Ports for connecting User Cluster Nodes to the Seed Control Plane

On the nodes of my user cluster in OpenStack, several pods don’t come up and are constantly failing. It looks like they cannot connect to components of the control plane in the seed cluster, so I think it is likely that several ports need to be opened on the seed cluster to allow traffic to reach the control plane. It would be great to have a list of ports that need to be reachable for the seed cluster :slightly_smiling_face:

I know this one: https://docs.kubermatic.com/kubermatic/v2.14/requirements/cluster_requirements/ however, it feels to me like there is something missing that blocks communication between user nodes and the user cluster’s control plane in the seed. If the list is complete I will spend some time debugging the network :slightly_smiling_face:

You need SSH / console access to the provisioned machines to check if they can reach the seed cluster endpoint for the API server.

At the seed: kubectl get svc -A | grep nodeport

nodeport-proxy nodeport-lb LoadBalancer 31806:32701/TCP,32387:30138/TCP,30353:31951/TCP,30534:30583/TCP,31000:30724/TCP,31398:30303/TCP,31049:31659/TCP,30694:32497/TCP,30841:31110/TCP,32722:31311/TCP,30173:31386/TCP,30824:31421/TCP,31932:31658/TCP,30523:31817/TCP,30033:31964/TCP,31434:32473/TCP,32053:32100/TCP,30333:30319/TCP,31542:30582/TCP,30673:32355/TCP,32685:31460/TCP,31305:30083/TCP,31874:30760/TCP,30510:30695/TCP,31699:30268/TCP,30131:31490/TCP,8002:31071/TCP 9h

This is the default IP that needs to be reachable. We expose for every new cluster a random port in the configured nodePortRange of the seed. This is by default 30000 - 32767, see http://www.thinkcode.se/blog/2019/02/20/kubernetes-service-node-port-range. This needs to be reachable.

To save LoadBalancers in cloud environments, we implemented this nodeport proxy, because it lets you manage a lot of clusters with only one external-facing LoadBalancer and IP.

There is also the option to create one LB per cluster, see https://docs.kubermatic.com/kubermatic/master/concepts/expose-strategy/expose_strategy/

In the “chart-based” installation the nodeport range is also configurable: https://github.com/kubermatic/kubermatic/blob/master/charts/kubermatic/values.yaml#L100

I’m not sure if this can also be done by the operator-based installer - @xrstf do you know?
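
One way to run the reachability check described in this thread from a user-cluster node, as an added example that is not part of the original posts: it takes the PORT(S) column of the nodeport-lb service, extracts the load-balancer-facing port of each entry, and tries a TCP connect to each one. The function names, the shortened sample port list and the 3-second timeout are assumptions; the load balancer IP is passed in by whoever runs it.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Function names and timeout are assumptions.

# Shortened sample of the PORT(S) column, taken from the output quoted above.
SAMPLE_PORTS='31806:32701/TCP,32387:30138/TCP,8002:31071/TCP'

# lb_ports PORTS_COLUMN
# Each entry is "port:nodePort/PROTO"; nodes connect to the LB on the first number.
lb_ports() {
  printf '%s\n' "$1" | tr ',' '\n' |
    sed -n 's#^\([0-9][0-9]*\):[0-9][0-9]*/TCP$#\1#p'
}

# in_nodeport_range PORT [MIN MAX]
# True if PORT lies inside the nodePortRange (default 30000-32767).
in_nodeport_range() {
  [ "$1" -ge "${2:-30000}" ] && [ "$1" -le "${3:-32767}" ]
}

# check_port HOST PORT
# Returns 0 if a TCP connection succeeds within 3 seconds (uses bash's /dev/tcp).
check_port() {
  timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# report HOST PORTS_COLUMN
# Prints one line per exposed port so blocked ones stand out.
report() (
  host=$1
  for port in $(lb_ports "$2"); do
    if check_port "$host" "$port"; then status=open; else status=BLOCKED; fi
    # A firewall rule that only covers the nodePortRange misses such a port.
    in_nodeport_range "$port" || status="$status (outside default nodePortRange)"
    printf '%s:%s %s\n' "$host" "$port" "$status"
  done
)

# Usage on a user-cluster node:
#   ./check-seed-ports.sh <LB_IP> '<PORT(S) column from kubectl get svc>'
if [ "$#" -eq 2 ]; then
  report "$1" "$2"
fi
```

A port reported as BLOCKED from the node but open from inside the seed's network points at a security group or firewall between the two, rather than at the nodeport proxy itself.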