Describe the solution you'd like
While #392 requests the ability to customize security group rules, the solution for that will require rethinking how we declaratively manage multiple aspects of networking (VPC, security groups, etc). We'd like to tackle that as part of a new v1alpha4 API version.
In the meantime, it would be nice to modify v1alpha3 to allow the user to customize which ports are open for a CNI to be functional. We currently hard-code rules for BGP and IP-in-IP (for Calico). Some of our users are interested in trying Antrea, which requires one UDP port for the overlay protocol (VXLAN or Geneve, for example), and another TCP port to enable Antrea agent-to-controller communications.
To add Antrea support, we could add these rules on top of the Calico ones, but that would open more ports than required. Rather than do this, we'd like to do the following:
- Do not make any changes to the current set of defaults (i.e., continue to configure for Calico)
- Do not make any changes that break current CAPA clusters
- Adjust the AWSCluster spec to allow CNI port configuration
  - Maybe something like `spec.networkSpec.cni` (optional / pointer), which looks like this (names TBD):
/kind feature
cc @detiber @vincepri @randomvariable - did I capture this accurately?
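As an added illustration of the behaviour the proposal asks for (this is example code written for this page, not code from the issue or from the cluster-api-provider-aws project), the following Go sketch models a `cni` block whose absence keeps today's Calico rules and whose presence replaces them instead of adding to them, so only the ports the chosen CNI needs end up in the node security group. The type and field names (`CNISpec`, `CNIIngressRules`, `Protocol`, `FromPort`, `ToPort`) are assumed, since the issue leaves the names TBD; the Calico values are the well-known BGP TCP 179 and IP protocol 4, and the Antrea ports are constructed sample values rather than numbers quoted by the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// CNIIngressRule is one CNI-required ingress rule between cluster nodes.
// Field names are assumed for illustration; the issue leaves them TBD.
type CNIIngressRule struct {
	Description string
	Protocol    string // "tcp", "udp", or an IP protocol number such as "4" (IP-in-IP)
	FromPort    int64  // -1 together with ToPort -1 means "not port-based"
	ToPort      int64
}

// CNISpec is the proposed optional block under spec.networkSpec (assumed name: cni).
type CNISpec struct {
	CNIIngressRules []CNIIngressRule
}

// NetworkSpec models only the slice of AWSCluster.spec.networkSpec relevant here.
type NetworkSpec struct {
	CNI *CNISpec // nil means the user did not configure anything
}

// defaultCalicoRules reproduces the current hard-coded behaviour: BGP and
// IP-in-IP between nodes. TCP 179 and IP protocol 4 are the well-known values.
func defaultCalicoRules() []CNIIngressRule {
	return []CNIIngressRule{
		{Description: "bgp (calico)", Protocol: "tcp", FromPort: 179, ToPort: 179},
		{Description: "IP-in-IP (calico)", Protocol: "4", FromPort: -1, ToPort: -1},
	}
}

// validateRule rejects rules that would not map to a sane security group entry:
// unknown protocols, port ranges outside 0-65535, or from > to.
func validateRule(r CNIIngressRule) error {
	switch r.Protocol {
	case "tcp", "udp":
		if r.FromPort < 0 || r.ToPort > 65535 || r.FromPort > r.ToPort {
			return fmt.Errorf("rule %q: invalid port range %d-%d", r.Description, r.FromPort, r.ToPort)
		}
		return nil
	case "4": // IP-in-IP carries no ports
		if r.FromPort != -1 || r.ToPort != -1 {
			return fmt.Errorf("rule %q: protocol %s is not port-based", r.Description, r.Protocol)
		}
		return nil
	default:
		return fmt.Errorf("rule %q: unsupported protocol %q", r.Description, r.Protocol)
	}
}

// nodeSecurityGroupRules returns the CNI rules to apply to the node security
// group. A nil CNI block keeps today's Calico defaults, so existing clusters are
// unchanged; a non-nil block replaces the defaults rather than being added on
// top of them, so only the ports the chosen CNI needs are opened.
func nodeSecurityGroupRules(spec NetworkSpec) ([]CNIIngressRule, error) {
	rules := defaultCalicoRules()
	if spec.CNI != nil {
		rules = append([]CNIIngressRule(nil), spec.CNI.CNIIngressRules...)
	}
	for _, r := range rules {
		if err := validateRule(r); err != nil {
			return nil, err
		}
	}
	return rules, nil
}

// render formats rules as "proto:from-to" tokens so two specs can be compared.
func render(rules []CNIIngressRule) string {
	parts := make([]string, 0, len(rules))
	for _, r := range rules {
		if r.FromPort < 0 {
			parts = append(parts, r.Protocol+":all")
			continue
		}
		parts = append(parts, fmt.Sprintf("%s:%d-%d", r.Protocol, r.FromPort, r.ToPort))
	}
	return strings.Join(parts, ",")
}

// antreaSpec is a constructed sample: a Geneve overlay on UDP 6081 and the
// agent-to-controller API on TCP 10349 (assumed values, not taken from the issue).
func antreaSpec() NetworkSpec {
	return NetworkSpec{CNI: &CNISpec{CNIIngressRules: []CNIIngressRule{
		{Description: "geneve overlay (antrea)", Protocol: "udp", FromPort: 6081, ToPort: 6081},
		{Description: "agent to controller (antrea)", Protocol: "tcp", FromPort: 10349, ToPort: 10349},
	}}}
}

func main() {
	for _, tc := range []struct {
		name string
		spec NetworkSpec
	}{{"unset (existing clusters)", NetworkSpec{}}, {"antrea", antreaSpec()}} {
		rules, err := nodeSecurityGroupRules(tc.spec)
		if err != nil {
			fmt.Println(tc.name+":", err)
			continue
		}
		fmt.Println(tc.name+":", render(rules))
	}
}
```

The point worth checking in a real implementation is the nil-versus-empty distinction: a nil block must produce exactly the rules existing clusters already have, while an explicitly empty block should open nothing, and a user's block must never be merged with the Calico defaults, since that merge is exactly the "more ports than required" outcome the issue wants to avoid.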