On Fri, Jan 15, 2016 at 9:35 AM, Dan Winship <[email protected]> wrote:
> On 01/14/2016 05:54 PM, Srinivas Naga Kotaru (skotaru) wrote:
>> Dan
>>
>> One question
>>
>> Masters also using same port for VXLAN communication with nodes
>> right? If we block the port from internal and external subnets
>> but if we put masters in internal network, they won't be able to
>> talk to external nodes or vice versa right?
>
> The VXLAN is only used for communication with *pods*. So in that
> situation, the master wouldn't directly be able to reach pods on
> external nodes, but that may or may not be a problem. (There is some
> reason that we make the master also be a node by default, which has
> something to do with some tool which wants to have access to the pods,
> but I don't remember what that is.)

If the Masters can't reach Pods then the Web Console integration with java Pods (via jolokia) won't work.

> Master<->Node communication (eg, to launch new pods, etc) happens by the
> nodes connecting to port 8443 on the master, so wherever the master is,
> both kinds of nodes need to be able to reach that port.
>
>> One solution could be put masters in another subnet and control
>> access between master, internal and external subnets. Any other
>> better approach without doing this?
>
> Sure. Or just have some firewall holes specific to the master.
>
> -- Dan
>
> _______________________________________________
> dev mailing list
> [email protected]
> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
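The firewall layout the thread converges on (nodes in both subnets reach the master on port 8443, VXLAN allowed only between pod-hosting nodes, the master optionally doubling as a node) can be written down as an explicit rule set. The script below is an added example, not code from the thread or from OpenShift: the subnets and the master address are constructed values, and the VXLAN port 4789 is OpenShift SDN's default rather than a number the thread states. By default it only prints the iptables commands; set APPLY=1 to execute them on a host.

```shell
#!/bin/sh
# Added example (not from the thread): generate host firewall rules for an
# OpenShift master that must accept TCP 8443 from both node subnets, while the
# VXLAN pod overlay is reachable only from node hosts. Addresses and subnets
# below are assumed sample values; the thread names only port 8443.

MASTER_IP="${MASTER_IP:-10.0.0.10}"              # assumed master address
INTERNAL_NODES="${INTERNAL_NODES:-10.0.1.0/24}"  # assumed internal node subnet
EXTERNAL_NODES="${EXTERNAL_NODES:-192.0.2.0/24}" # assumed external node subnet
API_PORT=8443                                    # master port named in the thread
VXLAN_PORT="${VXLAN_PORT:-4789}"                 # OpenShift SDN default; not in the thread

# Print the rule unless APPLY=1, in which case run iptables for real.
rule() {
  if [ "${APPLY:-0}" = 1 ]; then
    iptables "$@"
  else
    printf 'iptables %s\n' "$*"
  fi
}

# Rules for the master: every node, internal or external, must reach 8443;
# everything else is dropped on that port ("firewall holes specific to the master").
master_rules() {
  for subnet in "$INTERNAL_NODES" "$EXTERNAL_NODES"; do
    rule -A INPUT -p tcp -s "$subnet" -d "$MASTER_IP" --dport "$API_PORT" -j ACCEPT
  done
  rule -A INPUT -p tcp -d "$MASTER_IP" --dport "$API_PORT" -j DROP
}

# Rules for any host that runs pods: VXLAN is pod-to-pod traffic only, so accept
# it from node subnets and drop it from anywhere else.
node_rules() {
  for subnet in "$INTERNAL_NODES" "$EXTERNAL_NODES"; do
    rule -A INPUT -p udp -s "$subnet" --dport "$VXLAN_PORT" -j ACCEPT
  done
  rule -A INPUT -p udp --dport "$VXLAN_PORT" -j DROP
}

# A master that is also a node (the default the thread mentions) needs both sets,
# otherwise it cannot reach pods on either subnet.
master_node_rules() {
  master_rules
  node_rules
}

# Number of ACCEPT rules the combined set contains (two subnets x two ports).
count_accepts() {
  master_node_rules | grep -c -- '-j ACCEPT'
}

master_node_rules
```

If the master is placed in its own subnet instead, only the `-s` values change; the point the rule set makes visible is that 8443 must be open from both node populations regardless of where the master sits, whereas the VXLAN port never needs to be open to anything but node hosts.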
