diff --git a/config.tf b/config.tf
index 3d14025ba71..aa98e9865bf 100644
--- a/config.tf
+++ b/config.tf
@@ -61,18 +61,18 @@ variable "tectonic_container_images" {
 awscli = "quay.io/coreos/awscli:025a357f05242fdad6a81e8a6b520098aa65a600"
 gcloudsdk = "google/cloud-sdk:178.0.0-alpine"
 bootkube = "quay.io/coreos/bootkube:v0.10.0"
- tnc_operator = "quay.io/coreos/tectonic-node-controller-operator-dev:df42b97af403702013f4739fc82cd005cfd0c766"
+ tnc_operator = "quay.io/coreos/tectonic-node-controller-operator-dev:6705af4bcf26f899e347c88ffddc892a236648e4"
 etcd_cert_signer = "quay.io/coreos/kube-etcd-signer-server:678cc8e6841e2121ebfdb6e2db568fce290b67d6"
 etcd = "quay.io/coreos/etcd:v3.2.14"
 hyperkube = "openshift/origin-node:latest"
- kube_core_renderer = "quay.io/coreos/kube-core-renderer-dev:df42b97af403702013f4739fc82cd005cfd0c766"
- kube_core_operator = "quay.io/coreos/kube-core-operator-dev:df42b97af403702013f4739fc82cd005cfd0c766"
- tectonic_channel_operator = "quay.io/coreos/tectonic-channel-operator-dev:df42b97af403702013f4739fc82cd005cfd0c766"
- kube_addon_operator = "quay.io/coreos/kube-addon-operator-dev:df42b97af403702013f4739fc82cd005cfd0c766"
+ kube_core_renderer = "quay.io/coreos/kube-core-renderer-dev:6705af4bcf26f899e347c88ffddc892a236648e4"
+ kube_core_operator = "quay.io/coreos/kube-core-operator-dev:6705af4bcf26f899e347c88ffddc892a236648e4"
+ tectonic_channel_operator = "quay.io/coreos/tectonic-channel-operator-dev:6705af4bcf26f899e347c88ffddc892a236648e4"
+ kube_addon_operator = "quay.io/coreos/kube-addon-operator-dev:6705af4bcf26f899e347c88ffddc892a236648e4"
 tectonic_alm_operator = "quay.io/coreos/tectonic-alm-operator:v0.3.1"
- tectonic_ingress_controller_operator = "quay.io/coreos/tectonic-ingress-controller-operator-dev:df42b97af403702013f4739fc82cd005cfd0c766"
- tectonic_utility_operator = "quay.io/coreos/tectonic-utility-operator-dev:df42b97af403702013f4739fc82cd005cfd0c766"
- tectonic_network_operator = "quay.io/coreos/tectonic-network-operator-dev:df42b97af403702013f4739fc82cd005cfd0c766"
+ tectonic_ingress_controller_operator = "quay.io/coreos/tectonic-ingress-controller-operator-dev:6705af4bcf26f899e347c88ffddc892a236648e4"
+ tectonic_utility_operator = "quay.io/coreos/tectonic-utility-operator-dev:6705af4bcf26f899e347c88ffddc892a236648e4"
+ tectonic_network_operator = "quay.io/coreos/tectonic-network-operator-dev:6705af4bcf26f899e347c88ffddc892a236648e4"
 }
 }
diff --git a/examples/tectonic.aws.yaml b/examples/tectonic.aws.yaml
index 373bf986c07..918cb89aa31 100644
--- a/examples/tectonic.aws.yaml
+++ b/examples/tectonic.aws.yaml
@@ -259,7 +259,7 @@ networking:
 # - "calico-ipip": [ALPHA] enables BGP based networking. Routing and network policy is implemented by Calico. Note this has been tested on baremetal installations only.
 #
 # - "none": disables the installation of any Pod level networking layer provided by Tectonic. By setting this value, users are expected to deploy their own solution to enable network connectivity for Pods and Services.
- # type: canal
+ # type: flannel
 nodePools:
 # The number of etcd nodes to be created.
diff --git a/examples/tectonic.libvirt.yaml b/examples/tectonic.libvirt.yaml
index eaaeaa87e3b..fbd741582bc 100644
--- a/examples/tectonic.libvirt.yaml
+++ b/examples/tectonic.libvirt.yaml
@@ -93,8 +93,7 @@ networking:
 # - "calico-ipip": [ALPHA] enables BGP based networking. Routing and network policy is implemented by Calico. Note this has been tested on baremetal installations only.
 #
 # - "none": disables the installation of any Pod level networking layer provided by Tectonic. By setting this value, users are expected to deploy their own solution to enable network connectivity for Pods and Services.
- type: canal
- mtu: 1480
+ # type: flannel
 nodePools:
 # The number of etcd nodes to be created.
diff --git a/installer/pkg/config/cluster.go b/installer/pkg/config/cluster.go
index 590449a6797..f29fdc41ed3 100644
--- a/installer/pkg/config/cluster.go
+++ b/installer/pkg/config/cluster.go
@@ -69,7 +69,7 @@ var defaultCluster = Cluster{
 MTU: "1480",
 PodCIDR: "10.2.0.0/16",
 ServiceCIDR: "10.3.0.0/16",
- Type: tectonicnetwork.NetworkCanal,
+ Type: tectonicnetwork.NetworkFlannel,
 },
 }
diff --git a/modules/aws/vpc/sg-etcd.tf b/modules/aws/vpc/sg-etcd.tf
index 58ccd6536cb..3b546050427 100644
--- a/modules/aws/vpc/sg-etcd.tf
+++ b/modules/aws/vpc/sg-etcd.tf
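Review bot: The new default `Type: tectonicnetwork.NetworkFlannel` changes the security posture of every cluster that accepts the default, and nothing in this hunk or the example files documents that. Flannel is an overlay only; if `NetworkCanal` was the flannel-plus-Calico-policy combination (the example comment in this diff states only that the calico-ipip option has policy implemented by Calico, so this is inferred), NetworkPolicy objects stop being enforced on default installs without any error. I'd put a comment on the field, `// Flannel provides pod connectivity only and enforces no NetworkPolicy; choose canal or calico-ipip when policy enforcement is required.`, and call the default change out in the release notes. The `defaultCluster` literal starts above this hunk.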
@@ -6,44 +6,104 @@ resource "aws_security_group" "etcd" {
 "kubernetes.io/cluster/${var.cluster_name}", "owned",
 "tectonicClusterID", "${var.cluster_id}"
 ), var.extra_tags)}"
+}
+
+resource "aws_security_group_rule" "etcd_egress" {
+ type = "egress"
+ security_group_id = "${aws_security_group.etcd.id}"
+
+ from_port = 0
+ cidr_blocks = ["0.0.0.0/0"]
+ to_port = 0
+ protocol = "-1"
+}
+
+resource "aws_security_group_rule" "etcd_ingress_icmp" {
+ type = "ingress"
+ security_group_id = "${aws_security_group.etcd.id}"
+
+ protocol = "icmp"
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 0
+ to_port = 0
+}
+
+resource "aws_security_group_rule" "etcd_ingress_ssh" {
+ type = "ingress"
+ security_group_id = "${aws_security_group.etcd.id}"
+
+ protocol = "tcp"
+ from_port = 22
+ to_port = 22
+ self = true
+}
+
+resource "aws_security_group_rule" "etcd_ingress_etcd" {
+ type = "ingress"
+ security_group_id = "${aws_security_group.etcd.id}"
+
+ protocol = "tcp"
+ from_port = 2379
+ to_port = 2379
+ self = true
+}
+
+resource "aws_security_group_rule" "etcd_ingress_peer" {
+ type = "ingress"
+ security_group_id = "${aws_security_group.etcd.id}"
+
+ protocol = "tcp"
+ from_port = 2380
+ to_port = 2380
+ self = true
+}
+
+resource "aws_security_group_rule" "etcd_ingress_flannel" {
+ type = "ingress"
+ security_group_id = "${aws_security_group.etcd.id}"
+
+ protocol = "udp"
+ from_port = 4789
+ to_port = 4789
+ self = true
+}
+
+resource "aws_security_group_rule" "etcd_ingress_flannel_from_master" {
+ type = "ingress"
+ security_group_id = "${aws_security_group.etcd.id}"
+ source_security_group_id = "${aws_security_group.master.id}"
+
+ protocol = "udp"
+ from_port = 4789
+ to_port = 4789
+}
+
+resource "aws_security_group_rule" "etcd_ingress_flannel_from_worker" {
+ type = "ingress"
+ security_group_id = "${aws_security_group.etcd.id}"
+ source_security_group_id = "${aws_security_group.worker.id}"
+
+ protocol = "udp"
+ from_port = 4789
+ to_port = 4789
+}
+
+resource "aws_security_group_rule" "etcd_ingress_from_master" {
+ type = "ingress"
+ security_group_id = "${aws_security_group.etcd.id}"
+ source_security_group_id = "${aws_security_group.master.id}"
+
+ protocol = "tcp"
+ from_port = 0
+ to_port = 65535
+}
+
+resource "aws_security_group_rule" "etcd_ingress_from_worker" {
+ type = "ingress"
+ security_group_id = "${aws_security_group.etcd.id}"
+ source_security_group_id = "${aws_security_group.worker.id}"
 
- egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- self = true
- cidr_blocks = ["0.0.0.0/0"]
- }
-
- ingress {
- protocol = "icmp"
- cidr_blocks = ["0.0.0.0/0"]
- from_port = 0
- to_port = 0
- }
-
- ingress {
- protocol = "tcp"
- from_port = 22
- to_port = 22
- self = true
-
- security_groups = ["${aws_security_group.master.id}"]
- }
-
- ingress {
- protocol = "tcp"
- from_port = 2379
- to_port = 2379
- self = true
-
- security_groups = ["${aws_security_group.master.id}"]
- }
-
- ingress {
- protocol = "tcp"
- from_port = 2380
- to_port = 2380
- self = true
- }
+ protocol = "tcp"
+ from_port = 0
+ to_port = 65535
 }
diff --git a/modules/aws/vpc/sg-master.tf b/modules/aws/vpc/sg-master.tf
index f3f0ddb9fed..bae531f2843 100644
--- a/modules/aws/vpc/sg-master.tf
+++ b/modules/aws/vpc/sg-master.tf
@@ -98,6 +98,16 @@ resource "aws_security_group_rule" "master_ingress_flannel" {
 self = true
 }
 
+resource "aws_security_group_rule" "master_ingress_flannel_from_etcd" {
+ type = "ingress"
+ security_group_id = "${aws_security_group.master.id}"
+ source_security_group_id = "${aws_security_group.etcd.id}"
+
+ protocol = "udp"
+ from_port = 4789
+ to_port = 4789
+}
+
 resource "aws_security_group_rule" "master_ingress_flannel_from_worker" {
 type = "ingress"
 security_group_id = "${aws_security_group.master.id}"
@@ -207,3 +217,13 @@ resource "aws_security_group_rule" "master_ingress_services_from_console" {
 from_port = 30000
 to_port = 32767
 }
+
+resource "aws_security_group_rule" "master_ingress_from_etcd" {
+ type = "ingress"
+ security_group_id = "${aws_security_group.master.id}"
+ source_security_group_id = "${aws_security_group.etcd.id}"
+
+ protocol = "tcp"
+ from_port = 0
+ to_port = 65535
+}
diff --git a/modules/aws/vpc/sg-worker.tf b/modules/aws/vpc/sg-worker.tf
index 32b5bb8d6cd..fcb6c0b9ce0 100644
--- a/modules/aws/vpc/sg-worker.tf
+++ b/modules/aws/vpc/sg-worker.tf
@@ -88,6 +88,16 @@ resource "aws_security_group_rule" "worker_ingress_flannel" {
 self = true
 }
 
+resource "aws_security_group_rule" "worker_ingress_flannel_from_etcd" {
+ type = "ingress"
+ security_group_id = "${aws_security_group.worker.id}"
+ source_security_group_id = "${aws_security_group.etcd.id}"
+
+ protocol = "udp"
+ from_port = 4789
+ to_port = 4789
+}
+
 resource "aws_security_group_rule" "worker_ingress_flannel_from_master" {
 type = "ingress"
 security_group_id = "${aws_security_group.worker.id}"
@@ -177,3 +187,13 @@ resource "aws_security_group_rule" "worker_ingress_services_from_console" {
 from_port = 30000
 to_port = 32767
 }
+
+resource "aws_security_group_rule" "etcd_ingress_from_etcd" {
+ type = "ingress"
+ security_group_id = "${aws_security_group.etcd.id}"
+ source_security_group_id = "${aws_security_group.etcd.id}"
+
+ protocol = "tcp"
+ from_port = 0
+ to_port = 65535
+}
diff --git a/modules/bootkube/resources/bootkube.sh b/modules/bootkube/resources/bootkube.sh
index eaecb9b4ff2..6c718287613 100644
--- a/modules/bootkube/resources/bootkube.sh
+++ b/modules/bootkube/resources/bootkube.sh
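Review bot: `master_ingress_from_etcd` grants the etcd security group every TCP port on the masters, yet the only etcd-to-master traffic this diff introduces elsewhere is the single 4789/udp flannel rule (`master_ingress_flannel_from_etcd`). A catch-all in this direction means a compromised etcd instance reaches the API server, the kubelet and every host port on the masters with no further network boundary. I'd narrow it to the ports the etcd nodes actually need on the masters (the API server port if they now run a kubelet that registers with it — not determinable from this diff), or at minimum leave a marker, `# TODO: narrow to the master ports etcd nodes need; 0-65535 is a bootstrap stopgap.`, so the rule is not mistaken for deliberate policy.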
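Review bot: `etcd_ingress_from_etcd` is declared in sg-worker.tf but attaches to `aws_security_group.etcd` with the etcd group as its source, so anyone auditing the etcd policy in sg-etcd.tf will not see it; it belongs next to the other `etcd_ingress_*` rules. It is also an all-TCP etcd-to-etcd rule, which makes the narrow `self = true` rules for 22, 2379 and 2380 in sg-etcd.tf redundant, so the effective peer policy is "every port" while that file still reads as three ports. I'd move this resource into sg-etcd.tf and, if unrestricted peer TCP is really required, either drop the now-dead narrow rules or add `# Supersedes the per-port self rules above.` so the intent is explicit.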
@@ -5,8 +5,8 @@ echo "Rendering Kubernetes core manifests..."
 
 # shellcheck disable=SC2154
 /usr/bin/docker run \
- --volume "$(pwd)":/assets \
- --volume /etc/kubernetes:/etc/kubernetes \
+ --volume "$(pwd)":/assets:z \
+ --volume /etc/kubernetes:/etc/kubernetes:z \
 "${kube_core_renderer_image}" \
 --config=/assets/kco-config.yaml \
 --output=/assets
@@ -16,7 +16,7 @@ echo "Rendering TNC manifests..."
 # shellcheck disable=SC2154
 /usr/bin/docker run \
 --user 0 \
- --volume "$(pwd)":/assets \
+ --volume "$(pwd)":/assets:z \
 "${tnc_operator_image}" \
 --config=/assets/tnco-config.yaml \
 --render-bootstrap=true \
@@ -37,7 +37,7 @@ echo "Starting etcd certificate signer..."
 # shellcheck disable=SC2154,SC2034
 signer_id=$(/usr/bin/docker run -d \
 --tmpfs /tmp \
- --volume /opt/tectonic/tls:/opt/tectonic/tls:ro \
+ --volume /opt/tectonic/tls:/opt/tectonic/tls:ro,z \
 --network host \
 "${etcd_cert_signer_image}" \
 serve \
@@ -61,7 +61,7 @@ while true; do
 --rm \
 --name etcdctl \
 --env ETCDCTL_API=3 \
- --volume /opt/tectonic/tls:/opt/tectonic/tls:ro \
+ --volume /opt/tectonic/tls:/opt/tectonic/tls:ro,z \
 "${etcdctl_image}" \
 /usr/local/bin/etcdctl \
 --dial-timeout=10m \
@@ -96,8 +96,8 @@ echo "Starting bootkube..."
 
 # shellcheck disable=SC2154
 /usr/bin/docker run \
- --volume "$(pwd)":/assets \
- --volume /etc/kubernetes:/etc/kubernetes \
+ --volume "$(pwd)":/assets:z \
+ --volume /etc/kubernetes:/etc/kubernetes:z \
 --network=host \
 --entrypoint=/bootkube \
 "${bootkube_image}" \
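Review bot: The `:z` suffix on `/etc/kubernetes:z` and `/opt/tectonic/tls:ro,z` makes Docker recursively relabel those host directories with the shared SELinux container label, and that relabel outlives these bootstrap containers: afterwards the SELinux barrier is gone for any other confined container that later gets the same path mounted (for example through a hostPath), which for `/opt/tectonic/tls` means the material the certificate signer serves from. `:ro` does not change that, since it only constrains this mount, not the label left on the host. `:Z` (a private per-container label) is not a drop-in alternative here because the signer is started detached and the etcdctl loop mounts the same directory concurrently, so the second relabel would lock the first container out — which is worth stating in the script. I'd add a comment above the first relabelled mount, `# ':z' relabels the host dir for shared container access; the label persists after bootstrap.`, and consider a `restorecon -R /opt/tectonic/tls /etc/kubernetes` once bootkube has finished (outside these hunks). Each hunk is one `docker run` whose argument list continues beyond the hunk.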