Hetzner Cloud Resources
Several resources are created during provisioning of INFINITY Business Cloud on Hetzner Cloud infrastructure. They are created in the HCloud project to which the API token provided by the user during cluster creation belongs. The created resources, in order of creation, are:
All created resources are labelled with the following common labels:
provisioner=clouster
instance=$CLUSTER_NAME
$CLUSTER_NAME represents the name of the cluster chosen by the user at creation time. The sections below list any additional labels for specific resource types where applicable.
If any resource with the given name already exists during creation, the provisioning process aborts and attempts to remove any resources that have been created so far.
SSH Key
A public/private SSH key pair is created using the Ed25519 algorithm. The public key is added to the HCloud project with the name $CLUSTER_NAME and is used when provisioning servers.
The private key is stored by INFINITY Business Cloud and used during deployment of Kubernetes.
To facilitate future Kubernetes upgrades, the private SSH key is not removed once the initial deployment is finished.
Placement Group
A placement group of type Spread is created with the name $CLUSTER_NAME.
This placement group ensures that all servers are started on different physical machines, which improves cluster resilience: a single failing physical machine in the Hetzner data center should cause the failure of at most one Kubernetes node.
Placement groups can contain at most 10 servers. The current upper limit for an INFINITY Business Cloud platform on Hetzner Cloud is therefore 10 nodes in total (master + worker).
Firewalls
Two firewalls are created: one for all master servers and one for all worker servers.
The common firewall rules are:
Direction | Protocol | Source IPs | Port | Description |
---|---|---|---|---|
IN | TCP | 0.0.0.0/0 , ::/0 | 22 | SSH |
IN | ICMP | 0.0.0.0/0 , ::/0 | - | Ping |
Master Firewall
A firewall is created with the name ${CLUSTER_NAME}-master. It contains a label selector for the following labels:
provisioner=clouster
instance=$CLUSTER_NAME
type=master
In addition to the common firewall rules it contains the following rules:
Direction | Protocol | Source IPs | Port | Description |
---|---|---|---|---|
IN | TCP | 0.0.0.0/0 , ::/0 | 6443 | Kubernetes API |
Worker Firewall
A firewall is created with the name ${CLUSTER_NAME}-node. It contains a label selector for the following labels:
provisioner=clouster
instance=$CLUSTER_NAME
type=node
In addition to the common firewall rules it contains the following rules:
Direction | Protocol | Source IPs | Port | Description |
---|---|---|---|---|
IN | TCP | 0.0.0.0/0 , ::/0 | 443 | HTTPS |
IN | TCP | 0.0.0.0/0 , ::/0 | 80 | HTTP |
IN | TCP | 0.0.0.0/0 , ::/0 | 30000-32767 | Kubernetes NodePort Service Range (TCP) |
IN | UDP | 0.0.0.0/0 , ::/0 | 30000-32767 | Kubernetes NodePort Service Range (UDP) |
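The following audit script is an added example, not code from the INFINITY Business Cloud project: it compares an HCloud firewall's rules against the common, master and worker rule sets documented above and reports anything missing or undocumented, plus name and label-selector mismatches. The dict layout (rules with direction, protocol, source_ips and port; applied_to with a label_selector) is assumed to mirror the Hetzner Cloud API response, and the sample firewall is constructed.

```python
# Added example (not from the INFINITY Business Cloud project): audit an HCloud
# firewall against the rule set documented above. The dict layout mirrors what the
# Hetzner Cloud API returns (assumed); the sample firewall is constructed.
ANY_SOURCE = tuple(sorted(["0.0.0.0/0", "::/0"]))

# Documented rules as (direction, protocol, source_ips, port) tuples.
COMMON_RULES = {("in", "tcp", ANY_SOURCE, "22"), ("in", "icmp", ANY_SOURCE, None)}
EXPECTED_RULES = {
    "master": COMMON_RULES | {("in", "tcp", ANY_SOURCE, "6443")},
    "node": COMMON_RULES | {
        ("in", "tcp", ANY_SOURCE, "443"),
        ("in", "tcp", ANY_SOURCE, "80"),
        ("in", "tcp", ANY_SOURCE, "30000-32767"),
        ("in", "udp", ANY_SOURCE, "30000-32767"),
    },
}

def rule_key(rule):
    """Normalise one API rule into a comparable tuple; source order is ignored."""
    return (rule["direction"], rule["protocol"],
            tuple(sorted(rule["source_ips"])), rule.get("port") or None)

def audit_firewall(firewall, cluster, node_type):
    """Report missing documented rules, undocumented (extra) rules, and name/selector mismatches."""
    expected = EXPECTED_RULES[node_type]
    actual = {rule_key(r) for r in firewall["rules"]}
    findings = {"missing": sorted(expected - actual, key=str),
                "unexpected": sorted(actual - expected, key=str), "other": []}
    wanted_name = f"{cluster}-{node_type}"
    if firewall["name"] != wanted_name:
        findings["other"].append(f"name {firewall['name']!r} != {wanted_name!r}")
    selectors = [a["label_selector"]["selector"]
                 for a in firewall.get("applied_to", []) if a.get("type") == "label_selector"]
    if not any(f"type={node_type}" in s for s in selectors):
        findings["other"].append(f"no label selector matching type={node_type}")
    return findings

# Constructed worker firewall: the HTTP (80) rule is missing and an undocumented
# port 8080 is open to the world; the audit reports both.
SAMPLE_WORKER_FIREWALL = {
    "name": "demo-node",
    "applied_to": [{"type": "label_selector", "label_selector": {
        "selector": "provisioner=clouster,instance=demo,type=node"}}],
    "rules": [{"direction": "in", "protocol": proto, "source_ips": ["::/0", "0.0.0.0/0"], "port": port}
              for proto, port in [("tcp", "22"), ("icmp", None), ("tcp", "443"),
                                  ("tcp", "30000-32767"), ("udp", "30000-32767"), ("tcp", "8080")]],
}
```

Run it against the JSON of each firewall labelled with your cluster's instance label; any entry under "unexpected" is exposure the provisioner did not document.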
Network
A network is created with the name $CLUSTER_NAME. The network IP range is 10.0.0.0/16. The network zone is the zone of the data center location chosen by the user during cluster creation. The network contains one subnet with the IP range 10.0.0.0/24.
If multiple clusters are deployed to the same HCloud project, each cluster has its own network and subnet with the IP address ranges described above. This means that the nodes of different clusters will very likely have colliding IP addresses.
Servers
For each master and worker node specified by the user during cluster creation, a server is created. The servers are named ${CLUSTER_NAME}-${NODE_TYPE}-${COUNTER}, where $COUNTER is a monotonically increasing, non-zero-padded counter that starts at 0 and increases by 1 for each additional node.
The servers are labelled with the following additional label:
type=$TYPE
where $TYPE is "master" for master nodes and "node" for worker nodes.
The servers are added to the created placement group and the created SSH key will be used for connecting to the servers during Kubernetes deployment.
The servers are also added to the created network, and their internal IP addresses are used for Kubernetes control-plane communication between the nodes.