From 1cf7800f45dffd0994a56e541c8f80d3f474aec7 Mon Sep 17 00:00:00 2001 From: Billy Tat Date: Mon, 10 Jul 2023 20:02:46 -0700 Subject: [PATCH] Add partials for Hugo shortcodes from migration --- docs/os/os.md | 8 +- docs/shared-files/_ports-rke-nodes.md | 9 +++ docs/shared-files/_requirements_ports_rke.md | 81 ++++++++++++++++++++ 3 files changed, 96 insertions(+), 2 deletions(-) create mode 100644 docs/shared-files/_ports-rke-nodes.md create mode 100644 docs/shared-files/_requirements_ports_rke.md diff --git a/docs/os/os.md b/docs/os/os.md index 3d30c74..f2e096a 100644 --- a/docs/os/os.md +++ b/docs/os/os.md @@ -290,8 +290,12 @@ For hardware recommendations for large Kubernetes clusters, refer to the officia For hardware recommendations for etcd clusters in production, refer to the official [etcd documentation](https://etcd.io/docs/v3.5/op-guide/hardware/). ## Ports -{{< ports-rke-nodes >}} -{{< requirements_ports_rke >}} +import PortsRKENodes from '../shared-files/_ports-rke-nodes.md'; +import RequirementsPortsRKE from '../shared-files/_requirements_ports_rke.md'; + + + + If you are using an external firewall, make sure you have this port opened between the machine you are using to run `rke` and the nodes that you are going to use in the cluster. diff --git a/docs/shared-files/_ports-rke-nodes.md b/docs/shared-files/_ports-rke-nodes.md new file mode 100644 index 0000000..4f7fc36 --- /dev/null +++ b/docs/shared-files/_ports-rke-nodes.md @@ -0,0 +1,9 @@ +**RKE node:** +Node that runs the `rke` commands + +### RKE node - Outbound rules + +| Protocol | Port | Source | Destination | Description | +| --- | --- | --- | --- | --- | +| TCP | 22 | RKE node | Any node configured in Cluster Configuration File | SSH provisioning of node by RKE | +| TCP | 6443 | RKE node | Control plane nodes | Kubernetes API server | diff --git a/docs/shared-files/_requirements_ports_rke.md b/docs/shared-files/_requirements_ports_rke.md new file mode 100644 index 0000000..f482726 --- /dev/null 
+++ b/docs/shared-files/_requirements_ports_rke.md @@ -0,0 +1,81 @@ +**etcd nodes:** Nodes with the role **etcd** + +### etcd nodes - Inbound rules + +| Protocol | Port | Source | Description | +| --- | --- | --- | --- | +| TCP | 2376 | Rancher nodes | Docker daemon TLS port used by Docker Machine (only needed when using Node Driver/Templates) | +| TCP | 2379 |
  • etcd nodes
  • controlplane nodes
| etcd client requests | +| TCP | 2380 |
  • etcd nodes
  • controlplane nodes
| etcd peer communication | +| UDP | 8472 |
  • etcd nodes
  • controlplane nodes
  • worker nodes
| Canal/Flannel VXLAN overlay networking | +| TCP | 9099 |
  • etcd node itself ([local traffic](#information-on-local-node-traffic), not across nodes)
| Canal/Flannel livenessProbe/readinessProbe | +| TCP | 10250 |
  • Metrics server communications with all nodes
| kubelet | + +### etcd nodes - Outbound rules + +| Protocol | Port | Destination | Description | +| --- | --- | --- | --- | +| TCP | 443 |
  • Rancher nodes
| Rancher agent | +| TCP | 379|
  • etcd nodes
| etcd client requests | +| TCP | 2380 |
  • etcd nodes
| etcd peer communication | +| TCP | 6443 |
  • controlplane nodes
| Kubernetes apiserver | +| UDP | 8472 |
  • etcd nodes
  • controlplane nodes
  • worker nodes
| Canal/Flannel VXLAN overlay networking | +| TCP | 9099 |
  • etcd node itself ([local traffic](#information-on-local-node-traffic), not across nodes)
| Canal/Flannel livenessProbe/readinessProbe | + +**controlplane nodes:** Nodes with the role **controlplane** + +### controlplane nodes - Inbound rules + +| Protocol | Port | Source | Description | +| -------- | ---- | -------| ----------- | +| TCP | 80 |
  • Any that consumes Ingress services
| Ingress controller (HTTP) | +| TCP | 443 |
  • Any that consumes Ingress services
| Ingress controller (HTTPS) | +| TCP | 2376 |
  • Rancher nodes
| Docker daemon TLS port used by Docker Machine (only needed when using Node Driver/Templates) | +| TCP | 6443 |
  • etcd nodes
  • controlplane nodes
  • worker nodes
| Kubernetes apiserver | +| UDP | 472 |
  • etcd nodes
  • controlplane nodes
  • worker nodes
| Canal/Flannel VXLAN overlay networking | +| TCP | 9099 |
  • controlplane node itself ([local traffic](#information-on-local-node-traffic), not across nodes)
| Canal/Flannel livenessProbe/readinessProbe | +| TCP | 10250 |
  • Metrics server communications with all nodes
| kubelet | +| TCP | 10254 |
  • controlplane node itself ([local traffic](#information-on-local-node-traffic), not across nodes)
| Ingress controller livenessProbe/readinessProbe | +| TCP/UDP | 30000-32767 |
  • Any source that consumes NodePort services
| NodePort port range | + +### controlplane nodes - Outbound rules + +| Protocol | Port | Destination | Description | +| -------- | ---- | ----------- | ----------- | +| TCP | 443 |
  • Rancher nodes
| Rancher agent | +| TCP | 2379 |
  • etcd nodes
| etcd client requests | +| TCP | 2380 |
  • etcd nodes
| etcd peer communication | +| UDP | 8472 |
  • etcd nodes
  • controlplane nodes
  • worker nodes
| Canal/Flannel VXLAN overlay networking | +| TCP | 9099 |
  • controlplane node itself ([local traffic](#information-on-local-node-traffic), not across nodes)
| Canal/Flannel livenessProbe/readinessProbe | +| TCP | 10250 |
  • etcd nodes
  • controlplane nodes
  • worker nodes
| kubelet | TCP | 10254 |
  • controlplane node itself ([local traffic](#information-on-local-node-traffic), not across nodes)
| Ingress controller livenessProbe/readinessProbe | + +**Worker nodes:** Nodes with the role **worker** + +### Worker nodes - Inbound rules + +| Protocol | Port | Source | Description | +| -------- | ---- | ------ | ----------- | +| TCP | 22 |
  • **Linux worker nodes only**
  • Any network that you want to be able to remotely access this node from.
| Remote access over SSH | +| TCP | 3389 |
  • **Windows worker nodes only**
  • Any network that you want to be able to remotely access this node from.
| Remote access over RDP | +| TCP | 80 |
  • Any that consumes Ingress services
| Ingress controller (HTTP) | +| TCP | 443 |
  • Any that consumes Ingress services
| Ingress controller (HTTPS) | +| TCP | 2376 |
  • Rancher nodes
| Docker daemon TLS port used by Docker Machine only needed when using Node Driver/Templates) | +| UDP | 8472 |
  • etcd nodes
  • controlplane nodes
  • worker nodes
| Canal/Flannel VXLAN overlay networking | +| TCP | 9099 |
  • worker node itself ([local traffic](#information-on-local-node-traffic), not across nodes)
| Canal/Flannel livenessProbe/readinessProbe | +| TCP | 10250 |
  • Metrics server communications with all nodes
| kubelet | +| TCP | 10254 |
  • worker node itself ([local traffic](#information-on-local-node-traffic), not across nodes)
| Ingress controller livenessProbe/readinessProbe | +| TCP/UDP | 30000-32767 |
  • Any source that consumes NodePort services
| NodePort port range | + +### Worker nodes - Outbound rules + +| Protocol | Port | Destination | Description | +| -------- | ---- | ----------- | ----------- | +| TCP | 443 |
  • Rancher nodes
| Rancher agent | +| TCP | 6443 |
  • controlplane nodes
| Kubernetes apiserver | +| UDP | 8472 |
  • etcd nodes
  • controlplane nodes
  • worker nodes
| Canal/Flannel VXLAN overlay networking | +| TCP | 9099 |
  • worker node itself ([local traffic](#information-on-local-node-traffic), not across nodes)
| Canal/Flannel livenessProbe/readinessProbe | +| TCP | 10254 |
  • worker node itself ([local traffic](#information-on-local-node-traffic), not across nodes)
| Ingress controller livenessProbe/readinessProbe | + +### Information on local node traffic + +Kubernetes health checks (`livenessProbe` and `readinessProbe`) are executed on the host itself. On most nodes, this is allowed by default. When you have applied strict host firewall (i.e., `ptables`) policies on the node, or when you are using nodes that have multiple interfaces (multi-homed), this traffic gets blocked. In this case, you have to explicitly allow this traffic in your host firewall, or in case of public/private cloud hosted machines (i.e. AWS or OpenStack), in your security group configuration. Keep in mind that when using a security group as Source or Destination in your security group, that this only applies to the private interface of the nodes/instances.
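Review bot: in the `docs/os/os.md` hunk, the two `import` lines are added but no component usage follows them: the added lines after the imports are empty (`+`, `+`, `+`, `+`), so `PortsRKENodes` and `RequirementsPortsRKE` are imported and never rendered, and the two port tables disappear from the page where the `{{< ports-rke-nodes >}}` / `{{< requirements_ports_rke >}}` shortcodes used to be. If the `<PortsRKENodes />` and `<RequirementsPortsRKE />` tags were stripped when this patch was rendered, ignore this; otherwise add them in place of the removed shortcodes and drop the surplus blank lines, since the following sentence ("make sure you have this port opened") depends on the RKE node table appearing right above it.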
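Review bot: in the `docs/shared-files/_ports-rke-nodes.md` hunk, the 6443 row uses "Control plane nodes" as the destination while the companion partial uses "controlplane nodes" (the RKE role name) throughout; use the same spelling so readers can match the rule to the role in their cluster configuration file.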
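Review bot: in the `docs/shared-files/_requirements_ports_rke.md` hunk, two port numbers are wrong and one table row is broken, which matters because these tables are what people copy into firewall and security-group rules. In "etcd nodes - Outbound rules" the row `| TCP | 379|` must be `| TCP | 2379 |` (etcd client port, as in the inbound table and the controlplane outbound table). In "controlplane nodes - Inbound rules" the row `| UDP | 472 |` must be `| UDP | 8472 |` (Canal/Flannel VXLAN, as in every other table); as written, the overlay port would be left closed on control plane nodes. In "controlplane nodes - Outbound rules" the 10254 row is run onto the end of the 10250 row (`| kubelet | TCP | 10254 |`) and needs to start on its own line or the table ends at the kubelet row. Smaller points: the worker inbound 2376 description is missing the opening parenthesis before "only needed when using Node Driver/Templates)"; `ptables` in "Information on local node traffic" should read `iptables`; the multi-item Source/Destination cells appear here as bullets on separate lines, and a GFM table row cannot span lines, so if the file does not already use `<br/>` or `<ul><li>` markup inside those cells the rows will not render; and the separator rows mix `| --- |` and `| -------- |` styles, which is harmless but worth unifying.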