metropolis/node: allow all ports as NodePorts except special ones
As we don't have hostPort implemented, we can only provide NodePorts to
applications. To allow apps to use all ports we have to increase the range,
but we have to prevent them from using the reserved metropolis ones. This is
currently prevented by patching the allocator and hardcoding all of them.
Change-Id: I7c0e8b17643d1ec03e1a1b678bc6276881b1c5e5
Reviewed-on: https://review.monogon.dev/c/monogon/+/1884
Tested-by: Jenkins CI
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
diff --git a/metropolis/node/kubernetes/apiserver.go b/metropolis/node/kubernetes/apiserver.go
index aeaa80e..9c4132d 100644
--- a/metropolis/node/kubernetes/apiserver.go
+++ b/metropolis/node/kubernetes/apiserver.go
@@ -120,6 +120,8 @@
pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: s.serviceAccountPrivKey})),
"--service-account-issuer", "https://metropolis.internal", // TODO: Figure out federation
fmt.Sprintf("--service-cluster-ip-range=%v", s.ServiceIPRange.String()),
+ // We use a patch for the allocator that prevents usage of system ports.
+ fmt.Sprintf("--service-node-port-range=1-65535"),
args.FileOpt("--tls-cert-file", "server-cert.pem",
pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: s.serverCert})),
args.FileOpt("--tls-private-key-file", "server-key.pem",
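Review bot: The added `--service-node-port-range=1-65535` argument makes every port on the node allocatable as a NodePort, and the only thing keeping Services off the node's own ports is the allocator patch the comment mentions, which is not visible in this file. If that patch stops applying after a Kubernetes bump, or a new Metropolis port is added without extending the hardcoded list, nothing here would fail, so the comment should name both, e.g. `// Safe only with the NodePort allocator patch (<patch path>), which reserves the Metropolis system ports; keep its list in sync with <port definitions>.` The full range presumably also overlaps the kernel's ephemeral port range, which is worth confirming against the node's sysctl settings. The `fmt.Sprintf` call has no format verbs, so a plain `"--service-node-port-range=1-65535",` is enough. The argument list this hunk sits in starts and ends outside the hunk.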