely expand the docs here.
We have built tools that do this downstream and we should outline.
xref 1: https://github.com/heptiolabs/wardroom
xref 2: https://github.com/heptio/aws-quickstart

timothysc picture timothysc on 25 Apr 2018
👍3

Thanks. I think I found the pertinent portion of the AWS Quickstart template here.

My current set of rules are narrower and more specific than those, but I have no confidence yet that they're correct. I was trying to express what's in those tables, using a security group for each of the following categories, anticipating that some machines will adopt more than one group:

  • load balancer
  • API server
  • other master components
  • _etcd_
  • node
seh picture seh on 25 Apr 2018
Was this page helpful?
0 / 5 - 0 ratings

Related issues

bruceauyeung picture bruceauyeung  路  4Comments
chuckha picture chuckha  路  3Comments
ggee picture ggee  路  4Comments
RakeshNagarajan picture RakeshNagarajan  路  4Comments
ggaaooppeenngg picture ggaaooppeenngg  路  4Comments