kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

New OpenStack security group rules to allow scraping of metrics for 

kubeControllerManager and kubeScheduler
This commit is contained in:
Federico Chiacchiaretta 2023-06-07 18:02:00 +02:00
parent a9c1d14fcc
commit 110dd89eaf
No known key found for this signature in database
GPG Key ID: AB1DBFD6336243AB
1 changed files with 48 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
pkg/model/openstackmodel/firewall.go
View File

@ -378,6 +378,50 @@ func (b *FirewallModelBuilder) addNodeExporterAndOccmRules(c *fi.CloudupModelBui
return nil return nil
} }
// addKubeControllerManagerMetricsRules - Add rules to 10257 port
func (b *FirewallModelBuilder) addKubeControllerManagerMetricsRules(c *fi.CloudupModelBuilderContext, sgMap map[string]*openstacktasks.SecurityGroup) error {
// TODO: This is the default port for kube-controller-manager metrics and may be overridden
masterName := b.SecurityGroupName(kops.InstanceGroupRoleControlPlane)
nodeName := b.SecurityGroupName(kops.InstanceGroupRoleNode)
masterSG := sgMap[masterName]
nodeSG := sgMap[nodeName]
kubeControllerManagerMetricsRule := &openstacktasks.SecurityGroupRule{
Lifecycle: b.Lifecycle,
Direction: s(string(rules.DirIngress)),
Protocol: s(IPProtocolTCP),
EtherType: s(IPV4),
PortRangeMin: i(10257),
PortRangeMax: i(10257),
}
// allow port 10257 from nodeSG to masterSG
b.addDirectionalGroupRule(c, masterSG, nodeSG, kubeControllerManagerMetricsRule)
return nil
}
// addKubeSchedulerMetricsRules - Add rules to 10259 port
func (b *FirewallModelBuilder) addKubeSchedulerMetricsRules(c *fi.CloudupModelBuilderContext, sgMap map[string]*openstacktasks.SecurityGroup) error {
// TODO: This is the default port for kube-scheduler metrics and may be overridden
masterName := b.SecurityGroupName(kops.InstanceGroupRoleControlPlane)
nodeName := b.SecurityGroupName(kops.InstanceGroupRoleNode)
masterSG := sgMap[masterName]
nodeSG := sgMap[nodeName]
kubeSchedulerMetricsRule := &openstacktasks.SecurityGroupRule{
Lifecycle: b.Lifecycle,
Direction: s(string(rules.DirIngress)),
Protocol: s(IPProtocolTCP),
EtherType: s(IPV4),
PortRangeMin: i(10259),
PortRangeMax: i(10259),
}
// allow port 10259 from nodeSG to masterSG
b.addDirectionalGroupRule(c, masterSG, nodeSG, kubeSchedulerMetricsRule)
return nil
}
// addDNSRules - Add DNS rules for internal DNS queries // addDNSRules - Add DNS rules for internal DNS queries
func (b *FirewallModelBuilder) addDNSRules(c *fi.CloudupModelBuilderContext, sgMap map[string]*openstacktasks.SecurityGroup) error { func (b *FirewallModelBuilder) addDNSRules(c *fi.CloudupModelBuilderContext, sgMap map[string]*openstacktasks.SecurityGroup) error {
masterName := b.SecurityGroupName(kops.InstanceGroupRoleControlPlane) masterName := b.SecurityGroupName(kops.InstanceGroupRoleControlPlane)
@ -678,6 +722,10 @@ func (b *FirewallModelBuilder) Build(c *fi.CloudupModelBuilderContext) error {
b.addKubeletRules(c, sgMap) b.addKubeletRules(c, sgMap)
// Add Node exporter and occm metrics Rules // Add Node exporter and occm metrics Rules
b.addNodeExporterAndOccmRules(c, sgMap) b.addNodeExporterAndOccmRules(c, sgMap)
// Add kube controller manager metrics Rules
b.addKubeControllerManagerMetricsRules(c, sgMap)
// Add kube scheduler metrics Rules
b.addKubeSchedulerMetricsRules(c, sgMap)
// Protokube Rules // Protokube Rules
b.addProtokubeRules(c, sgMap) b.addProtokubeRules(c, sgMap)
// Kops-controller Rules // Kops-controller Rules