# harvester
b
I read some of your posts, and think a better solution for you would be to put a router in front of your cluster and do what you need to do there.
b
Hi Mike. Yes that would be my first option, but I’m stuck with a few servers in a DC that I have no control over
b
Then build a virtual router on your cluster to handle the wan/lan/vlans/firewall/etc
b
for sure, the thought occurred to me, but I still need to secure the harvester hosts as they expose everything to the net. To complement what you’re saying, I need them to be segregated behind a network device(s) to do this properly
b
I have spent limited time with Calico, and it is awesome, but fiddling with those rules is probably going to go bad.
I talked to another person in a similar situation as you a while back.
b
oh yeah? Do you know what they ended up doing?
b
The way some of these BareMetal datacenters do things is not very conducive to what you want to do. Can you please provide a quick written diagram of your connectivity?
b
no kidding. Sure. One sec.
Excuse the terrible drawmanship
I was able to successfully apply a hostendpoint and globalnetworkpolicy… but, the problem is that it applies to even internal traffic, so I’d have to poke a lot of holes in it. It’s not very elegant
b
So what do you have access to configure?
b
The entirety of the nodes. That’s basically it. No firewall. I was hoping to internally iptables them off, but harvester/calico doesn’t make it easy in this compromised situation.
b
You have a management network it seems? On the Wan what IP space do you have?
b
I’ve got a few public IPs, but they’re bound to the mac addresses of the public interfaces. The mgmt net is the harvester mgmt network
b
First thing I would do is build a virtual router for each node.
Mikrotik is a good choice and very flexible.
Do BGP between them, let your vms attach to any or all.
b
so, basically provision additional hardware to create a router/firewall layer in front of the cluster. I’ve pretty much got to the point where I see that as the only option.
b
Yeah but do it with virtual routers.
Your management network does dhcp and nat right?
b
DHCP only