I have a host with two network interfaces: 192.168.0.2 (NAT), 192.168.1.2 (local network only). And I have a public IP (220.127.116.11 for example) assigned to 192.168.0.2.
I want to make the k8s setup secure and use only the local network for it. But at the same time I want to make my services (that will be deployed inside k8s) accessible from the Internet.
I am trying to run Rancher Server in the following way:
sudo docker run -d --restart=unless-stopped -p 192.168.1.2:80:80 -p 192.168.1.2:443:443 rancher/server:preview
And run the agent with the following command on the same host:
sudo docker run -d --privileged --restart=unless-stopped --net=host -v /etc/kubernetes:/etc/kubernetes -v /var/run:/var/run rancher/agent:v2.0.0-beta3 --server https://192.168.1.2 --token ... --ca-checksum ... --etcd --controlplane --worker
But in this case the Ingress controller (deployed by the agent) fails to start, because port 80 is already in use by Rancher Server.
As a workaround I use the following command to start Rancher Server:
sudo docker run -d --restart=unless-stopped -p 192.168.1.2:8080:80 -p 192.168.1.2:8443:443 rancher/server:preview
In this case, the Ingress controller can start on port 80, because Rancher Server uses 8080.
- Maybe it is okay to make Rancher Server accessible from the Internet and there is no need to use the local network interface at all?
- Is the Ingress controller a part of worker or controlplane?
- Can the Ingress controller work on the same host where Rancher Server is deployed?
- Can I point the Ingress controller to use 192.168.0.2:80? Currently, it uses 0.0.0.0:80.
- Is there a way to point Rancher Agent to use the local interface (192.168.1.2) for communication between etcd instances, between kubelet and kube-api, etc.?
- Is it okay that I don't have a firewall in front of the cluster? Do I need to deny access to port 6443 (kube-api), the etcd server port and others? Or is it okay to make these things accessible from the Internet? As far as I understood, all of these ports require certs to use them.
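The port clash described in the post comes from bind semantics: a listener on the wildcard address (0.0.0.0) on a port blocks every specific address on that port, and vice versa. As an added example (not part of the original post or of Rancher), this POSIX sh check decides whether a planned host:port bind would collide with existing listeners; the listener sample is constructed, and the `current_listeners` helper is an assumption that `ss -ltnH` is available.

```shell
#!/bin/sh
# Added example: detect whether a requested bind (ADDR PORT) would collide
# with listeners already present on the host.
#
# Rule implemented: same port AND (either side is a wildcard address, or the
# addresses are identical) => conflict. This is why an ingress controller on
# 0.0.0.0:80 cannot start while Rancher Server holds 192.168.1.2:80, and why
# moving Rancher Server to 192.168.1.2:8080 frees port 80.

# Constructed sample of the "Local Address:Port" column of `ss -ltnH`:
# Rancher Server bound to the local-only interface, sshd on all interfaces.
SAMPLE_LISTENERS='192.168.1.2:80
192.168.1.2:443
0.0.0.0:22'

# Assumed helper for live use: real listeners from the kernel (iproute2 ss).
current_listeners() {
  ss -ltnH 2>/dev/null | awk '{print $4}'
}

# bind_conflicts ADDR PORT LISTENERS -> prints "conflict" or "free"
bind_conflicts() {
  addr=$1; port=$2; listeners=$3
  result=free
  for l in $listeners; do
    laddr=${l%:*}; lport=${l##*:}
    [ "$lport" = "$port" ] || continue
    if [ "$laddr" = "0.0.0.0" ] || [ "$laddr" = "*" ] || [ "$laddr" = "[::]" ] \
       || [ "$addr" = "0.0.0.0" ] || [ "$laddr" = "$addr" ]; then
      result=conflict
    fi
  done
  printf '%s\n' "$result"
}

# Usage against the constructed sample (the post's three situations):
bind_conflicts 0.0.0.0     80   "$SAMPLE_LISTENERS"   # conflict: ingress vs Rancher on :80
bind_conflicts 192.168.0.2 80   "$SAMPLE_LISTENERS"   # free: ingress pinned to the NAT interface
bind_conflicts 0.0.0.0     80   '192.168.1.2:8080'    # free: Rancher moved to 8080
```

Replace `"$SAMPLE_LISTENERS"` with `"$(current_listeners)"` to check a real host before starting a container.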