Always let the openshift nodes access the DNS

When `node_ingress_cidr` to limit the IP range for the DNS server, this
can prevent the actual openshift nodes from accessing it as well.

This commit makes the access from the `openstack_subnet_prefix` always
pass through and uses `node_ingress_cidr` for additional
access control.

1 files changed, 15 insertions, 0 deletions

diff --git a/roles/openstack-stack/templates/heat_stack.yaml.j2 b/roles/openstack-stack/templates/heat_stack.yaml.j2
index 09b62cba7..c10b1d90f 100644
--- a/roles/openstack-stack/templates/heat_stack.yaml.j2
+++ b/roles/openstack-stack/templates/heat_stack.yaml.j2
@@ -289,6 +289,11 @@ resources:
           port_range_min: 30000
           port_range_max: 32767
           remote_ip_prefix: {{ node_ingress_cidr }}
+        - direction: ingress
+          protocol: tcp
+          port_range_min: 30000
+          port_range_max: 32767
+          remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24"
 
   infra-secgrp:
     type: OS::Neutron::SecurityGroup
@@ -338,10 +343,20 @@ resources:
           port_range_max: 53
           remote_ip_prefix: {{ node_ingress_cidr }}
         - direction: ingress
+          protocol: udp
+          port_range_min: 53
+          port_range_max: 53
+          remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24"
+        - direction: ingress
           protocol: tcp
           port_range_min: 53
           port_range_max: 53
           remote_ip_prefix: {{ node_ingress_cidr }}
+        - direction: ingress
+          protocol: tcp
+          port_range_min: 53
+          port_range_max: 53
+          remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24"
 {% if num_masters is greaterthan 1 %}
   lb-secgrp:
     type: OS::Neutron::SecurityGroup