Advanced cluster configuration

Metakube will by default create all resources in SysEleven Stack it needs for a cluster.
You may want to manage them yourself, if you have special requirements.

Metakube may not prevent you from misconfiguring the network.
If you're unsure of what you need, please contact our support.

OpenStack Security Groups

The Security Group created by default will allow the following traffic to/from your nodes:

  • Any UCP, TCP egress
  • Any UDP, TCP ingress between your nodes
  • Any TCP ingress to port 22 for SSH (Nodes without floating IPs are still not internet routable and ssh password authentication is disabled)
  • Any TCP ingress from the node subnet on high ports 30000 to 32767
    • This allows Octavia Load Balancers managed by Kubernetes to forward traffic to the nodes on the high ports used by NodePort (and LoadBalancer) type services.

Do not modify the Security Group created by MetaKube (metakube-<cluster-id>).
It is managed by SysEleven and might receive automatic changes.

Openstack has a Security Group called default. This Security Group allows egress and traffic between members of the Security Group.
It's not suitable for MetaKube clusters, since Octavia Load Balancers managed by Kubernetes won't work.

Please do not alter the rules in that Security Group!

OpenStack Network ID

You may want to use an existing OpenStack network if you want more control over settings such as router configuration.

MetaKube currently does not support IPv6 or mixed networks.

OpenStack Subnet ID

This option is mutually exclusive with specifying a subnet CIDR.

This option is only available in the MetaKube Terraform Provider.

You may specify an existing OpenStack subnet for your nodes.

Only consider this option if you require more IPs for Kubernetes nodes or if the IP range collides with another network e.g. that's connected through VPN.

Having multiple subnets in the OpenStack network leads to unexpected behavior.
See details below.

Subnet CIDR

This option is mutually exclusive with specifying an existing subnet.

If specified, MetaKube will create a subnet with the given CIDR.

By default, the nodes will be deployed in a subnet with the IP range.
That may collide with other networks you control that need to be routable without NAT.
Or you may require a bigger IP space for more worker nodes.
You can change the IP range for the node subnet to a CIDR of your choice.

Having multiple subnets in the OpenStack network leads to unexpected behavior.
See details below.

Caveat: Multiple subnets

The choice of the subnet in which ports will be allocated is not deterministic, if the network contains multiple subnets.

This is a limitation of the OpenStack API that currently doesn't support specifying a certain subnet for an instance.

As a potential workaround, one can create two networks connected with a router.
Use one network for a MetaKube cluster and the other for other VMs.