Discuss: work around SecurityRuleAddressesOrPortsPerSecurityGroupLimitReached when service floating ip disabled #5919
Comments
ArchangelSDY
added
the
kind/feature
|
I am thinking maybe we could set the backend node subnet CIDR as the default destination addresses by default, without requiring additional annotations or settings from the user. Need to double check if it’s feasible. |
Will we lose security if open up all subnet while most of the space may not be used? |
|
For local services, maybe we can only open nodes where there are endpoints running. |
Yes, unfortunately, we would. Had a thought that set CIDR iff nodes * services exceeds the limit; otherwise, set node IP list. Still not sure about the idea. |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
I'd like to discuss potential solutions for issue #2725 .
The background is we have a large cluster with > 500 nodes and > 30 services. These services have floating ip disabled, so in a NSG rule all backend node IPs are listed as dest addresses. However, NSG has a limit that sum of IPs among all rules must not exceed 4000. In above cluster the value is
500 * 30 = 15000, exceeding the limit a lot.I don't think NSG has plan to increase such limit. So the only way in my mind is that maybe we can provide an annotation to let user explicitly specify NSG dest addresses(probably a CIDR list), instead of using all backend node IPs.
For example:
Then we create a NSG rule with
destinationAddressPrefixset to10.1.0.0/16,10.2.0.0/16. It would only count as 2 to the limit.Thoughts? I'm happy to submit a PR if you're ok with the change.
The text was updated successfully, but these errors were encountered: