Describes the network options for a cluster.
Property | Description
--- | ---
acme.certificateDuration | string: Optionally specifies the maximum lifespan for internal cluster TLS certificates as a Go-formatted duration string. This defaults to 2160h0m0s (90 days).
acme.certificateRenewBefore | string: Optionally specifies the time to wait before attempting to renew internal cluster TLS certificates. This must be less than acme.certificateDuration and defaults to 720h0m0s (24 days).
acme.issuer | string: Optionally specifies the certificate issuer, including any configuration required by the issuer. This defaults to null, which enables the standard NeonKUBE certificate issuer.
egressAddressRules | array: Optionally specifies whitelisted and/or blacklisted external addresses for outbound traffic. This defaults to allowing outbound traffic to anywhere when the property is null or empty. See Address Rules below for more information. NOTE: Address rules are processed in order from first to last, so consider putting your blacklist rules before your whitelist rules. NOTE: These rules currently apply to all network ports. NOTE: This is currently supported only for clusters hosted on Azure. AWS doesn't support this scenario and we currently don't support automatic router configuration for on-premise environments.
gateway | string: Specifies the default network gateway address to be configured for cluster nodes. This defaults to the second usable address in the premiseSubnet. For example, for the 10.0.0.0/24 subnet, this defaults to 10.0.0.1. NOTE: This applies only to on-premise deployments and is ignored for cloud hosting.
ingressRules | array: Optionally specifies the ingress routing rules for external traffic received by nodes with node.Ingress=true enabled, targeting one or more Istio ingress gateway services which are then responsible for routing to the target Kubernetes services. This defaults to allowing inbound HTTP/HTTPS traffic, and cluster setup also adds a TCP rule for the Kubernetes API server on port 6442. The structure of an individual ingress rule is described below.
managementAddressRules | array: Optionally specifies whitelisted and/or blacklisted external addresses for node management via SSH NAT rules as well as cluster management via the Kubernetes API on port 6443. This defaults to allowing inbound traffic from anywhere when the property is null or empty. See Address Rules below for more information. NOTE: Address rules are processed in order from first to last, so consider putting your blacklist rules before your whitelist rules. NOTE: This is currently supported only for clusters hosted on Azure. AWS doesn't support this scenario and we currently don't support automatic router configuration for on-premise environments.
mutualPodTls | bool: Optionally enables Istio mutual TLS for pod-to-pod communication. This defaults to false.
nameServers | array: Optionally specifies the IP addresses of the DNS nameservers to be used by the cluster. For cloud environments, this defaults to the name servers provided by the cloud. For on-premise environments, this defaults to the Google Public DNS servers: ["8.8.8.8", "8.8.4.4"].
nodeMtu | integer: Optionally overrides the default MTU (maximum transmission unit) configured for cluster node network interfaces. The default MTU for the hosting environment is used when this is set to 0; otherwise it can be set to a value between 512 and 9000. This defaults to 0. WARNING: This is an advanced setting. Only people who really know what they're doing should change this.
premiseSubnet | string: Specifies the LAN subnet for on-premise deployments. This is required for on-premise deployments and is ignored for cloud deployments.
podSubnet | string: Optionally specifies the subnet used for cluster pods. This subnet is split so that each node is allocated its own subnet for the pods running there. This defaults to 10.254.0.0/16.
publicAddresses | array: Optionally specifies the public IP addresses for the cluster. This is useful for documenting the public IP address of a router that directs traffic into the cluster. NOTE: This property is informational only and does not affect cluster deployments.
reservedIngressEndPort | integer: Optionally specifies the end of a range of ingress load balancer ports reserved by NeonKUBE. These are reserved for temporarily exposing SSH from individual cluster nodes to the Internet during cluster setup, as well as afterwards so that a cluster node can be accessed remotely by a cluster operator, and for other purposes and potential future features such as an integrated NOTE: The number of ports between reservedIngressStartPort and reservedIngressEndPort must include at least as many ports as there will be nodes deployed to the cluster (for the temporary SSH NAT rules) plus another 100 ports reserved for other purposes. This range defaults to 64000-64999, which supports a cluster with up to 900 nodes. This default range is unlikely to conflict with ports a cluster is likely to need to expose to the Internet, like HTTP/HTTPS (80/443). You can change this range for your cluster to resolve any conflicts when necessary.
reservedIngressStartPort | integer: Optionally specifies the start of the range of ingress load balancer ports reserved by NeonKUBE. See reservedIngressEndPort above for what the range is used for and how it is sized; the range defaults to 64000-64999.

Here's how an ingress rule is structured:

```yaml
addressRules: []
externalPort: [required]
ingressHealthCheck:
  intervalSeconds: 10
  thresholdCount: 2
name: [required]
nodePort: [required]
protocol: tcp
targetPort: 0
tcpIdleReset: true
tcpIdleTimeoutMinutes: 4
```

Property | Description
--- | ---
addressRules | array: Optionally specifies whitelisted and/or blacklisted external addresses for inbound traffic. This defaults to allowing inbound traffic from anywhere when the property is null or empty. See Address Rules below for more information. NOTE: Address rules are processed in order from first to last, so consider putting your blacklist rules before your whitelist rules. NOTE: This is currently supported only for clusters hosted on Azure. AWS doesn't support this scenario and we currently don't support automatic router configuration for on-premise environments.
externalPort | integer: Specifies the external ingress port used to handle external (generally Internet) traffic received by the cluster load balancer. This is required.
ingressHealthCheck | object: Configures the load balancer health checks for the rule. intervalSeconds (integer) specifies the interval in seconds between load balancer health checks; this defaults to 10 seconds and must be in the range 10...300 seconds. thresholdCount (integer) specifies the number of consecutive failed health checks before the load balancer considers the node endpoint unhealthy; this defaults to 2 and must be in the range 2...10.
name | string: Names the ingress rule. This is required.
nodePort | integer: Specifies the port on cluster nodes to which external traffic received by the load balancer on externalPort is forwarded. The cluster's ingress gateway (Istio) is configured to listen for traffic on this port and route it into the cluster. This is required.
protocol | string: Optionally specifies the network protocol. Supported values are http, https, tcp, or udp. This defaults to tcp.
targetPort | integer: Specifies the target ingress port internal to the cluster. The cluster's ingress gateway (Istio) applies routing rules (virtual service) to the network traffic as if it had been received on targetPort. This decouples routing rules from nodePort, which may change for different hosting environments. This property is optional and defaults to zero, indicating that the traffic should be routed to just the node port and not through the ingress gateway. This is useful for handling UDP traffic, which Istio doesn't currently support, and perhaps some other scenarios.
tcpIdleReset | bool: Optionally specifies whether the cluster router or load balancer sends a TCP RESET packet to both ends of a TCP connection that has been idle for longer than tcpIdleTimeoutMinutes. This defaults to true. NOTE: At this point, this property is supported only in cloud environments where we can easily control the cluster's external load balancer. This also has no effect for the udp protocol.
tcpIdleTimeoutMinutes | integer: Optionally specifies the TCP idle timeout for TCP-based ingress protocols like http, https, and tcp. Inbound TCP connections that have no network traffic going either way are closed by supported load balancers or routers. This defaults to 4 minutes. NOTE: At this point, this property is supported only in cloud environments where we can easily control the cluster's external load balancer. This also has no effect for non-TCP rules. NOTE: Cluster setup may modify this value to ensure that it honors the range of values supported by the target cloud.

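The constraints stated in the tables above (the Go-formatted ACME durations, the nodeMtu range, the reserved ingress port budget, and the per-rule health check and protocol limits) are easy to get subtly wrong in a hand-edited cluster definition. The following is an added example, not NeonKUBE's own validation code, that checks a network options mapping (as loaded from the cluster definition YAML) against exactly those documented constraints. The function names, the `node_count` argument and the sample input are this example's own; field names follow the tables.

```python
"""Consistency checks for the NeonKUBE network options documented above.

Added example, not NeonKUBE's own code. Field names follow the documentation;
the function names and `node_count` are this example's own.
"""
from __future__ import annotations

import ipaddress
import re
from datetime import timedelta

# Defaults as stated in the tables above.
DEFAULTS = {
    "acme": {"certificateDuration": "2160h0m0s", "certificateRenewBefore": "720h0m0s"},
    "nodeMtu": 0,
    "podSubnet": "10.254.0.0/16",
    "reservedIngressStartPort": 64000,
    "reservedIngressEndPort": 64999,
}
INGRESS_PROTOCOLS = {"http", "https", "tcp", "udp"}
RESERVED_EXTRA_PORTS = 100  # held back beyond one SSH NAT port per node

_GO_UNITS = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1.0, "m": 60.0, "h": 3600.0}
_GO_PART = re.compile(r"(\d+(?:\.\d+)?)(ns|us|ms|s|m|h)")


def parse_go_duration(text: str) -> timedelta:
    """Parse a Go-formatted duration such as '2160h0m0s' or '30m'."""
    parts = _GO_PART.findall(text)
    if not parts or "".join(v + u for v, u in parts) != text:
        raise ValueError(f"not a Go duration: {text!r}")
    return timedelta(seconds=sum(float(v) * _GO_UNITS[u] for v, u in parts))


def max_nodes_for_reserved_range(start: int, end: int) -> int:
    """Nodes a reserved range can serve: one port per node after the 100 extra
    ports are held back (64000-64999 -> 900, matching the documentation)."""
    return max(0, end - start + 1 - RESERVED_EXTRA_PORTS)


def validate_ingress_rule(rule: dict) -> list[str]:
    """Check one ingressRules entry against the documented field constraints."""
    name = rule.get("name") or "<unnamed>"
    problems = [f"ingress rule {name}: {k} is required"
                for k in ("name", "externalPort", "nodePort") if rule.get(k) is None]
    protocol = rule.get("protocol", "tcp")
    if protocol not in INGRESS_PROTOCOLS:
        problems.append(f"ingress rule {name}: unsupported protocol {protocol!r}")
    health = rule.get("ingressHealthCheck") or {}
    if not 10 <= health.get("intervalSeconds", 10) <= 300:
        problems.append(f"ingress rule {name}: intervalSeconds must be 10..300")
    if not 2 <= health.get("thresholdCount", 2) <= 10:
        problems.append(f"ingress rule {name}: thresholdCount must be 2..10")
    # targetPort 0 bypasses the Istio gateway. Istio does not handle UDP, so a
    # udp rule asking for gateway routing (non-zero targetPort) cannot work.
    if protocol == "udp" and rule.get("targetPort", 0) != 0:
        problems.append(f"ingress rule {name}: udp rules must leave targetPort at 0")
    return problems


def validate_network_options(options: dict, node_count: int) -> list[str]:
    """Return the problems found (empty when the options are consistent)."""
    opts = {**DEFAULTS, **options}
    acme = {**DEFAULTS["acme"], **(options.get("acme") or {})}
    problems: list[str] = []

    # Renewal has to begin before the certificate lifetime runs out.
    if parse_go_duration(acme["certificateRenewBefore"]) >= parse_go_duration(acme["certificateDuration"]):
        problems.append("acme.certificateRenewBefore must be less than acme.certificateDuration")

    # 0 means "use the hosting environment's MTU"; anything else is 512..9000.
    if opts["nodeMtu"] != 0 and not 512 <= opts["nodeMtu"] <= 9000:
        problems.append(f"nodeMtu {opts['nodeMtu']} is outside 512-9000")

    try:
        ipaddress.ip_network(opts["podSubnet"])
    except ValueError:
        problems.append(f"podSubnet {opts['podSubnet']!r} is not a valid subnet")

    start, end = opts["reservedIngressStartPort"], opts["reservedIngressEndPort"]
    if not 1 <= start <= end <= 65535:
        problems.append(f"reserved ingress range {start}-{end} is not a valid port range")
    elif node_count > max_nodes_for_reserved_range(start, end):
        problems.append(f"reserved ingress range {start}-{end} supports at most "
                        f"{max_nodes_for_reserved_range(start, end)} nodes, not {node_count}")

    for rule in opts.get("ingressRules") or []:
        problems.extend(validate_ingress_rule(rule))
    return problems


if __name__ == "__main__":
    # Constructed sample fragment: a renewal window longer than the certificate
    # lifetime, and a UDP rule that wrongly asks for Istio routing.
    sample = {"acme": {"certificateRenewBefore": "3000h"},
              "ingressRules": [{"name": "dns", "externalPort": 53, "nodePort": 30053,
                                "protocol": "udp", "targetPort": 5353}]}
    for problem in validate_network_options(sample, node_count=3):
        print(problem)
```

Run it against the `network` section of a cluster definition after loading the YAML; an empty list means every documented constraint holds for the given node count.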
Address rules can be used to whitelist or blacklist external traffic to or from the cluster. The egressAddressRules, ingressRules, and managementAddressRules network properties above may be set to an array of address rules that allow or deny traffic for a specific IP address or subnet. Rules are evaluated in the order they appear in the list, and the first rule that matches the traffic's IP address decides. Traffic is allowed when no rule matches.
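The ordering advice repeated in the tables above (blacklist rules before whitelist rules) follows directly from first-match evaluation plus the allow-by-default behaviour when nothing matches. The following is an added example, not NeonKUBE's own code, that implements those two documented semantics so the consequences can be checked: a host-specific deny placed after a broader allow can never fire, and an allow-only list blocks nothing unless it ends with a catch-all deny. The page does not show the fields of an address rule, so the example assumes each rule is a mapping with an `action` ("allow" or "deny") and an `addressOrSubnet` (an IP address or CIDR); those field names, the function names and the sample rule lists are this example's assumptions.

```python
"""First-match evaluation of NeonKUBE address rules.

Added example, not NeonKUBE's own code. The rule shape (`action` plus
`addressOrSubnet`) is an assumption; the semantics (first match decides,
unmatched traffic is allowed) are the documented ones.
"""
from __future__ import annotations

import ipaddress

Rule = dict  # {"action": "allow" | "deny", "addressOrSubnet": "198.51.100.0/24"}


def _network(rule: Rule) -> ipaddress.IPv4Network | ipaddress.IPv6Network:
    # strict=False accepts a host address ("203.0.113.77") as a /32 and tolerates
    # host bits in a CIDR; rules are compared as networks throughout.
    return ipaddress.ip_network(rule["addressOrSubnet"], strict=False)


def evaluate(rules: list[Rule] | None, address: str) -> tuple[str, int | None]:
    """Return (decision, index of the deciding rule); ("allow", None) when no rule matches."""
    ip = ipaddress.ip_address(address)
    for index, rule in enumerate(rules or []):
        if rule["action"] not in ("allow", "deny"):
            raise ValueError(f"rule {index}: unknown action {rule['action']!r}")
        net = _network(rule)
        if net.version == ip.version and ip in net:
            return rule["action"], index
    return "allow", None  # documented default: nothing matched, traffic is allowed


def is_allowed(rules: list[Rule] | None, address: str) -> bool:
    return evaluate(rules, address)[0] == "allow"


def shadowed_rules(rules: list[Rule]) -> list[int]:
    """Indexes of rules that can never fire because an earlier rule's subnet
    already contains their whole address or subnet (a misordered blacklist)."""
    nets = [_network(r) for r in rules]
    return [i for i, net in enumerate(nets)
            if any(net.version == e.version and net.subnet_of(e) for e in nets[:i])]


# Constructed sample: admit a partner's /24 (TEST-NET-3 documentation space)
# while keeping one known-bad host inside that range out.
BAD_HOST = "203.0.113.77"
PARTNER_NET = "203.0.113.0/24"
ANY_IPV4 = "0.0.0.0/0"

DENY_FIRST = [  # blacklist before whitelist: the host-specific deny wins
    {"action": "deny", "addressOrSubnet": BAD_HOST},
    {"action": "allow", "addressOrSubnet": PARTNER_NET},
]
ALLOW_FIRST = list(reversed(DENY_FIRST))  # the /24 matches first; the deny is dead

# An allow-only list blocks nothing, because unmatched traffic is allowed.
WHITELIST_ONLY = [{"action": "allow", "addressOrSubnet": PARTNER_NET}]
# To actually restrict traffic to the whitelist, end the list with a catch-all deny.
WHITELIST_THEN_DENY = WHITELIST_ONLY + [{"action": "deny", "addressOrSubnet": ANY_IPV4}]

if __name__ == "__main__":
    stranger = "198.51.100.9"  # constructed address outside the partner range
    for label, rules in [("deny first", DENY_FIRST), ("allow first", ALLOW_FIRST),
                         ("whitelist only", WHITELIST_ONLY),
                         ("whitelist then deny", WHITELIST_THEN_DENY)]:
        print(f"{label:20} bad host allowed={is_allowed(rules, BAD_HOST)!s:5} "
              f"stranger allowed={is_allowed(rules, stranger)!s:5} "
              f"shadowed={shadowed_rules(rules)}")
```

`shadowed_rules` is the check worth running over any rule list before deploying it: a non-empty result means a rule further down is fully covered by an earlier one and will never be consulted, which is exactly the mistake the "blacklist before whitelist" note warns about. The IPv4 catch-all `0.0.0.0/0` does not match IPv6 traffic, so an IPv6-reachable cluster needs a `::/0` deny as well.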