Fix k8s API server access on Nested deployment
The current LBaaS is not reachable at port 443 and the k8s API server is not reachable at port 6443 by the VIP of the LBaaS. This commit fixes the issue by creating a security group rule to allow tcp traffic to reach the LBaaS and adding a security group allowing tcp traffic from the service subnet to the port used by the overcloud VM. Change-Id: I7ec087ad86f4491ed1678cdba13e3c19edb1568c Closes-Bug: #1792488
parent
a85a02744e
commit
593e5a06b3
|
@ -797,6 +797,21 @@ function create_ingress_l7_router {
|
|||
fi
|
||||
}
|
||||
|
||||
function configure_overcloud_vm_k8s_svc_sg {
|
||||
local project_id
|
||||
local security_group
|
||||
|
||||
project_id=$(get_or_create_project \
|
||||
"$KURYR_NEUTRON_DEFAULT_PROJECT" default)
|
||||
security_group=$(openstack security group list \
|
||||
--project "$project_id" -c ID -c Name -f value | \
|
||||
awk '{if ($2=="default") print $1}')
|
||||
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
|
||||
security group rule create --project "$project_id" \
|
||||
--dst-port "$KURYR_K8S_API_LB_PORT" "$security_group"
|
||||
openstack port set "$KURYR_OVERCLOUD_VM_PORT" --security-group service_pod_access
|
||||
}
|
||||
|
||||
source $DEST/kuryr-kubernetes/devstack/lib/kuryr_kubernetes
|
||||
|
||||
# main loop
|
||||
|
@ -898,6 +913,8 @@ if [[ "$1" == "stack" && "$2" == "extra" ]]; then
|
|||
KURYR_CONFIGURE_BAREMETAL_KUBELET_IFACE=$(trueorfalse True KURYR_CONFIGURE_BAREMETAL_KUBELET_IFACE)
|
||||
if [[ "$KURYR_CONFIGURE_BAREMETAL_KUBELET_IFACE" == "True" ]]; then
|
||||
ovs_bind_for_kubelet "$KURYR_NEUTRON_DEFAULT_PROJECT" 6443
|
||||
else
|
||||
configure_overcloud_vm_k8s_svc_sg
|
||||
fi
|
||||
fi
|
||||
|
||||
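Review bot: The rule created in `configure_overcloud_vm_k8s_svc_sg` names no protocol, direction or source, so on the project's `default` group it relies on the client's defaults and, with no remote given, admits the API load-balancer port from any address (the CLI's default remote is 0.0.0.0/0). The commit message speaks of tcp traffic only, so I would state that explicitly and bound the source, e.g. `--protocol tcp --ingress --remote-ip "<allowed-cidr>" \` ahead of `--dst-port "$KURYR_K8S_API_LB_PORT" "$security_group"`. `security_group` is also used unchecked: if the awk filter matches no group, or more than one, the rule create runs with an empty or multi-line argument, so a guard such as `[[ -n "$security_group" ]] || { echo "default security group not found" >&2; return 1; }` before the call would fail clearly. The final `openstack port set` refers to `service_pod_access` by name and its creation is not visible in this hunk, so the call presumably depends on an earlier step having created it in the same project.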
|
|
|
@ -109,3 +109,6 @@ KURYR_L7_ROUTER_NAME=${KURYR_L7_ROUTER_NAME:-kuryr-l7-router}
|
|||
|
||||
# Whether to use Python3
|
||||
KURYR_CONTAINERS_USE_PY3=${KURYR_CONTAINERS_USE_PY3:-False}
|
||||
|
||||
# Kuryr overcloud VM port's name
|
||||
KURYR_OVERCLOUD_VM_PORT=${KURYR_OVERCLOUD_VM_PORT:-port0}
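Review bot: The comment on `KURYR_OVERCLOUD_VM_PORT` does not say what the port is used for or that it is looked up by name. In the plugin change of this commit the value is passed to `openstack port set ... --security-group service_pod_access`, so whichever port it resolves to has its security groups changed, and Neutron does not require port names to be unique. I would expand the comment to something like `# Name or ID of the overcloud VM's Neutron port (nested deployments); the service_pod_access security group is attached to it, so it must identify exactly one port`.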
|
||||
|
|