Use host-gw flannel for better performance

cluster/openstack/kubernetes-heat/fragments/provision-network-master.sh

@@ -49,8 +49,7 @@ cat <<EOF > /etc/flannel-config.json
   "Network": "${CONTAINER_SUBNET}",
   "SubnetLen": 24,
   "Backend": {
-    "Type": "udp",
-    "Port": 8285
+    "Type": "host-gw"
   }
 }
 EOF

cluster/openstack/kubernetes-heat/kubecluster.yaml

@@ -144,21 +144,23 @@ resources:
         - protocol: tcp
           port_range_min: 22
           port_range_max: 22
+        - remote_mode: remote_group_id
 
-  secgroup_kubernetes:
+  secgroup_master:
     type: OS::Neutron::SecurityGroup
     properties:
       rules:
-        - protocol: tcp # etcd for flanneld
-          port_range_min: 4379
-          port_range_max: 4380
-        - protocol: udp # flannel backend
-          port_range_min: 8285
-          port_range_max: 8285
         - protocol: tcp # api-server
           port_range_min: 443
           port_range_max: 443
 
+  secgroup_node:
+    type: OS::Neutron::SecurityGroup
+    properties:
+      rules:
+        - protocol: icmp
+        - protocol: tcp
+        - protocol: udp
 
   ######################################################################
   #
@@ -261,9 +263,11 @@ resources:
       network: {get_resource: fixed_network}
       security_groups:
         - {get_resource: secgroup_base}
-        - {get_resource: secgroup_kubernetes}
+        - {get_resource: secgroup_master}
       fixed_ips:
         - subnet: {get_resource: fixed_subnet}
+      allowed_address_pairs:
+        - ip_address: 10.246.0.0/16
       replacement_policy: AUTO
 
   kube_master_floating:
@@ -302,6 +306,8 @@ resources:
           wait_condition_timeout: {get_param: wait_condition_timeout}
           metadata: {"metering.stack": {get_param: "OS::stack_id"}}
           cluster_name: {get_param: "OS::stack_name"}
+          secgroup_base: {get_resource: secgroup_base}
+          secgroup_node: {get_resource: secgroup_node}
       min_size: {get_param: number_of_minions}
       desired_capacity: {get_param: number_of_minions}
       max_size: {get_param: max_number_of_minions}

cluster/openstack/kubernetes-heat/kubeminion.yaml

@@ -60,6 +60,10 @@ parameters:
     description: metadata for ceilometer query
   cluster_name:
     type: string
+  secgroup_base:
+    type: string
+  secgroup_node:
+    type: string
 
 resources:
 
@@ -73,14 +77,6 @@ resources:
       handle: {get_resource: minion_wait_handle}
       timeout: {get_param: wait_condition_timeout}
 
-  secgroup_all_open:
-    type: OS::Neutron::SecurityGroup
-    properties:
-      rules:
-        - protocol: icmp
-        - protocol: tcp
-        - protocol: udp
-
   ######################################################################
   #
   # software configs.  these are components that are combined into
@@ -182,9 +178,12 @@ resources:
     properties:
       network: {get_param: fixed_network}
       security_groups:
-        - get_resource: secgroup_all_open
+        - {get_param: secgroup_base}
+        - {get_param: secgroup_node}
       fixed_ips:
         - subnet: {get_param: fixed_subnet}
+      allowed_address_pairs:
+        - ip_address: 10.246.0.0/16
       replacement_policy: AUTO
 
   kube_minion_floating: