authorBogdan Dobrelya <bdobreli@redhat.com>2017-06-05 16:41:09 +0200
committerTomas Sedovic <tomas@sedovic.cz>2017-06-15 12:35:09 +0200
commit4bb2f005bc6cdeb8e656c2b42ac54db8fbd67fb9 (patch)
tree16b87eb066daad457104ebc5f65bf57ff5781870 /roles
parenta7300e6b7ace3098aa05794d4ac2f9e5a4cef64a (diff)
Add a flat sec group for openstack provider
Add an openstack_flat_secgroup option, defaulting to False. When set, it merges the security-group rules for master, node, etcd and infra nodes into a single group. This is less secure, but may help to mitigate quota limitations. Update docs. Use a 30s timeout to mitigate the error: Timeout (12s) waiting for privilege escalation prompt. Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
Diffstat (limited to 'roles')
-rw-r--r--roles/openstack-stack/templates/heat_stack.yaml.j2138
1 files changed, 128 insertions, 10 deletions
diff --git a/roles/openstack-stack/templates/heat_stack.yaml.j2 b/roles/openstack-stack/templates/heat_stack.yaml.j2
index c10b1d90f..c750865a5 100644
--- a/roles/openstack-stack/templates/heat_stack.yaml.j2
+++ b/roles/openstack-stack/templates/heat_stack.yaml.j2
@@ -142,6 +142,119 @@ resources:
# cluster_id: {{ stack_name }}
# public_key: {{ ssh_public_key }}
+{% if openstack_flat_secgrp|bool %}
+ flat-secgrp:
+ type: OS::Neutron::SecurityGroup
+ properties:
+ name:
+ str_replace:
+ template: openshift-ansible-cluster_id-flat-secgrp
+ params:
+ cluster_id: {{ stack_name }}
+ description:
+ str_replace:
+ template: Security group for cluster_id OpenShift cluster
+ params:
+ cluster_id: {{ stack_name }}
+ rules:
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 22
+ port_range_max: 22
+ remote_ip_prefix: {{ ssh_ingress_cidr }}
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 4001
+ port_range_max: 4001
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 8443
+ port_range_max: 8444
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 53
+ port_range_max: 53
+ - direction: ingress
+ protocol: udp
+ port_range_min: 53
+ port_range_max: 53
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 8053
+ port_range_max: 8053
+ - direction: ingress
+ protocol: udp
+ port_range_min: 8053
+ port_range_max: 8053
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 24224
+ port_range_max: 24224
+ - direction: ingress
+ protocol: udp
+ port_range_min: 24224
+ port_range_max: 24224
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 2224
+ port_range_max: 2224
+ - direction: ingress
+ protocol: udp
+ port_range_min: 5404
+ port_range_max: 5405
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 9090
+ port_range_max: 9090
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 2379
+ port_range_max: 2380
+ remote_mode: remote_group_id
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 10250
+ port_range_max: 10250
+ remote_mode: remote_group_id
+ - direction: ingress
+ protocol: udp
+ port_range_min: 10250
+ port_range_max: 10250
+ remote_mode: remote_group_id
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 10255
+ port_range_max: 10255
+ remote_mode: remote_group_id
+ - direction: ingress
+ protocol: udp
+ port_range_min: 10255
+ port_range_max: 10255
+ remote_mode: remote_group_id
+ - direction: ingress
+ protocol: udp
+ port_range_min: 4789
+ port_range_max: 4789
+ remote_mode: remote_group_id
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 30000
+ port_range_max: 32767
+ remote_ip_prefix: {{ node_ingress_cidr }}
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 30000
+ port_range_max: 32767
+ remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24"
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 80
+ port_range_max: 80
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 443
+ port_range_max: 443
+{% else %}
master-secgrp:
type: OS::Neutron::SecurityGroup
properties:
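Review bot: Most rules in the new flat-secgrp (4001, 8443-8444, 53 and 8053 tcp/udp, 24224, 2224, 5404-5405, 9090, 80, 443) carry neither `remote_ip_prefix` nor `remote_mode`, and if I read the Neutron default correctly a rule without either admits any source; because this one group is attached to every master, node, etcd and infra instance, each of those ports becomes reachable from anywhere on every instance, not only on the role that originally needed it. The cluster-internal services among them should be scoped the way the 2379-2380 and 10250 rules already are, e.g. `remote_mode: remote_group_id` under the 4001, 2224, 5404-5405 and 24224 entries, leaving only the genuinely public ports (22 via ssh_ingress_cidr, 8443-8444, 80, 443) open. The trade-off also deserves a comment above `flat-secgrp:`, such as `# Single group shared by master/node/etcd/infra when openstack_flat_secgrp is set; rules without remote_ip_prefix/remote_mode are open to any source on every instance.` A smaller inconsistency: `{{ ssh_ingress_cidr }}` and `{{ node_ingress_cidr }}` are substituted unquoted while `"{{ openstack_subnet_prefix }}.0/24"` is quoted; quoting all three protects the rendered YAML against an empty or special-character value.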
@@ -168,10 +281,6 @@ resources:
- direction: ingress
protocol: tcp
port_range_min: 8443
- port_range_max: 8443
- - direction: ingress
- protocol: tcp
- port_range_min: 8444
port_range_max: 8444
- direction: ingress
protocol: tcp
@@ -204,10 +313,6 @@ resources:
- direction: ingress
protocol: udp
port_range_min: 5404
- port_range_max: 5404
- - direction: ingress
- protocol: udp
- port_range_min: 5405
port_range_max: 5405
- direction: ingress
protocol: tcp
@@ -317,6 +422,7 @@ resources:
protocol: tcp
port_range_min: 443
port_range_max: 443
+{% endif %}
dns-secgrp:
type: OS::Neutron::SecurityGroup
@@ -411,7 +517,7 @@ resources:
net: { get_resource: net }
subnet: { get_resource: subnet }
secgrp:
- - { get_resource: etcd-secgrp }
+ - { get_resource: {% if openstack_flat_secgrp|bool %}flat-secgrp{% else %}etcd-secgrp{% endif %} }
floating_network: {{ external_network }}
net_name:
str_replace:
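Review bot: The etcd secgrp entry switches the resource name with an inline Jinja conditional inside the flow mapping (`{ get_resource: {% if ... %}flat-secgrp{% else %}etcd-secgrp{% endif %} }`), whereas the master, infra and dns hunks below wrap whole list items in block-level `{% if %}`/`{% else %}`/`{% endif %}`; the node hunk (`node-secgrp`) has the same inline form. Using the block form everywhere keeps the rendered YAML identical and makes the template greppable for `get_resource: flat-secgrp` in one shape.

```yaml
secgrp:
{% if openstack_flat_secgrp|bool %}
  - { get_resource: flat-secgrp }
{% else %}
  - { get_resource: etcd-secgrp }
{% endif %}
# … unchanged: floating_network, net_name …
```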
@@ -491,11 +597,15 @@ resources:
net: { get_resource: net }
subnet: { get_resource: subnet }
secgrp:
+{% if openstack_flat_secgrp|bool %}
+ - { get_resource: flat-secgrp }
+{% else %}
- { get_resource: master-secgrp }
- { get_resource: node-secgrp }
{% if num_etcd is equalto 0 %}
- { get_resource: etcd-secgrp }
{% endif %}
+{% endif %}
floating_network: {{ external_network }}
net_name:
str_replace:
@@ -538,7 +648,7 @@ resources:
net: { get_resource: net }
subnet: { get_resource: subnet }
secgrp:
- - { get_resource: node-secgrp }
+ - { get_resource: {% if openstack_flat_secgrp|bool %}flat-secgrp{% else %}node-secgrp{% endif %} }
floating_network: {{ external_network }}
net_name:
str_replace:
@@ -581,8 +691,12 @@ resources:
net: { get_resource: net }
subnet: { get_resource: subnet }
secgrp:
+{% if openstack_flat_secgrp|bool %}
+ - { get_resource: flat-secgrp }
+{% else %}
- { get_resource: node-secgrp }
- { get_resource: infra-secgrp }
+{% endif %}
floating_network: {{ external_network }}
net_name:
str_replace:
@@ -621,7 +735,11 @@ resources:
net: { get_resource: net }
subnet: { get_resource: subnet }
secgrp:
+{% if openstack_flat_secgrp|bool %}
+ - { get_resource: flat-secgrp }
+{% else %}
- { get_resource: node-secgrp }
+{% endif %}
- { get_resource: dns-secgrp }
floating_network: {{ external_network }}
net_name: