From 9ad145998702ecb8651df73d06dc99bdd2343b57 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9na=C3=AFc=20Huard?= Date: Fri, 19 Aug 2016 14:45:16 +0200 Subject: Open OpenStack security group for the service node port range MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit With OpenShift 3.2, creating a service accessible from the outside of the cluster thanks to `nodePort` automatically opens the “local” `iptables` firewall to allow incoming connection on the `nodePort` of the service. In order to benefit from this improvement, the OpenStack security group shouldn’t block those incoming connections. This change opens, on the OS nodes, the port range dedicated to service node ports. --- playbooks/openstack/openshift-cluster/files/heat_stack.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'playbooks/openstack/openshift-cluster/files') diff --git a/playbooks/openstack/openshift-cluster/files/heat_stack.yaml b/playbooks/openstack/openshift-cluster/files/heat_stack.yaml index 2d0098784..458cf5ac7 100644 --- a/playbooks/openstack/openshift-cluster/files/heat_stack.yaml +++ b/playbooks/openstack/openshift-cluster/files/heat_stack.yaml @@ -42,6 +42,12 @@ parameters: description: Source of legitimate ssh connections default: 0.0.0.0/0 + node_port_incoming: + type: string + label: Source of node port connections + description: Authorized sources targetting node ports + default: 0.0.0.0/0 + num_etcd: type: number label: Number of etcd nodes @@ -393,6 +399,11 @@ resources: port_range_min: 4789 port_range_max: 4789 remote_mode: remote_group_id + - direction: ingress + protocol: tcp + port_range_min: 30000 + port_range_max: 32767 + remote_ip_prefix: { get_param: node_port_incoming } infra-secgrp: type: OS::Neutron::SecurityGroup -- cgit v1.2.3