[GitHub] [cloudstack] MejdiB opened a new issue #6128: Kubernetes Cluster with the new SystemVM template is not working in a Security Groups environment

[GitBox <gi...@apache.org>]

MejdiB opened a new issue #6128:
URL: https://github.com/apache/cloudstack/issues/6128


   ##### ISSUE TYPE
    * Bug Report
    * Improvement
   
   ##### COMPONENT NAME
   ~~~
   API
   ~~~
   
   ##### CLOUDSTACK VERSION
   ~~~
   4.16.1
   ~~~
   
   ##### CONFIGURATION
   Cloudstack 4.16.1 Environment Advanced Zone with Security Groups. There is a shared default Network with a pool of IP addresses available for instances.
   
   ##### OS / ENVIRONMENT
   RHEL 8.4 is used for cloudstack management servers and hosts.
   
   ##### SUMMARY
   In ACS v4.15.x, we used CoreOS template for our KCS and it worked in our environment. The node instances were setup with the default Security Group of the account and the nodes were accessible from the Management Servers. With Cloudstack 4.16.0 and above, Kubernetes Cluster are set up with the new System VM template based on Debian. Setting up a Kubernetes Cluster with the new System VM template fails, because the Management Server have no access to the control node, but to others. I assume this is due to the missing Security Group property for the instance. 
   
   ##### STEPS TO REPRODUCE
   ~~~
   - ACS Environment Advanced Zone (maybe also Basic Zone) with Security Group option
   - Enable Kubernetes Service for the Zone
   - Default Shared Network with a set of IP addresses
   - Create a Kubernetes Cluster with 1.20 or above (in my case 1.23.3) would run into an error due to inability of the Management Server to access the control node 
   ~~~
   
   ##### EXPECTED RESULTS
   ~~~
   - A working Kubernetes Cluster v1.23.3 (or lower)
   - Manually adding or removing a Security Group to an instance would help me out, but I have found no feature on the UI..
   ~~~
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] MejdiB commented on issue #6128: Kubernetes Cluster with the new SystemVM template is not working in a Security Groups environment

[GitBox <gi...@apache.org>]

MejdiB commented on issue #6128:
URL: https://github.com/apache/cloudstack/issues/6128#issuecomment-1070512337


   @Pearl1594 Which KCS Version did you used? I have a KCS 1.16 on the Cloud with the CoreOS KVM Template. All Nodes were created by Cloudstack with Security Group "default". We did this several times with KCS v1.16, no errors.. 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] Pearl1594 commented on issue #6128: Kubernetes Cluster with the new SystemVM template is not working in a Security Groups environment

[GitBox <gi...@apache.org>]

Pearl1594 commented on issue #6128:
URL: https://github.com/apache/cloudstack/issues/6128#issuecomment-1070378052


   You're right @MejdiB , on an Advanced zone with security groups, it doesn't work by default. But as a work-around,I was able to get the cluster up and running by doing the following:
   1. Stop the CKS nodes
   2. Create necessary security groups allowing the ports (22 , 6443)
   3. Use the updateVirtualMachine API (via cmk as it's not supported via UI) to associate the security group(s) to the VMs
   4. Start the VMs
   5. SSH into the VMs (ssh -i <ssh-key> cloud@<public_ip_of_the_node>) and start the setup-kube-system & deploy-kube-system services.
   
    


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] Pearl1594 commented on issue #6128: Kubernetes Cluster with the new SystemVM template is not working in a Security Groups environment

[GitBox <gi...@apache.org>]

Pearl1594 commented on issue #6128:
URL: https://github.com/apache/cloudstack/issues/6128#issuecomment-1070502089


   @MejdiB I tried deploying a CKS cluster on a 4.15.2 env with Advanced Zone with security groups and observed the same behavior as on 4.16. 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] Pearl1594 commented on issue #6128: Kubernetes Cluster with the new SystemVM template is not working in a Security Groups environment

[GitBox <gi...@apache.org>]

Pearl1594 commented on issue #6128:
URL: https://github.com/apache/cloudstack/issues/6128#issuecomment-1070517719


   @MejdiB I tried it with kubernetes version 1.16.3 on a 4.15.2 env. 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] MejdiB edited a comment on issue #6128: Kubernetes Cluster with the new SystemVM template is not working in a Security Groups environment

[GitBox <gi...@apache.org>]

MejdiB edited a comment on issue #6128:
URL: https://github.com/apache/cloudstack/issues/6128#issuecomment-1070512337


   @Pearl1594 Which KCS Version did you used? I have a KCS 1.16 on the Cloud with the CoreOS KVM Template. All Nodes were created by Cloudstack with Security Group "default". We did this several times on ACS 4.15.2 with KCS v1.16, no errors.. 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] MejdiB commented on issue #6128: Kubernetes Cluster with the new SystemVM template is not working in a Security Groups environment

[GitBox <gi...@apache.org>]

MejdiB commented on issue #6128:
URL: https://github.com/apache/cloudstack/issues/6128#issuecomment-1070514882


   @Pearl1594 As a feature idea, users might select a Security Group (allowing ports 22 and 6443) via the KCS creation view


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] nvazquez closed issue #6128: Kubernetes Cluster with the new SystemVM template is not working in a Security Groups environment

[GitBox <gi...@apache.org>]

nvazquez closed issue #6128:
URL: https://github.com/apache/cloudstack/issues/6128


   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org