From 3f10c266aab0881ab294513d4ef93a1528d33c6b Mon Sep 17 00:00:00 2001 From: Bogdan Dobrelya Date: Wed, 21 Jun 2017 13:32:48 +0200 Subject: Fix flat sec group and infra/dns sec rules Make flat sec group to only merge node/master/etcd sec rules. Add basic dns/ssh sec group and assign it to all but dns node groups. Assign only dns sec group for dns nodes. Assign only infra (and basic) sec groups for ingra nodes. Add security notes for openstack provider. Signed-off-by: Bogdan Dobrelya --- playbooks/provisioning/openstack/README.md | 11 +++ roles/openstack-stack/templates/heat_stack.yaml.j2 | 92 ++++++++-------------- 2 files changed, 44 insertions(+), 59 deletions(-) diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md index 423d57113..df00e5507 100644 --- a/playbooks/provisioning/openstack/README.md +++ b/playbooks/provisioning/openstack/README.md @@ -72,6 +72,17 @@ stacks. Set it to true, if you experience issues with sec group rules quotas. It trades security for number of rules, by sharing the same set of firewall rules for master, node, etcd and infra nodes. +#### Security notes + +Configure required `*_ingress_cidr` variables to restrict public access +to provisioned servers from your laptop (a /32 notation should be used) +or your trusted network. The most important is the `node_ingress_cidr` +that restricts public access to the deployed DNS server and cluster +nodes' ephemeral ports range. + +Note, the command ``curl https://api.ipify.org`` helps fiding an external +IP address of your box (the ansible admin node). + ### Update the DNS names in `inventory/hosts` The different server groups are currently grouped by the domain name, diff --git a/roles/openstack-stack/templates/heat_stack.yaml.j2 b/roles/openstack-stack/templates/heat_stack.yaml.j2 index c750865a5..cba03e2ca 100644 --- a/roles/openstack-stack/templates/heat_stack.yaml.j2 +++ b/roles/openstack-stack/templates/heat_stack.yaml.j2 @@ -142,18 +142,17 @@ resources: # cluster_id: {{ stack_name }} # public_key: {{ ssh_public_key }} -{% if openstack_flat_secgrp|bool %} - flat-secgrp: + common-secgrp: type: OS::Neutron::SecurityGroup properties: name: str_replace: - template: openshift-ansible-cluster_id-flat-secgrp + template: openshift-ansible-cluster_id-common-secgrp params: cluster_id: {{ stack_name }} description: str_replace: - template: Security group for cluster_id OpenShift cluster + template: Basic ssh/dns security group for cluster_id OpenShift cluster params: cluster_id: {{ stack_name }} rules: @@ -162,14 +161,6 @@ resources: port_range_min: 22 port_range_max: 22 remote_ip_prefix: {{ ssh_ingress_cidr }} - - direction: ingress - protocol: tcp - port_range_min: 4001 - port_range_max: 4001 - - direction: ingress - protocol: tcp - port_range_min: 8443 - port_range_max: 8444 - direction: ingress protocol: tcp port_range_min: 53 @@ -178,6 +169,30 @@ resources: protocol: udp port_range_min: 53 port_range_max: 53 + +{% if openstack_flat_secgrp|bool %} + flat-secgrp: + type: OS::Neutron::SecurityGroup + properties: + name: + str_replace: + template: openshift-ansible-cluster_id-flat-secgrp + params: + cluster_id: {{ stack_name }} + description: + str_replace: + template: Security group for cluster_id OpenShift cluster + params: + cluster_id: {{ stack_name }} + rules: + - direction: ingress + protocol: tcp + port_range_min: 4001 + port_range_max: 4001 + - direction: ingress + protocol: tcp + port_range_min: 8443 + port_range_max: 8444 - direction: ingress protocol: tcp port_range_min: 8053 @@ -246,14 +261,6 @@ resources: port_range_min: 30000 port_range_max: 32767 remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24" - - direction: ingress - protocol: tcp - port_range_min: 80 - port_range_max: 80 - - direction: ingress - protocol: tcp - port_range_min: 443 - port_range_max: 443 {% else %} master-secgrp: type: OS::Neutron::SecurityGroup @@ -269,11 +276,6 @@ resources: params: cluster_id: {{ stack_name }} rules: - - direction: ingress - protocol: tcp - port_range_min: 22 - port_range_max: 22 - remote_ip_prefix: {{ ssh_ingress_cidr }} - direction: ingress protocol: tcp port_range_min: 4001 @@ -282,14 +284,6 @@ resources: protocol: tcp port_range_min: 8443 port_range_max: 8444 - - direction: ingress - protocol: tcp - port_range_min: 53 - port_range_max: 53 - - direction: ingress - protocol: udp - port_range_min: 53 - port_range_max: 53 - direction: ingress protocol: tcp port_range_min: 8053 @@ -333,11 +327,6 @@ resources: params: cluster_id: {{ stack_name }} rules: - - direction: ingress - protocol: tcp - port_range_min: 22 - port_range_max: 22 - remote_ip_prefix: {{ ssh_ingress_cidr }} - direction: ingress protocol: tcp port_range_min: 2379 @@ -364,11 +353,6 @@ resources: params: cluster_id: {{ stack_name }} rules: - - direction: ingress - protocol: tcp - port_range_min: 22 - port_range_max: 22 - remote_ip_prefix: {{ ssh_ingress_cidr }} - direction: ingress protocol: tcp port_range_min: 10250 @@ -399,6 +383,7 @@ resources: port_range_min: 30000 port_range_max: 32767 remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24" +{% endif %} infra-secgrp: type: OS::Neutron::SecurityGroup @@ -422,7 +407,6 @@ resources: protocol: tcp port_range_min: 443 port_range_max: 443 -{% endif %} dns-secgrp: type: OS::Neutron::SecurityGroup @@ -470,11 +454,6 @@ resources: name: openshift-ansible-{{ stack_name }}-lb-secgrp description: Security group for {{ stack_name }} cluster Load Balancer rules: - - direction: ingress - protocol: tcp - port_range_min: 22 - port_range_max: 22 - remote_ip_prefix: {{ ssh_ingress_cidr }} - direction: ingress protocol: tcp port_range_min: {{ openshift_master_api_port | default(8443) }} @@ -518,6 +497,7 @@ resources: subnet: { get_resource: subnet } secgrp: - { get_resource: {% if openstack_flat_secgrp|bool %}flat-secgrp{% else %}etcd-secgrp{% endif %} } + - { get_resource: common-secgrp } floating_network: {{ external_network }} net_name: str_replace: @@ -558,6 +538,7 @@ resources: subnet: { get_resource: subnet } secgrp: - { get_resource: lb-secgrp } + - { get_resource: common-secgrp } floating_network: {{ external_network }} net_name: str_replace: @@ -606,6 +587,7 @@ resources: - { get_resource: etcd-secgrp } {% endif %} {% endif %} + - { get_resource: common-secgrp } floating_network: {{ external_network }} net_name: str_replace: @@ -649,6 +631,7 @@ resources: subnet: { get_resource: subnet } secgrp: - { get_resource: {% if openstack_flat_secgrp|bool %}flat-secgrp{% else %}node-secgrp{% endif %} } + - { get_resource: common-secgrp } floating_network: {{ external_network }} net_name: str_replace: @@ -691,12 +674,8 @@ resources: net: { get_resource: net } subnet: { get_resource: subnet } secgrp: -{% if openstack_flat_secgrp|bool %} - - { get_resource: flat-secgrp } -{% else %} - - { get_resource: node-secgrp } - { get_resource: infra-secgrp } -{% endif %} + - { get_resource: common-secgrp } floating_network: {{ external_network }} net_name: str_replace: @@ -735,11 +714,6 @@ resources: net: { get_resource: net } subnet: { get_resource: subnet } secgrp: -{% if openstack_flat_secgrp|bool %} - - { get_resource: flat-secgrp } -{% else %} - - { get_resource: node-secgrp } -{% endif %} - { get_resource: dns-secgrp } floating_network: {{ external_network }} net_name: -- cgit v1.2.3