Puppet Class: role::toollabs::k8s::worker

Defined in:
modules/role/manifests/toollabs/k8s/worker.pp

Overview

filtertags: labs-project-tools



# File 'modules/role/manifests/toollabs/k8s/worker.pp', line 2

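# Kubernetes worker node for the Tools project.
#
# Brings in the toollabs base/infrastructure profiles, flannel overlay
# networking backed by the etcd hosts from hiera('flannel::etcd_hosts'),
# a pinned Docker engine with its storage and flannel integration, and the
# kubernetes node profile (kubelet) with CNI disabled and the production
# firewall profile turned off.
#
# Firewall posture: the kubelet API port (10250) and its read-only port
# (10255) are reachable only from the hosts in hiera('k8s::master_hosts');
# every other TCP port is opened to 10.0.0.0/8 and 172.16.0.0/21, relying on
# the OpenStack security groups to narrow that down to the tools project.
class role::toollabs::k8s::worker {

    include ::toollabs::base
    include ::toollabs::infrastructure
    include ::profile::base::firewall
    include ::toollabs::ferm_handlers

    # Turn the bare etcd hostnames from hiera into a comma-separated list of
    # "https://<host>:2379" endpoints, i.e. TLS on the etcd client port.
    $flannel_etcd_url = join(prefix(suffix(hiera('flannel::etcd_hosts'), ':2379'), 'https://'), ',')

    class { '::k8s::flannel':
        etcd_endpoints => $flannel_etcd_url,
    }

    # Pinned so the engine and the docker/flannel integration below are
    # configured for the same Docker release.
    $docker_version = '1.12.6-0~debian-jessie'

    class { '::profile::docker::storage':
        physical_volumes => '/dev/vda4',
        vg_to_remove     => 'vd',
    }

    # Docker's own iptables and ip-masq management is disabled; the host
    # rules are owned by flannel and the ferm rules further down (presumably
    # — confirm against profile::docker::flannel). live-restore keeps running
    # containers up across daemon restarts. The service is not declared here
    # because the flannel integration manages it.
    class { '::profile::docker::engine':
        settings        => {
            'iptables'     => false,
            'ip-masq'      => false,
            'live-restore' => true,
        },
        version         => $docker_version,
        declare_service => false,
        require         => Class['::profile::docker::storage'],
    }

    class { '::profile::docker::flannel':
        docker_version => $docker_version,
        require        => Class['::profile::docker::engine'],
    }

    # Quoted like the other Class[] references above so the reference is a
    # plain string rather than a bare qualified name.
    class { '::profile::kubernetes::node':
        use_cni        => false,
        infra_pod      => 'docker-registry.tools.wmflabs.org/pause:2.0',
        require        => Class['::profile::docker::flannel'],
        prod_firewalls => false,
    }

    # Firewall!  Kubelet opens some scary ports to the outside world,
    #  so this class just closes those particular ports whilst leaving everything
    #  else in the hands of the OpenStack security groups.
    #
    # The kubelet ports are restricted to the k8s masters. ferm's @resolve()
    # turns the hostnames into addresses when the rules are loaded, so a DNS
    # change for a master only takes effect once ferm is reloaded.
    $master_hosts = hiera('k8s::master_hosts')
    $master_hosts_ferm = join($master_hosts, ' ')

    # Kubelet API (exec/logs/metrics): masters only.
    ferm::service { 'tools-kubelet-http':
        proto  => 'tcp',
        port   => '10250',
        srange => "@resolve((${master_hosts_ferm}))",
    }
    # Kubelet read-only port, scraped by prometheus on the masters.
    ferm::service { 'tools-kubelet-http-readonly-prometheus':
        proto  => 'tcp',
        port   => '10255',
        srange => "@resolve((${master_hosts_ferm}))",
    }

    # flannel VXLAN overlay traffic (UDP only; the TCP allow-lists below are
    # unrelated to it).
    ferm::service { 'flannel-vxlan':
        proto => udp,
        port  => 8472,
    }

    # We really only want to be this permissive for other tools hosts.
    #  Fortunately there's a nova-network security rule overlaying this
    #  one which limits this permissive policy to things within the tools
    #  project.
    #
    # Ideally this will get winnowed down as time passes, but for the
    #  moment I just really want to get the above things properly closed off
    #
    # The port ranges deliberately leave out 10250 and 10255 so that only the
    # master-restricted rules above can admit traffic to the kubelet. Keep the
    # two rules' port lists identical if either is changed.
    ferm::rule {'rest-of-eqiad-region':
        rule => 'saddr 10.0.0.0/8 proto tcp dport (1:8472 8473:10249 10251:10254 10256:65535) ACCEPT;'
    }
    ferm::rule {'rest-of-eqiad1-region':
        rule => 'saddr 172.16.0.0/21 proto tcp dport (1:8472 8473:10249 10251:10254 10256:65535) ACCEPT;'
    }
}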