busy-pizza-73563 [04/25/2019, 12:59 PM]

white-balloon-205
443 as well, which `@pulumi/eks` does not currently enable. Does the service you are interested in really only work over port 80, or could it be exposed on port 443 if we fixed this to match the EKS recommended ingress/egress?
I am not sure of the underlying reason for constraining access to other lower port numbers from/to the control plane. cc @breezy-hamburger-69619 in case he has thoughts on this?

busy-pizza-73563 [04/25/2019, 1:54 PM]
`kubectl proxy` to services with ports lower than 1025... 🤷

breezy-hamburger-69619 [04/25/2019, 5:06 PM]
`nodeSecurityGroup` and `eksClusterIngressRule` into the `NodeGroup`: https://github.com/pulumi/pulumi-eks/blob/master/nodejs/eks/nodegroup.ts#L239

busy-pizza-73563 [04/25/2019, 6:48 PM]
> To take a step back though, the control plane subnet and the worker subnet should only be used for k8s cluster communications
As I said above, `kubectl proxy` (and the k8s proxy API subsystem, in general) needs connections from the control plane to a pod to be allowed. Just for the argument's sake, I really don't see why you won't allow proxying to ports lower than 1025.

creamy-potato-29402 [04/25/2019, 8:11 PM]

white-balloon-205
> Especially if it is as simple as supplying your own security group.
Even better, in the release coming out today, it is possible to just add an additional ingress rule to the existing security group to allow this specific access pattern.

creamy-potato-29402 [04/25/2019, 8:14 PM]

busy-pizza-73563 [04/25/2019, 8:15 PM]

creamy-potato-29402 [04/25/2019, 8:15 PM]

breezy-hamburger-69619 [04/25/2019, 8:16 PM]

creamy-potato-29402 [04/25/2019, 8:16 PM]

busy-pizza-73563 [04/25/2019, 8:17 PM]

creamy-potato-29402 [04/25/2019, 8:19 PM]

white-balloon-205

creamy-potato-29402 [04/25/2019, 8:19 PM]

breezy-hamburger-69619 [04/25/2019, 8:22 PM]
`nodeSecurityGroup` available to you so you can create separate secgroup rules to open what you need using its id

busy-pizza-73563 [04/25/2019, 8:24 PM]
<https://rancher.url/k8s/clusters/c-12345/api/v1/namespaces/cattle-prometheus/services/http:access-grafana:80/proxy/>, which in turn proxies to <https://k8s.url:port/api/v1/namespaces/cattle-prometheus/services/http:access-grafana:80/proxy/>.
`access-grafana` service is pointing to `:80` inside the corresponding pod(s).

creamy-potato-29402 [04/25/2019, 8:25 PM]

busy-pizza-73563 [04/25/2019, 8:26 PM]

creamy-potato-29402 [04/25/2019, 8:27 PM]

busy-pizza-73563 [04/25/2019, 8:27 PM]
`IP:80`.

creamy-potato-29402 [04/25/2019, 8:29 PM]

busy-pizza-73563 [04/25/2019, 8:32 PM]
`${name}-nodeSecurityGroup`, see https://github.com/pulumi/pulumi-eks/blob/master/nodejs/eks/securitygroup.ts#L57 .
> I’m super confused.
I was the same during that 1/2h looking for the issue. 🙂

creamy-potato-29402 [04/25/2019, 8:34 PM]

busy-pizza-73563 [04/25/2019, 8:35 PM]
`IP:1025-65536`.
`IP:80`.

creamy-potato-29402 [04/25/2019, 8:36 PM]

busy-pizza-73563 [04/25/2019, 8:37 PM]

creamy-potato-29402 [04/25/2019, 8:38 PM]

busy-pizza-73563 [04/25/2019, 8:38 PM]
`access-grafana:80` has endpoint `grafanaPodIP:80`; when proxying to the svc the API will try to connect to the pod.

creamy-potato-29402 [04/25/2019, 8:38 PM]

busy-pizza-73563 [04/25/2019, 8:39 PM]

breezy-hamburger-69619 [04/25/2019, 8:39 PM]

creamy-potato-29402 [04/25/2019, 8:40 PM]

busy-pizza-73563 [04/25/2019, 8:40 PM]

breezy-hamburger-69619 [04/25/2019, 8:41 PM]

creamy-potato-29402 [04/25/2019, 8:41 PM]

busy-pizza-73563 [04/25/2019, 8:42 PM]
`/api/v1/.../services/http:access-grafana:80/proxy/` I got
Error: 'dial tcp a.b.c.d:80: connect: connection timed out'
Trying to reach: '<http://a.b.c.d:80/>'
where `a.b.c.d` is the grafana pod IP.
`kubeadm` bare metal clusters.

breezy-hamburger-69619 [04/25/2019, 8:44 PM]

creamy-potato-29402 [04/25/2019, 8:45 PM]

busy-pizza-73563 [04/25/2019, 8:45 PM]

breezy-hamburger-69619 [04/25/2019, 8:46 PM]

busy-pizza-73563 [04/25/2019, 8:47 PM]

creamy-potato-29402 [04/25/2019, 8:47 PM]

busy-pizza-73563 [04/25/2019, 8:48 PM]

creamy-potato-29402 [04/25/2019, 8:49 PM]

busy-pizza-73563 [04/25/2019, 8:49 PM]
*Note*
To allow proxy functionality on privileged ports or to run the CNCF conformance tests yourself, you must edit the security groups for your control plane and the worker nodes. The security group on the worker nodes' side needs to allow inbound access for ports 0-65535 from the control plane, and the control plane side needs to allow outbound access to the worker nodes on ports 0-65535.

creamy-potato-29402 [04/25/2019, 8:53 PM]

busy-pizza-73563 [04/25/2019, 8:55 PM]

breezy-hamburger-69619 [04/25/2019, 8:59 PM]
`nodeSecurityGroup` for the `NodePool` that you can configure yourself entirely
2. get the id of the `nodeSecurityGroup` to build new secgroup rules, but this will be a step that occurs post-secgroup and cluster creation
3. Take a stab at https://github.com/pulumi/pulumi-eks/issues/97 and we can review and guide you through it if needed. Given that the secgroups and secgroup rules are now separated [1] this should be a bit more straightforward to implement.
--
1 - https://github.com/pulumi/pulumi-eks/pull/109

creamy-potato-29402 [04/25/2019, 9:04 PM]

busy-pizza-73563 [04/25/2019, 9:04 PM]

breezy-hamburger-69619 [04/25/2019, 9:05 PM]

busy-pizza-73563 [04/25/2019, 9:05 PM]