Fix k8s API server access on Nested deployment

The current LBaaS is not reachable at port 443 and the k8s API server
is not reachable at port 6443 by the VIP of the LBaaS.

This commit fixes the issue by creating a security group rule to allow
tcp traffic to reach the LBaaS and adding a security group allowing
tcp traffic from the service subnet to the port used by the overcloud VM.

Change-Id: I7ec087ad86f4491ed1678cdba13e3c19edb1568c
Closes-Bug: #1792488
maysa macedo 2018-10-11 23:21:32 -03:00
parent a85a02744e
commit 593e5a06b3
2 changed files with 20 additions and 0 deletions


@ -797,6 +797,21 @@ function create_ingress_l7_router {
fi
}
function configure_overcloud_vm_k8s_svc_sg {
local project_id
local security_group
project_id=$(get_or_create_project \
"$KURYR_NEUTRON_DEFAULT_PROJECT" default)
security_group=$(openstack security group list \
--project "$project_id" -c ID -c Name -f value | \
awk '{if ($2=="default") print $1}')
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
security group rule create --project "$project_id" \
--dst-port "$KURYR_K8S_API_LB_PORT" "$security_group"
openstack port set "$KURYR_OVERCLOUD_VM_PORT" --security-group service_pod_access
}
source $DEST/kuryr-kubernetes/devstack/lib/kuryr_kubernetes
# main loop
@ -898,6 +913,8 @@ if [[ "$1" == "stack" && "$2" == "extra" ]]; then
KURYR_CONFIGURE_BAREMETAL_KUBELET_IFACE=$(trueorfalse True KURYR_CONFIGURE_BAREMETAL_KUBELET_IFACE)
if [[ "$KURYR_CONFIGURE_BAREMETAL_KUBELET_IFACE" == "True" ]]; then
ovs_bind_for_kubelet "$KURYR_NEUTRON_DEFAULT_PROJECT" 6443
else
configure_overcloud_vm_k8s_svc_sg
fi
fi
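Review bot: The rule created in `configure_overcloud_vm_k8s_svc_sg` names neither a protocol nor a source, so both are left to the openstack client's defaults, and for an IPv4 rule the default remote is 0.0.0.0/0. Because the rule goes into the project's `default` security group, every port that uses that group accepts traffic on `$KURYR_K8S_API_LB_PORT` from any address, which is wider than the commit message's "tcp traffic to reach the LBaaS". I would state both explicitly and scope the source, e.g. `--protocol tcp --remote-ip <ALLOWED_CLIENT_CIDR> --dst-port "$KURYR_K8S_API_LB_PORT" "$security_group"`, where the CIDR is a placeholder for whichever subnet actually needs the API. The function should also stop with a clear error when the awk filter returns nothing, since an empty `$security_group` is otherwise passed straight to `rule create`.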


@ -109,3 +109,6 @@ KURYR_L7_ROUTER_NAME=${KURYR_L7_ROUTER_NAME:-kuryr-l7-router}
# Whether to use Python3
KURYR_CONTAINERS_USE_PY3=${KURYR_CONTAINERS_USE_PY3:-False}
# Kuryr overcloud VM port's name
KURYR_OVERCLOUD_VM_PORT=${KURYR_OVERCLOUD_VM_PORT:-port0}
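Review bot: The comment on `KURYR_OVERCLOUD_VM_PORT` does not say that the value is looked up by `openstack port set` and that a security group is attached to whatever port it resolves to. Neutron port names are not unique and `port0` is a generic default, so I would document that the setting must identify exactly one port and that a port ID is accepted: `# Name or ID of the overcloud VM's Neutron port (nested deployments); must match exactly one port`.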