I couldn't reproduce it in the first place, but I think I know what's happening here.
tl;dr `juju expose kubernetes-master` may be the easiest workaround but it will expose the port 8443 to everywhere.
It would be nice to tweak the LB members' rule to make it work out of the box though.
(there is a discussion about the expose feature but it's separate anyway: https://discourse.charmhub.io/t/granular-control-of-application-expose-parameters-in-the-upcoming-2-9-juju-release/3597)
The k8s-master unit/machine is covered by 3 security groups: the Juju model one, the unit/machine one, and the LB members' one.
$ openstack server show juju-f8a3c5-k8s-on-openstack-0 -c security_groups
+-----------------+-----------------------------------------------------------------------------------------+
| Field           | Value                                                                                   |
+-----------------+-----------------------------------------------------------------------------------------+
| security_groups | name='openstack-integrator-f4720ef8a3c5-kubernetes-master-members'                      |
|                 | name='juju-6fda9e38-0c87-4a13-88f7-563386e719a9-fad73522-1466-41c0-8570-f4720ef8a3c5-0' |
|                 | name='juju-6fda9e38-0c87-4a13-88f7-563386e719a9-fad73522-1466-41c0-8570-f4720ef8a3c5'   |
+-----------------+-----------------------------------------------------------------------------------------+
The model one is to allow all traffic inside the same model, which is not applicable to Amphora instance <-> k8s-master since the Amphora is outside of the Juju model's security group.
Then, the LB members' rule allows traffic to 6443 only from a /32, which is the LB's vip_address.
$ openstack security group rule list openstack-integrator-f4720ef8a3c5-kubernetes-master-members
+--------------------------------------+-------------+-----------+---------------+------------+-----------+-----------------------+----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range      | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+---------------+------------+-----------+-----------------------+----------------------+
| 1b5a9b4a-c9f5-4730-a6ee-b53ed672d3aa | None        | IPv6      | ::/0          |            | egress    | None                  | None                 |
| 7e7cf826-6732-4f26-89b0-0c27f4b2788e | None        | IPv4      | 0.0.0.0/0     |            | egress    | None                  | None                 |
| ea4e048d-a164-431c-b44f-96076a41c859 | tcp         | IPv4      | 10.5.5.116/32 | 6443:6443  | ingress   | None                  | None                 |
+--------------------------------------+-------------+-----------+---------------+------------+-----------+-----------------------+----------------------+
But the unit/machine one can allow access to 6443 from anywhere when the application has expose=true in the Juju model. And it's enabled by default in charmstore bundles: https://github.com/charmed-kubernetes/bundle/blob/045be1ee3cf544f67298fd22050cfbca98337bd4/fragments/k8s/core/bundle.yaml#L6-L13
$ openstack security group rule list juju-6fda9e38-0c87-4a13-88f7-563386e719a9-fad73522-1466-41c0-8570-f4720ef8a3c5-0
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range  | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| 3a9bd197-ceba-40e6-a812-fda6c6552d11 | tcp         | IPv4      | 0.0.0.0/0 | 6443:6443  | ingress   | None                  | None                 |
| 893a858f-015a-4f84-b46a-068a68cddfbc | None        | IPv6      | ::/0      |            | egress    | None                  | None                 |
| 8de817bb-8a8a-44d2-a47f-468cbd538cad | tcp         | IPv6      | ::/0      | 6443:6443  | ingress   | None                  | None                 |
| 99d3eb2a-09a5-48ac-9437-55a5fab56a26 | None        | IPv4      | 0.0.0.0/0 |            | egress    | None                  | None                 |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
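As an added illustration of how the rules of several attached security groups combine (example code, not from the bug report, Juju or the charms), this script computes which of a server's groups let a port be reached from any source. It assumes the JSON keys of `openstack security group rule list <sg> -f json` equal the column names shown above, and embeds the two groups' rules from the tables as constructed input.

```python
import ipaddress

# Constructed sample in the shape `openstack security group rule list <sg> -f json`
# returns (assumption: JSON keys equal the table column names). Rule values are
# taken from the tables above; the Juju model group is omitted since its rules
# are not shown. Rules with a remote security group instead of a CIDR are skipped.
MEMBERS_SG = "openstack-integrator-f4720ef8a3c5-kubernetes-master-members"
UNIT_SG = "juju-6fda9e38-0c87-4a13-88f7-563386e719a9-fad73522-1466-41c0-8570-f4720ef8a3c5-0"

def rule(id_, proto, ether, cidr, ports, direction):
    return {"ID": id_, "IP Protocol": proto, "Ethertype": ether,
            "IP Range": cidr, "Port Range": ports, "Direction": direction}

SAMPLE_GROUPS = {
    MEMBERS_SG: [
        rule("ea4e048d-a164-431c-b44f-96076a41c859", "tcp", "IPv4", "10.5.5.116/32", "6443:6443", "ingress"),
        rule("7e7cf826-6732-4f26-89b0-0c27f4b2788e", None, "IPv4", "0.0.0.0/0", "", "egress"),
    ],
    UNIT_SG: [
        rule("3a9bd197-ceba-40e6-a812-fda6c6552d11", "tcp", "IPv4", "0.0.0.0/0", "6443:6443", "ingress"),
        rule("8de817bb-8a8a-44d2-a47f-468cbd538cad", "tcp", "IPv6", "::/0", "6443:6443", "ingress"),
        rule("99d3eb2a-09a5-48ac-9437-55a5fab56a26", None, "IPv4", "0.0.0.0/0", "", "egress"),
    ],
}

def port_in_range(port, port_range):
    """'Port Range' is 'min:max', or empty when the rule matches every port."""
    if not port_range:
        return True
    lo, hi = (int(p) for p in port_range.split(":"))
    return lo <= port <= hi

def ingress_sources(groups, port, proto="tcp"):
    """Map each group to the CIDRs it lets reach proto/port. A server's effective
    ingress is the union over all attached groups, so one permissive group wins
    even when another group (here the LB members' one) is tightly scoped."""
    hits = {}
    for name, rules in groups.items():
        for r in rules:
            if r["Direction"] != "ingress" or r["IP Protocol"] not in (None, proto):
                continue
            if port_in_range(port, r["Port Range"]) and r["IP Range"]:
                hits.setdefault(name, []).append(r["IP Range"])
    return hits

def world_open(groups, port, proto="tcp"):
    """Names of groups that admit proto/port from any source (0.0.0.0/0 or ::/0)."""
    return sorted(name for name, cidrs in ingress_sources(groups, port, proto).items()
                  if any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs))
```

Run against the real groups, `world_open` reports the unit/machine group as the one opening tcp/6443 to the world, while the members' group alone yields nothing.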