From f3a0f735886d7e558d6bd39faf228792ad33b875 Mon Sep 17 00:00:00 2001
From: Matthew Mosesohn <mmosesohn@mirantis.com>
Date: Fri, 3 Feb 2017 18:26:30 +0300
Subject: [PATCH] Prevent dynamic port allocation in nodePort range

kube_apiserver_node_port_range should be accessible only
to kube-proxy and not be taken by a dynamic port allocation.

Potentially temporary if https://github.com/kubernetes/kubernetes/issues/40920
gets fixed.
---
 roles/kubernetes/node/defaults/main.yml |  4 ++++
 roles/kubernetes/node/tasks/main.yml    | 10 ++++++++++
 2 files changed, 14 insertions(+)

diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml
index a74e52b77..d60b76208 100644
--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@@ -29,3 +29,7 @@ nginx_image_repo: nginx
 nginx_image_tag: 1.11.4-alpine
 
 etcd_config_dir: /etc/ssl/etcd
+
+# A port range to reserve for services with NodePort visibility.
+# Inclusive at both ends of the range.
+kube_apiserver_node_port_range: "30000-32767"
diff --git a/roles/kubernetes/node/tasks/main.yml b/roles/kubernetes/node/tasks/main.yml
index 3e0c095e1..2c18937c9 100644
--- a/roles/kubernetes/node/tasks/main.yml
+++ b/roles/kubernetes/node/tasks/main.yml
@@ -21,6 +21,16 @@
   notify: restart kubelet
   tags: kubelet
 
+- name: Ensure nodePort range is reserved
+  sysctl:
+    name: net.ipv4.ip_local_reserved_ports
+    value: "{{ kube_apiserver_node_port_range }}"
+    sysctl_set: yes
+    state: present
+    reload: yes
+  when: kube_apiserver_node_port_range is defined
+  tags: kube-proxy
+
 - name: Write proxy manifest
   template:
     src: manifests/kube-proxy.manifest.j2
-- 
GitLab