Our biggest cluster has approx. 300 nodes, 7000 pods. /MR
On Mon, Aug 28, 2017 at 3:24 PM <m...@maglana.com> wrote:

> How large is your cluster currently?
>
> > One thing that I did not realise initially is that it is absolutely
> > vital to be diligent about securing the etcd peer and client communication.
> > In a single-node setup you can get away with binding to localhost, but if
> > you put etcd on the network and do not require authentication anyone who
> > can reach it can subvert any and all Kubernetes authorization. You probably
> > also don't want to use the same CA as for Kubernetes here. Only the
> > kube-apiserver needs etcd client access. For the same reason, you should
> > not ever use this etcd cluster for anything else. Run a new cluster inside
> > of Kubernetes instead.
>
> +1! We're using an internal PKI setup for all our intra-cluster
> communication.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Kubernetes user discussion and Q&A" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to kubernetes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to kubernetes-users@googlegroups.com.
> Visit this group at https://groups.google.com/group/kubernetes-users.
> For more options, visit https://groups.google.com/d/optout.
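The etcd advice quoted in this thread can be checked mechanically against an etcd command line; the following is an added example, not code from anyone in the thread. The flag names are etcd's own, while the function names, sample command lines and file paths are constructed, and the shared-CA check compares file paths only (an assumption; it does not compare certificate fingerprints).

```python
import shlex
from urllib.parse import urlparse

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_flags(cmdline):
    """Parse '--flag=value', '--flag value' and bare '--flag' into a dict."""
    flags, tokens, i = {}, shlex.split(cmdline), 0
    while i < len(tokens):
        if tokens[i].startswith("--"):
            name, sep, value = tokens[i][2:].partition("=")
            if not sep:
                if i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                    i += 1
                    value = tokens[i]
                else:
                    value = "true"  # bare boolean flag
            flags[name] = value
        i += 1
    return flags

def audit_etcd(cmdline, kubernetes_ca=None):
    """Return findings for listeners that are reachable beyond loopback."""
    f, findings = parse_flags(cmdline), []
    for side, urls_flag, auth_flag, ca_flag in (
        ("client", "listen-client-urls", "client-cert-auth", "trusted-ca-file"),
        ("peer", "listen-peer-urls", "peer-client-cert-auth", "peer-trusted-ca-file"),
    ):
        urls = [urlparse(u) for u in f.get(urls_flag, "").split(",") if u]
        exposed = [u for u in urls if u.hostname not in LOOPBACK]
        if not exposed:
            continue  # unset (etcd defaults to localhost) or loopback only
        if any(u.scheme != "https" for u in exposed):
            findings.append(f"{side}: plaintext listener on a network address")
        if f.get(auth_flag, "false") != "true" or ca_flag not in f:
            findings.append(f"{side}: client certificates not required")
        if kubernetes_ca and f.get(ca_flag) == kubernetes_ca:
            findings.append(f"{side}: trusts the Kubernetes CA")
    return findings

# Constructed sample command lines and paths.
K8S_CA = "/etc/kubernetes/pki/ca.crt"
WEAK = "etcd --listen-client-urls http://0.0.0.0:2379 --listen-peer-urls http://10.0.0.5:2380"
HARDENED = ("etcd --listen-client-urls=https://10.0.0.5:2379 --client-cert-auth "
            "--trusted-ca-file=/etc/etcd/pki/ca.crt --listen-peer-urls=https://10.0.0.5:2380 "
            "--peer-client-cert-auth=true --peer-trusted-ca-file=/etc/etcd/pki/ca.crt")
SHARED_CA = HARDENED.replace("--trusted-ca-file=/etc/etcd/pki/ca.crt",
                             "--trusted-ca-file=" + K8S_CA, 1)

if __name__ == "__main__":
    for label, cmd in (("weak", WEAK), ("hardened", HARDENED), ("shared CA", SHARED_CA)):
        print(label, audit_etcd(cmd, K8S_CA))
```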