From 4f9b26e8af5890b7960291497020586426e7f1fc Mon Sep 17 00:00:00 2001 From: Kenny Woodson Date: Wed, 19 Jul 2017 08:51:14 -0400 Subject: First attempt at refactor of os_firewall --- roles/openshift_node/tasks/firewall.yml | 40 +++++++++++++++++++++++++++++++++ roles/openshift_node/tasks/main.yml | 32 ++++++++++++++++++++++++++ 2 files changed, 72 insertions(+) create mode 100644 roles/openshift_node/tasks/firewall.yml (limited to 'roles/openshift_node/tasks') diff --git a/roles/openshift_node/tasks/firewall.yml b/roles/openshift_node/tasks/firewall.yml new file mode 100644 index 000000000..323eaae70 --- /dev/null +++ b/roles/openshift_node/tasks/firewall.yml @@ -0,0 +1,40 @@ +--- +- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool + block: + - name: Add iptables allow rules + os_firewall_manage_iptables: + name: "{{ item.service }}" + action: add + protocol: "{{ item.port.split('/')[1] }}" + port: "{{ item.port.split('/')[0] }}" + when: item.cond + with_items: "{{ r_openshift_node_os_firewall_allow }}" + + - name: Remove iptables rules + os_firewall_manage_iptables: + name: "{{ item.service }}" + action: remove + protocol: "{{ item.port.split('/')[1] }}" + port: "{{ item.port.split('/')[0] }}" + when: item.cond + with_items: "{{ r_openshift_node_os_firewall_deny }}" + +- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool + block: + - name: Add firewalld allow rules + firewalld: + port: "{{ item.port }}" + permanent: true + immediate: true + state: enabled + when: item.cond + with_items: "{{ r_openshift_node_os_firewall_allow }}" + + - name: Remove firewalld allow rules + firewalld: + port: "{{ item.port }}" + permanent: true + immediate: true + state: disabled + when: item.cond + with_items: "{{ r_openshift_node_os_firewall_deny }}" diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml index ca4fef360..3353a22e3 100644 --- a/roles/openshift_node/tasks/main.yml +++ b/roles/openshift_node/tasks/main.yml @@ -6,6 +6,38 @@ - (not ansible_selinux or ansible_selinux.status != 'enabled') and deployment_type in ['enterprise', 'online', 'atomic-enterprise', 'openshift-enterprise'] - not openshift_docker_use_crio | default(false) +- name: setup firewall + include: firewall.yml + static: yes + +- name: Set node facts + openshift_facts: + role: "{{ item.role }}" + local_facts: "{{ item.local_facts }}" + with_items: + # Reset node labels to an empty dictionary. + - role: node + local_facts: + labels: {} + - role: node + local_facts: + annotations: "{{ openshift_node_annotations | default(none) }}" + debug_level: "{{ openshift_node_debug_level | default(openshift.common.debug_level) }}" + iptables_sync_period: "{{ openshift_node_iptables_sync_period | default(None) }}" + kubelet_args: "{{ openshift_node_kubelet_args | default(None) }}" + labels: "{{ lookup('oo_option', 'openshift_node_labels') | default( openshift_node_labels | default(none), true) }}" + registry_url: "{{ oreg_url_node | default(oreg_url) | default(None) }}" + schedulable: "{{ openshift_schedulable | default(openshift_scheduleable) | default(None) }}" + sdn_mtu: "{{ openshift_node_sdn_mtu | default(None) }}" + storage_plugin_deps: "{{ osn_storage_plugin_deps | default(None) }}" + set_node_ip: "{{ openshift_set_node_ip | default(None) }}" + node_image: "{{ osn_image | default(None) }}" + ovs_image: "{{ osn_ovs_image | default(None) }}" + proxy_mode: "{{ openshift_node_proxy_mode | default('iptables') }}" + local_quota_per_fsgroup: "{{ openshift_node_local_quota_per_fsgroup | default(None) }}" + dns_ip: "{{ openshift_dns_ip | default(none) | get_dns_ip(hostvars[inventory_hostname])}}" + env_vars: "{{ openshift_node_env_vars | default(None) }}" + # https://docs.openshift.com/container-platform/3.4/admin_guide/overcommit.html#disabling-swap-memory - name: Check for swap usage command: grep "^[^#].*swap" /etc/fstab -- cgit v1.2.3 From ba96f5eaf876f6b7568ac73794a08cbe759dceee Mon Sep 17 00:00:00 2001 From: Kenny Woodson Date: Wed, 9 Aug 2017 10:45:55 -0400 Subject: Adding a default condition and removing unneeded defaults. --- roles/openshift_node/tasks/firewall.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'roles/openshift_node/tasks') diff --git a/roles/openshift_node/tasks/firewall.yml b/roles/openshift_node/tasks/firewall.yml index 323eaae70..492dcee1d 100644 --- a/roles/openshift_node/tasks/firewall.yml +++ b/roles/openshift_node/tasks/firewall.yml @@ -7,7 +7,7 @@ action: add protocol: "{{ item.port.split('/')[1] }}" port: "{{ item.port.split('/')[0] }}" - when: item.cond + when: item.cond | default(True) with_items: "{{ r_openshift_node_os_firewall_allow }}" - name: Remove iptables rules @@ -16,7 +16,7 @@ action: remove protocol: "{{ item.port.split('/')[1] }}" port: "{{ item.port.split('/')[0] }}" - when: item.cond + when: item.cond | default(True) with_items: "{{ r_openshift_node_os_firewall_deny }}" - when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool @@ -27,7 +27,7 @@ permanent: true immediate: true state: enabled - when: item.cond + when: item.cond | default(True) with_items: "{{ r_openshift_node_os_firewall_allow }}" - name: Remove firewalld allow rules @@ -36,5 +36,5 @@ permanent: true immediate: true state: disabled - when: item.cond + when: item.cond | default(True) with_items: "{{ r_openshift_node_os_firewall_deny }}" -- cgit v1.2.3 From 7d50ffe98dfa17e3fb72627699c794843ed5295d Mon Sep 17 00:00:00 2001 From: Kenny Woodson Date: Thu, 10 Aug 2017 21:13:54 -0400 Subject: Updated README to reflect refactor. Moved firewall initialize into separate file. --- roles/openshift_node/tasks/firewall.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'roles/openshift_node/tasks') diff --git a/roles/openshift_node/tasks/firewall.yml b/roles/openshift_node/tasks/firewall.yml index 492dcee1d..255aa886a 100644 --- a/roles/openshift_node/tasks/firewall.yml +++ b/roles/openshift_node/tasks/firewall.yml @@ -1,5 +1,5 @@ --- -- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool +- when: r_openshift_node_firewall_enabled | bool and not r_openshift_node_use_firewalld | bool block: - name: Add iptables allow rules os_firewall_manage_iptables: @@ -19,7 +19,7 @@ when: item.cond | default(True) with_items: "{{ r_openshift_node_os_firewall_deny }}" -- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool +- when: r_openshift_node_firewall_enabled | bool and r_openshift_node_use_firewalld | bool block: - name: Add firewalld allow rules firewalld: -- cgit v1.2.3