Re: OpenShift SDN

On 01/14/2016 05:54 PM, Srinivas Naga Kotaru (skotaru) wrote:
> Dan
> One question
> Masters also using same port for VXLAN communication with nodes
> right? If we block the port from internal and external subnets
> but if we put masters in internal network, they won't be able to
> talk to external nodes or vice versa right?

The VXLAN is only used for communication with *pods*. So in that
situation, the master wouldn't directly be able to reach pods on
external nodes, but that may or may not be a problem. (There is some
reason that we make the master also be a node by default, which has
something to do with some tool which wants to have access to the pods,
but I don't remember what that is.)

Master<->Node communication (eg, to launch new pods, etc) happens by the
nodes connecting to port 8443 on the master, so wherever the master is,
both kinds of nodes need to be able to reach that port.

> One solution could be put masters in another subnet and control
> access between master, internal and external subnets. Any other
> better approach without doing this?

Sure. Or just have some firewall holes specific to the master.

-- Dan
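As an added check that is not part of the thread: a small Python model of the flows Dan describes (every node reaches the master on TCP 8443, and nodes reach each other on the VXLAN port, which the thread does not name, so UDP 4789 is assumed here), run against a constructed rule set that blocks VXLAN between the internal and external subnets. The topology, subnets and rules are constructed sample data, not taken from any real cluster.

```python
"""Report which cluster flows a firewall rule set fails to permit."""
from ipaddress import ip_address, ip_network

# The thread does not state the VXLAN port; UDP 4789 is an assumption.
VXLAN_PORT = ("udp", 4789)
MASTER_API_PORT = ("tcp", 8443)   # nodes connect *to* the master on this port

# Constructed topology: master in the internal subnet, nodes on both sides.
SUBNETS = {"internal": ip_network("10.0.0.0/24"),
           "external": ip_network("192.168.10.0/24")}
HOSTS = {                          # name -> (address, roles)
    "master": ("10.0.0.5", {"master"}),      # master that is not also a node
    "node-int": ("10.0.0.20", {"node"}),
    "node-ext": ("192.168.10.20", {"node"}),
}
# Constructed rules: (src_subnet, dst_subnet, proto, port). VXLAN is kept
# inside each subnet, as the question proposes; no master-specific hole yet.
RULES = [
    ("internal", "internal", "udp", 4789),
    ("external", "external", "udp", 4789),
    ("internal", "internal", "tcp", 8443),
]

def subnet_of(ip):
    addr = ip_address(ip)
    return next(name for name, net in SUBNETS.items() if addr in net)

def allowed(rules, src_ip, dst_ip, proto, port):
    """True if some rule permits src -> dst on proto/port (subnet granularity)."""
    s, d = subnet_of(src_ip), subnet_of(dst_ip)
    return (s, d, proto, port) in rules

def required_flows(hosts):
    """Yield (src, dst, proto, port) the cluster needs. A master only takes
    part in VXLAN if it also carries the node role (the default Dan mentions)."""
    masters = [n for n, (_, roles) in hosts.items() if "master" in roles]
    nodes = [n for n, (_, roles) in hosts.items() if "node" in roles]
    for n in nodes:
        for m in masters:
            if n != m:
                yield (n, m) + MASTER_API_PORT
        for other in nodes:
            if n != other:
                yield (n, other) + VXLAN_PORT

def missing_flows(hosts, rules):
    """Required flows that no rule permits; empty means the rule set suffices."""
    return [f for f in required_flows(hosts)
            if not allowed(rules, hosts[f[0]][0], hosts[f[1]][0], f[2], f[3])]
```

With RULES as given, the external node cannot reach the master's 8443 and the two nodes cannot exchange pod traffic; adding a single ("external", "internal", "tcp", 8443) rule, the master-specific hole Dan suggests, leaves only the cross-subnet VXLAN flows unmet, which matters only for pods.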

