From 028e3ceb490673a52a3232324c25ded20800c584 Mon Sep 17 00:00:00 2001 From: David Nuzik Date: Tue, 31 Mar 2020 13:54:17 -0700 Subject: [PATCH 1/4] Update installation-requirements networking section - Addresses comment around node-requirements page (now installation-requirements) in issue https://github.com/rancher/k3s/issues/1031 - Accomplishes this by adding a table to list ports, we actually took from /rancher/v2.x/en/installation/requirements/ports networking section so both guides are in alignment --- .../installation-requirements/_index.md | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/content/k3s/latest/en/installation/installation-requirements/_index.md b/content/k3s/latest/en/installation/installation-requirements/_index.md index 13da6c3d7ce..44e9bf5008f 100644 --- a/content/k3s/latest/en/installation/installation-requirements/_index.md +++ b/content/k3s/latest/en/installation/installation-requirements/_index.md 
@@ -37,12 +37,24 @@ K3s performance depends on the performance of the database. To ensure optimal sp ## Networking -The K3s server needs port 6443 to be accessible by the nodes. The nodes need to be able to reach other nodes over UDP port 8472 (Flannel VXLAN). If you do not use Flannel and provide your own custom CNI, then port 8472 is not needed by K3s. The node should not listen on any other port. K3s uses reverse tunneling such that the nodes make outbound connections to the server and all kubelet traffic runs through that tunnel. +The K3s server needs port 6443 to be accessible by the nodes. -IMPORTANT: The VXLAN port on nodes should not be exposed to the world as it opens up your cluster network to be accessed by anyone. Run your nodes behind a firewall/security group that disabled access to port 8472. +The nodes need to be able to reach other nodes over UDP port 8472 when Flannel VXLAN is used. The node should not listen on any other port. K3s uses reverse tunneling such that the nodes make outbound connections to the server and all kubelet traffic runs through that tunnel. However, if you do not use Flannel and provide your own custom CNI, then port 8472 is not needed by K3s. If you wish to utilize the metrics server, you will need to open port 10250 on each node. +> **Important:** The VXLAN port on nodes should not be exposed to the world as it opens up your cluster network to be accessed by anyone. Run your nodes behind a firewall/security group that disables access to port 8472. + +
Inbound Rules for Rancher Server Nodes
+ +| Protocol | Port | Source | Description +|-----|-----|----------------|---| +| TCP | 6443 | K3s server nodes | Kubernetes API +| UDP | 8472 | K3s server and agent nodes | Required only for Flannel VXLAN +| TCP | 10250 | K3s server and agent nodes | kubelet + +Typically all outbound traffic is allowed. + ## Large Clusters Hardware requirements are based on the size of your K3s cluster. For production and large clusters, we recommend using a high-availability setup with an external database. The following options are recommended for the external database in production: From 2d431d73c9c2aa6d1fb3d0b33c7ce66e33cd89ff Mon Sep 17 00:00:00 2001 From: David Nuzik Date: Tue, 31 Mar 2020 14:06:41 -0700 Subject: [PATCH 2/4] Address symlink issue on installation-requirements page - Resolves symlink issue in single-server section of https://github.com/rancher/k3s/issues/1031 - The INSTALL_K3S_SYMLINK env var now has a description that explains what binaries symlinks are created for --- content/k3s/latest/en/installation/install-options/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/k3s/latest/en/installation/install-options/_index.md b/content/k3s/latest/en/installation/install-options/_index.md index e2bc4a2dbb2..d8c415cb96c 100644 --- a/content/k3s/latest/en/installation/install-options/_index.md +++ b/content/k3s/latest/en/installation/install-options/_index.md @@ -29,7 +29,7 @@ When using this method to install K3s, the following environment variables can b - `INSTALL_K3S_SYMLINK` - If set to 'skip' will not create symlinks, 'force' will overwrite, default will symlink if command does not exist in path. + By default will create symlinks for the kubectl, crictl, and ctr binaries if the commands do not already exist in path. If set to 'skip' will not create symlinks and 'force' will overwrite. - `INSTALL_K3S_SKIP_START` From 88079937e5b75b7def5eb81e88f22d5d31106ea9 Mon Sep 17 00:00:00 2001 
From: David Nuzik Date: Tue, 31 Mar 2020 15:32:03 -0700 Subject: [PATCH 3/4] Tweaks to install-options page - Addresses additional issues outlined in https://github.com/rancher/k3s/issues/1031 single-server section --- content/k3s/latest/en/installation/install-options/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/k3s/latest/en/installation/install-options/_index.md b/content/k3s/latest/en/installation/install-options/_index.md index d8c415cb96c..70b164b38aa 100644 --- a/content/k3s/latest/en/installation/install-options/_index.md +++ b/content/k3s/latest/en/installation/install-options/_index.md @@ -66,7 +66,7 @@ When using this method to install K3s, the following environment variables can b - `INSTALL_K3S_NAME` - Name of systemd service to create, will default from the K3s exec command if not specified. If specified the name will be prefixed with 'k3s-'. + Name of systemd service to create, will default to 'k3s' if running k3s as a server and 'k3s-agent' if running k3s as an agent. If specified the name will be prefixed with 'k3s-'. - `INSTALL_K3S_TYPE` From a02c1d240f3bc4fbd40a5ab2a1348e99ee605dc7 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Wed, 1 Apr 2020 13:14:10 -0700 Subject: [PATCH 4/4] Remove reference to Rancher in K3s doc --- .../latest/en/installation/installation-requirements/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/k3s/latest/en/installation/installation-requirements/_index.md b/content/k3s/latest/en/installation/installation-requirements/_index.md index 44e9bf5008f..ee053e09e0c 100644 --- a/content/k3s/latest/en/installation/installation-requirements/_index.md +++ b/content/k3s/latest/en/installation/installation-requirements/_index.md 
@@ -45,7 +45,7 @@ If you wish to utilize the metrics server, you will need to open port 10250 on e > **Important:** The VXLAN port on nodes should not be exposed to the world as it opens up your cluster network to be accessed by anyone. Run your nodes behind a firewall/security group that disables access to port 8472. -
Inbound Rules for Rancher Server Nodes
+
Inbound Rules for K3s Server Nodes
| Protocol | Port | Source | Description |-----|-----|----------------|---|
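Review bot: In the PATCH 1/4 networking hunk, the Source column for port 6443 lists only "K3s server nodes", yet the prose directly above says the server needs 6443 "to be accessible by the nodes", so agents must reach it too; change the source to "K3s server and agent nodes" so the table and the text agree. Two smaller points in the same hunk: "The node should not listen on any other port." now sits before the new sentence that asks you to open 10250 for the metrics server and before a table that lists 10250, so it reads as a contradiction and should be qualified or moved after the exceptions; and the "However, if you do not use Flannel and provide your own custom CNI..." exception would read better immediately after the 8472 sentence it qualifies rather than after the reverse-tunneling sentence. The header and data rows of the new table also omit the trailing `|` that the separator row `|-----|-----|----------------|---|` has; make the rows consistent so every renderer treats it as a table.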
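Review bot: The rewritten INSTALL_K3S_SYMLINK description in PATCH 2/4 drops the subject from both sentences ("By default will create...", "If set to 'skip' will not create..."), which reads as fragments; suggest "By default, symlinks are created for the kubectl, crictl, and ctr binaries if those commands do not already exist in PATH. Set to 'skip' to create no symlinks, or 'force' to overwrite existing ones." Capitalising PATH also makes it clear the sentence refers to the environment variable.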
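Review bot: The new INSTALL_K3S_NAME text in PATCH 3/4 states the defaults ('k3s' and 'k3s-agent') but keeps "If specified the name will be prefixed with 'k3s-'." without saying the prefix applies only to a user-supplied value, so a reader could take the default 'k3s-agent' to be prefixed as well. Suggest "If you specify a name, it will be prefixed with 'k3s-'." (and a comma after "If specified" if the original wording is kept).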
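Review bot: The header and separator rows in the trailing context of the PATCH 4/4 hunk still have mismatched trailing pipes (`| Protocol | Port | Source | Description` versus `|-----|-----|----------------|---|`), so fix the table syntax here while the caption is being touched. Also consider squashing this commit into PATCH 1/4, which introduced the "Rancher Server Nodes" caption that this one corrects, so the wrong product name never lands in the history of a K3s-only page.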