authorSamuel Munilla <smunilla@redhat.com>2016-06-29 14:01:24 -0400
committerSamuel Munilla <smunilla@redhat.com>2016-08-23 14:19:01 -0400
commit24ea576489b37ecc5ff5fecef3cd8445ff73a4d9 (patch)
treef38391c3704cb8e87bbc8c617ac7b59df73c7a62
parent7435ce713bbd3018192e3b7287ccfc5bf967e290 (diff)
Add externalIPNetworkCIDRs to config
Allow networkConfig.externalIPNetworkCIDRs to be set along with a default to emulate the old 3.1 behavior.
-rw-r--r--inventory/byo/hosts.origin.example10
-rw-r--r--inventory/byo/hosts.ose.example9
-rw-r--r--roles/openshift_master/templates/master.yaml.v1.j21
3 files changed, 20 insertions, 0 deletions
diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example
index 8e7883f3b..8dedba9f8 100644
--- a/inventory/byo/hosts.origin.example
+++ b/inventory/byo/hosts.origin.example
@@ -343,6 +343,16 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
#osm_cluster_network_cidr=10.1.0.0/16
#openshift_portal_net=172.30.0.0/16
+
+# ExternalIPNetworkCIDRs controls what values are acceptable for the
+# service external IP field. If empty, no externalIP may be set. It
+# may contain a list of CIDRs which are checked for access. If a CIDR
+# is prefixed with !, IPs in that CIDR will be rejected. Rejections
+# will be applied first, then the IP checked against one of the
+# allowed CIDRs. You should ensure this range does not overlap with
+# your nodes, pods, or service CIDRs for security reasons.
+#openshift_master_external_ip_network_cidrs=['0.0.0.0/0']
+
# Configure number of bits to allocate to each host’s subnet e.g. 8
# would mean a /24 network on the host.
#osm_host_subnet_length=8
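Review bot: The example value `['0.0.0.0/0']` on the last added line contradicts the guidance two lines above it, which tells the operator the range must not overlap the node, pod or service CIDRs — 0.0.0.0/0 overlaps all of them, so a user who uncomments the example as-is gets exactly the configuration the comment warns against. Since the commit message says the open default exists to preserve the 3.1 behaviour, the example should say so and show the locked-down alternatives the comment already describes: an empty list to forbid externalIP entirely, or the `!` prefix to carve out the internal ranges first, e.g. (constructed from the CIDRs shown above) `#openshift_master_external_ip_network_cidrs=['!10.1.0.0/16', '!172.30.0.0/16', '0.0.0.0/0']`. A one-line addition such as `# Default is ['0.0.0.0/0'] (3.1 behaviour); set [] to disable externalIP or exclude internal ranges with '!'` would make the trade-off explicit. The same block is added to inventory/byo/hosts.ose.example in the next hunk and should get the identical wording so the two examples do not drift.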
diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example
index 0d358146c..7b6b5fcc5 100644
--- a/inventory/byo/hosts.ose.example
+++ b/inventory/byo/hosts.ose.example
@@ -339,6 +339,15 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
#openshift_portal_net=172.30.0.0/16
+# ExternalIPNetworkCIDRs controls what values are acceptable for the
+# service external IP field. If empty, no externalIP may be set. It
+# may contain a list of CIDRs which are checked for access. If a CIDR
+# is prefixed with !, IPs in that CIDR will be rejected. Rejections
+# will be applied first, then the IP checked against one of the
+# allowed CIDRs. You should ensure this range does not overlap with
+# your nodes, pods, or service CIDRs for security reasons.
+#openshift_master_external_ip_network_cidrs=['0.0.0.0/0']
+
# Configure number of bits to allocate to each host’s subnet e.g. 8
# would mean a /24 network on the host.
#osm_host_subnet_length=8
diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2
index 31e86f5bd..bb5175261 100644
--- a/roles/openshift_master/templates/master.yaml.v1.j2
+++ b/roles/openshift_master/templates/master.yaml.v1.j2
@@ -156,6 +156,7 @@ networkConfig:
{% endif %}
# serviceNetworkCIDR must match kubernetesMasterConfig.servicesSubnet
serviceNetworkCIDR: {{ openshift.common.portal_net }}
+ externalIPNetworkCIDRs: {{ openshift_master_external_ip_network_cidrs | default(["0.0.0.0/0"]) | to_padded_yaml(1,2) }}
oauthConfig:
{% if 'oauth_always_show_provider_selection' in openshift.master %}
alwaysShowProviderSelection: {{ openshift.master.oauth_always_show_provider_selection }}
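Review bot: The `default(["0.0.0.0/0"])` fallback on the added externalIPNetworkCIDRs line means any inventory that leaves `openshift_master_external_ip_network_cidrs` unset renders a master config that accepts every externalIP, and nothing in the template records that this is a deliberate compatibility choice rather than an oversight. A comment in the style of the `serviceNetworkCIDR` line just above it would carry that intent, e.g. `# externalIPNetworkCIDRs: 0.0.0.0/0 when openshift_master_external_ip_network_cidrs is unset (pre-3.2 behaviour); restrict it in production`. The same literal default is repeated in the two inventory example files touched by this commit, so a later tightening of one has to be mirrored in all three. The enclosing `networkConfig:` mapping begins before this hunk.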