About
These instructions have been tested on BCM 10.0 (release 10.25.03), Kubernetes 1.29.
Later releases of BCM and Kubernetes are also supported.
By default, the etcd service deployed on a BCM-managed Kubernetes cluster listens on all interfaces (0.0.0.0). For security reasons, a site may wish to restrict access to the etcd port to the internal network only.
Caveats
The steps provided in this article are targeted at Kubernetes clusters that deploy the kubeapi-server and etcd server on the internalnet (internal type network) interface. For clusters where the API service is deployed on the externalnet (external type network), these instructions may not be relevant.
Implementation
On the active headnode, run the following in a cmsh session. Please note: these steps update the /cm/local/apps/etcd/var/etc/etcd.conf configuration file and restart all etcd services on the cluster.
# cmsh
% configurationoverlay
% use kube-default-etcd
% roles
% use etcd::host
% set listenclienturls https://$ip:2379
% commit
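A check to run on each etcd node once the services have restarted, as an added example that is not part of the original article: it reads `ss -H -ltn` output and reports any listener on port 2379 that is still bound to a wildcard address. The function names and the sample socket lines (including the 10.141.0.1 address) are constructed for illustration, and the availability of `ss` on the node is an assumption.

```shell
#!/bin/sh
# Added example: flag etcd client listeners (port 2379) bound to a wildcard address.
# On a node, feed it live data with:  ss -H -ltn | wildcard_etcd_listeners
ETCD_CLIENT_PORT=2379

# Reads `ss -H -ltn` lines on stdin (column 4 is Local Address:Port).
# Prints every wildcard listener on the etcd client port; returns 1 if any exist.
wildcard_etcd_listeners() {
    awk -v port="$ETCD_CLIENT_PORT" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")
            if (parts[n] != port) next          # some other service
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            # 0.0.0.0 = all IPv4, [::] = all IPv6, * = dual-stack wildcard
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") {
                print addr ":" port
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample: default state, etcd listening on all interfaces.
sample_before() {
    printf '%s\n' \
        'LISTEN 0 4096 0.0.0.0:2379 0.0.0.0:*' \
        'LISTEN 0 128  0.0.0.0:22   0.0.0.0:*'
}

# Constructed sample: after the overlay change, etcd bound to one address.
sample_after() {
    printf '%s\n' \
        'LISTEN 0 4096 10.141.0.1:2379 0.0.0.0:*' \
        'LISTEN 0 128  0.0.0.0:22      0.0.0.0:*'
}

# Demo on the constructed samples.
for s in sample_before sample_after; do
    if out=$($s | wildcard_etcd_listeners); then
        echo "$s: OK, no wildcard listener on port $ETCD_CLIENT_PORT"
    else
        echo "$s: etcd client port still exposed on $out"
    fi
done
```

A non-zero return from `wildcard_etcd_listeners` on a node means etcd.conf on that node has not picked up the new listen URL.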