Advanced cluster configuration

By default, Metakube creates all the SysEleven Stack resources it needs for a cluster.
If you have special requirements, you may want to manage them yourself.

Metakube may not prevent you from misconfiguring the network.
If you're unsure of what you need, please contact our support.

Security Groups

The Security Group created by default will allow the following traffic to/from your nodes:

  • Any UDP, TCP egress
  • Any UDP, TCP ingress between your nodes
  • Any TCP ingress to port 22 for SSH (nodes without floating IPs are still not internet routable, and SSH password authentication is disabled)
  • Any TCP ingress from the node subnet on high ports 30000 to 32767
    • This allows Octavia Load Balancers managed by Kubernetes to forward traffic to the nodes on the high ports used by NodePort (and LoadBalancer) type services.

We don't recommend modifying the Security Group created by Metakube (metakube-<cluster-id>), since it's managed by Metakube and might receive automatic changes.

OpenStack has a Security Group called default. This Security Group allows egress and traffic between members of the Security Group.
It's not suitable for Metakube clusters, since Octavia Load Balancers managed by Kubernetes won't work.

Please do not alter the rules in that Security Group!
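If you manage the Security Group yourself, its rules can be checked against the traffic list above before the cluster depends on it. The following is an added example, not SysEleven's or Metakube's code: it takes rules as dictionaries using the Neutron security group rule attribute names and reports which traffic classes are not allowed. The group id, node CIDR and rule sets are constructed sample values, and accepting either a group-member source or a node-subnet source for "between your nodes" is an assumption.

```python
import ipaddress

def _src_covers(rule, cidr):
    """Source is 'anywhere' or an IP prefix containing the whole node subnet."""
    if rule.get("remote_group_id"):
        return False  # group-based source matches members only, not load balancers
    prefix = rule.get("remote_ip_prefix") or "0.0.0.0/0"
    return ipaddress.ip_network(cidr).subnet_of(ipaddress.ip_network(prefix))

def _allows(rule, direction, proto, lo, hi):
    """Rule matches direction and protocol, and its port range includes lo..hi."""
    pmin, pmax = rule.get("port_range_min"), rule.get("port_range_max")
    return (rule.get("ethertype", "IPv4") == "IPv4"
            and rule["direction"] == direction
            and rule.get("protocol") in (None, proto)   # None means any protocol
            and (pmin is None or (pmin <= lo and hi <= pmax)))

def missing_rules(rules, group_id, node_cidr):
    """Return the traffic classes from the list above that the rules do not allow."""
    missing = []
    for proto in ("tcp", "udp"):
        if not any(_allows(r, "egress", proto, 1, 65535)
                   and not r.get("remote_group_id")
                   and (r.get("remote_ip_prefix") or "0.0.0.0/0") == "0.0.0.0/0"
                   for r in rules):
            missing.append(f"{proto} egress")
        if not any(_allows(r, "ingress", proto, 1, 65535)
                   and (r.get("remote_group_id") == group_id
                        or _src_covers(r, node_cidr))
                   for r in rules):
            missing.append(f"{proto} ingress between nodes")
    if not any(_allows(r, "ingress", "tcp", 30000, 32767)
               and _src_covers(r, node_cidr) for r in rules):
        missing.append("tcp ingress from node subnet to 30000-32767")
    return missing

# Constructed sample values (not taken from a real project or from Metakube).
GID = "sg-example"
NODE_CIDR = "10.20.0.0/24"
# Shaped like the OpenStack "default" group: egress plus member-to-member traffic.
DEFAULT_LIKE = [{"direction": "egress"},
                {"direction": "ingress", "remote_group_id": GID}]
NODEPORT_RULE = {"direction": "ingress", "protocol": "tcp",
                 "port_range_min": 30000, "port_range_max": 32767,
                 "remote_ip_prefix": NODE_CIDR}

if __name__ == "__main__":
    print(missing_rules(DEFAULT_LIKE, GID, NODE_CIDR))
    print(missing_rules(DEFAULT_LIKE + [NODEPORT_RULE], GID, NODE_CIDR))
```

The rule set shaped like the default group fails only the NodePort check, which is why Octavia Load Balancers do not work with it; adding the node-subnet rule for ports 30000 to 32767 clears the report.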


You may want to use an existing OpenStack network if you want more control over settings such as router configuration, or if you want to deploy other services next to your Metakube cluster in the same network.
The network needs at least one subnet that's used as the node network.
If it has multiple subnets, the one created first (the oldest) will be used.

IPv6 subnets (or dual stack setups), as they're now available in the FES region, are currently not supported.

Subnet CIDR

This option is unavailable if you choose your own network.

By default, the nodes will be deployed in a subnet in the IP range.
That may collide with other networks you control that need to be routable without NAT.
Or you may require a bigger IP space for more worker nodes.
You can change the IP range for the node subnet to a CIDR of your choice.