From 4f9b26e8af5890b7960291497020586426e7f1fc Mon Sep 17 00:00:00 2001 From: Kenny Woodson Date: Wed, 19 Jul 2017 08:51:14 -0400 Subject: First attempt at refactor of os_firewall --- roles/openshift_node/defaults/main.yml | 14 ++++++++++-- roles/openshift_node/meta/main.yml | 27 +--------------------- roles/openshift_node/tasks/firewall.yml | 40 +++++++++++++++++++++++++++++++++ roles/openshift_node/tasks/main.yml | 32 ++++++++++++++++++++++++++ 4 files changed, 85 insertions(+), 28 deletions(-) create mode 100644 roles/openshift_node/tasks/firewall.yml (limited to 'roles/openshift_node') diff --git a/roles/openshift_node/defaults/main.yml b/roles/openshift_node/defaults/main.yml index 47073ee0f..52218f683 100644 --- a/roles/openshift_node/defaults/main.yml +++ b/roles/openshift_node/defaults/main.yml @@ -1,14 +1,24 @@ --- -os_firewall_allow: +r_openshift_node_os_firewall_deny: [] +r_openshift_node_os_firewall_allow: - service: Kubernetes kubelet port: 10250/tcp + cond: true - service: http port: 80/tcp + cond: true - service: https port: 443/tcp + cond: true - service: OpenShift OVS sdn port: 4789/udp when: openshift.common.use_openshift_sdn | default(true) | bool - service: Calico BGP Port port: 179/tcp - when: openshift.common.use_calico | bool + cond: "{{ openshift.common.use_calico | bool }}" +- service: Kubernetes service NodePort TCP + port: "{{ openshift_node_port_range | default('') }}/tcp" + cond: "{{ openshift_node_port_range is defined }}" +- service: Kubernetes service NodePort UDP + port: "{{ openshift_node_port_range | default('') }}/udp" + cond: "{{ openshift_node_port_range is defined }}" diff --git a/roles/openshift_node/meta/main.yml b/roles/openshift_node/meta/main.yml index 4fb841add..06373de04 100644 --- a/roles/openshift_node/meta/main.yml +++ b/roles/openshift_node/meta/main.yml 
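Review bot: The `OpenShift OVS sdn` entry keeps its old `when:` key while the neighbouring entries gained `cond:`, and the new tasks/firewall.yml in this commit selects rules with `when: item.cond`, so that item has no `cond` attribute and on Ansible's strict-undefined templating the loop is expected to fail rather than skip the rule. Change it to `cond: "{{ openshift.common.use_openshift_sdn | default(true) | bool }}"`, matching the Calico entry directly below it. The two NodePort entries rely on `cond` to keep the empty `"/tcp"` and `"/udp"` values out of the rule list when the range is undefined, which is correct but worth stating, e.g. `# cond keeps the empty port out of the list when openshift_node_port_range is unset`.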
@@ -14,36 +14,11 @@ galaxy_info: dependencies: - role: openshift_node_facts - role: lib_openshift +- role: lib_os_firewall - role: openshift_common - role: openshift_clock - role: openshift_docker - role: openshift_node_certificates - role: openshift_cloud_provider -- role: os_firewall - os_firewall_allow: - - service: Kubernetes kubelet - port: 10250/tcp - - service: http - port: 80/tcp - - service: https - port: 443/tcp -- role: os_firewall - os_firewall_allow: - - service: OpenShift OVS sdn - port: 4789/udp - when: openshift.common.use_openshift_sdn | default(true) | bool -- role: os_firewall - os_firewall_allow: - - service: Calico BGP Port - port: 179/tcp - when: openshift.common.use_calico | bool - -- role: os_firewall - os_firewall_allow: - - service: Kubernetes service NodePort TCP - port: "{{ openshift_node_port_range | default('') }}/tcp" - - service: Kubernetes service NodePort UDP - port: "{{ openshift_node_port_range | default('') }}/udp" - when: openshift_node_port_range is defined - role: openshift_node_dnsmasq when: openshift.common.use_dnsmasq | bool diff --git a/roles/openshift_node/tasks/firewall.yml b/roles/openshift_node/tasks/firewall.yml new file mode 100644 index 000000000..323eaae70 --- /dev/null +++ b/roles/openshift_node/tasks/firewall.yml 
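Review bot: Dropping the four `os_firewall` role dependencies removes the step that installed and enabled the firewall backend before this role added its rules, and the replacement `lib_os_firewall` dependency, judging by its name, only supplies the modules that tasks/firewall.yml calls; the role therefore appears to presume the playbook has already run `os_firewall` on the host. That ordering requirement is not stated anywhere in this hunk. Add a comment above the new dependency such as `# modules only; the os_firewall role must already have configured iptables/firewalld on this host`, or record the requirement in the role README.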
@@ -0,0 +1,40 @@ +--- +- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool + block: + - name: Add iptables allow rules + os_firewall_manage_iptables: + name: "{{ item.service }}" + action: add + protocol: "{{ item.port.split('/')[1] }}" + port: "{{ item.port.split('/')[0] }}" + when: item.cond + with_items: "{{ r_openshift_node_os_firewall_allow }}" + + - name: Remove iptables rules + os_firewall_manage_iptables: + name: "{{ item.service }}" + action: remove + protocol: "{{ item.port.split('/')[1] }}" + port: "{{ item.port.split('/')[0] }}" + when: item.cond + with_items: "{{ r_openshift_node_os_firewall_deny }}" + +- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool + block: + - name: Add firewalld allow rules + firewalld: + port: "{{ item.port }}" + permanent: true + immediate: true + state: enabled + when: item.cond + with_items: "{{ r_openshift_node_os_firewall_allow }}" + + - name: Remove firewalld allow rules + firewalld: + port: "{{ item.port }}" + permanent: true + immediate: true + state: disabled + when: item.cond + with_items: "{{ r_openshift_node_os_firewall_deny }}" diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml index ca4fef360..3353a22e3 100644 --- a/roles/openshift_node/tasks/main.yml +++ b/roles/openshift_node/tasks/main.yml 
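Review bot: The rule tasks require every list entry to carry `service`, a `port` of the form `<port>/<proto>` and a `cond` key — `item.port.split('/')[1]` fails on a bare port number and `when: item.cond` is expected to error on an entry without `cond` — yet nothing in the file documents this, and the whole `r_openshift_node_os_firewall_allow`/`_deny` contract lives here. Add a header comment after `---` describing the expected item shape and that `cond` is evaluated per entry, and note that the block-level `when:` silently skips every rule when `os_firewall_enabled` is false, which is intended but easy to misread as a no-op. The deny-list tasks are named `Remove iptables rules` and `Remove firewalld allow rules`; aligning them (`Remove iptables allow rules`) keeps the play output symmetric with the add tasks.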
@@ -6,6 +6,38 @@ - (not ansible_selinux or ansible_selinux.status != 'enabled') and deployment_type in ['enterprise', 'online', 'atomic-enterprise', 'openshift-enterprise'] - not openshift_docker_use_crio | default(false) +- name: setup firewall + include: firewall.yml + static: yes + +- name: Set node facts + openshift_facts: + role: "{{ item.role }}" + local_facts: "{{ item.local_facts }}" + with_items: + # Reset node labels to an empty dictionary. + - role: node + local_facts: + labels: {} + - role: node + local_facts: + annotations: "{{ openshift_node_annotations | default(none) }}" + debug_level: "{{ openshift_node_debug_level | default(openshift.common.debug_level) }}" + iptables_sync_period: "{{ openshift_node_iptables_sync_period | default(None) }}" + kubelet_args: "{{ openshift_node_kubelet_args | default(None) }}" + labels: "{{ lookup('oo_option', 'openshift_node_labels') | default( openshift_node_labels | default(none), true) }}" + registry_url: "{{ oreg_url_node | default(oreg_url) | default(None) }}" + schedulable: "{{ openshift_schedulable | default(openshift_scheduleable) | default(None) }}" + sdn_mtu: "{{ openshift_node_sdn_mtu | default(None) }}" + storage_plugin_deps: "{{ osn_storage_plugin_deps | default(None) }}" + set_node_ip: "{{ openshift_set_node_ip | default(None) }}" + node_image: "{{ osn_image | default(None) }}" + ovs_image: "{{ osn_ovs_image | default(None) }}" + proxy_mode: "{{ openshift_node_proxy_mode | default('iptables') }}" + local_quota_per_fsgroup: "{{ openshift_node_local_quota_per_fsgroup | default(None) }}" + dns_ip: "{{ openshift_dns_ip | default(none) | get_dns_ip(hostvars[inventory_hostname])}}" + env_vars: "{{ openshift_node_env_vars | default(None) }}" + # https://docs.openshift.com/container-platform/3.4/admin_guide/overcommit.html#disabling-swap-memory - name: Check for swap usage command: grep "^[^#].*swap" /etc/fstab -- cgit v1.2.3 From ba96f5eaf876f6b7568ac73794a08cbe759dceee Mon Sep 17 00:00:00 2001 
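Review bot: The `Set node facts` task mixes `default(None)` and `default(none)` across its `local_facts` entries (`annotations`, `labels` and `dns_ip` use the lowercase form) and `dns_ip` closes with `}}"` without the surrounding space used on every other line; Jinja2 accepts both spellings, so this is a style point, but one form should be chosen for the whole mapping. `include: firewall.yml` with `static: yes` is the pre-2.4 spelling of a static include; if the project already requires Ansible 2.4 or later, `import_tasks: firewall.yml` says the same thing without the flag, though the hunk does not show which version is targeted.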
From: Kenny Woodson Date: Wed, 9 Aug 2017 10:45:55 -0400 Subject: Adding a default condition and removing unneeded defaults. --- roles/cockpit/defaults/main.yml | 1 - roles/cockpit/tasks/firewall.yml | 8 ++++---- roles/etcd/defaults/main.yaml | 2 -- roles/etcd/tasks/firewall.yml | 8 ++++---- roles/nuage_master/defaults/main.yml | 1 - roles/nuage_master/tasks/firewall.yml | 8 ++++---- roles/nuage_node/defaults/main.yml | 2 -- roles/nuage_node/tasks/firewall.yml | 8 ++++---- roles/openshift_hosted/tasks/registry/firewall.yml | 8 ++++---- roles/openshift_hosted/tasks/router/firewall.yml | 8 ++++---- roles/openshift_loadbalancer/defaults/main.yml | 2 -- roles/openshift_loadbalancer/tasks/firewall.yml | 8 ++++---- roles/openshift_master/defaults/main.yml | 4 ---- roles/openshift_master/tasks/firewall.yml | 8 ++++---- roles/openshift_node/defaults/main.yml | 5 +---- roles/openshift_node/tasks/firewall.yml | 8 ++++---- roles/openshift_storage_nfs/defaults/main.yml | 1 - roles/openshift_storage_nfs/tasks/firewall.yml | 8 ++++---- 18 files changed, 41 insertions(+), 57 deletions(-) (limited to 'roles/openshift_node') diff --git a/roles/cockpit/defaults/main.yml b/roles/cockpit/defaults/main.yml index d8231eced..97b00db04 100644 --- a/roles/cockpit/defaults/main.yml +++ b/roles/cockpit/defaults/main.yml @@ -3,4 +3,3 @@ r_cockpit_os_firewall_deny: [] r_cockpit_os_firewall_allow: - service: cockpit-ws port: 9090/tcp - cond: true diff --git a/roles/cockpit/tasks/firewall.yml b/roles/cockpit/tasks/firewall.yml index b60cf7b28..0e253a9f5 100644 --- a/roles/cockpit/tasks/firewall.yml +++ b/roles/cockpit/tasks/firewall.yml @@ -7,7 +7,7 @@ action: add protocol: "{{ item.port.split('/')[1] }}" port: "{{ item.port.split('/')[0] }}" - when: item.cond + when: item.cond | default(True) with_items: "{{ r_cockpit_os_firewall_allow }}" - name: Remove iptables rules 
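Review bot: `when: item.cond | default(True)` is the right default for entries that omit `cond`, but this four-task file is now copy-pasted into ten task files across nine roles (cockpit, etcd, nuage_master, nuage_node, openshift_hosted registry and router, openshift_loadbalancer, openshift_master, openshift_node, openshift_storage_nfs) and each needs the identical one-line change in four places; the remaining firewall.yml hunks in this commit are exactly that. A single shared task file under the firewall library role, taking the allow and deny lists as variables, would make the next such change a one-hunk commit. Note also that `default(True)` only fills in a missing key — a `cond` whose value is a string rather than a boolean is still truthy — so every entry's `cond` must be a real templated expression.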
@@ -16,7 +16,7 @@ action: remove protocol: "{{ item.port.split('/')[1] }}" port: "{{ item.port.split('/')[0] }}" - when: item.cond + when: item.cond | default(True) with_items: "{{ r_cockpit_os_firewall_deny }}" - when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool @@ -27,7 +27,7 @@ permanent: true immediate: true state: enabled - when: item.cond + when: item.cond | default(True) with_items: "{{ r_cockpit_os_firewall_allow }}" - name: Remove firewalld allow rules @@ -36,5 +36,5 @@ permanent: true immediate: true state: disabled - when: item.cond + when: item.cond | default(True) with_items: "{{ r_cockpit_os_firewall_deny }}" diff --git a/roles/etcd/defaults/main.yaml b/roles/etcd/defaults/main.yaml index 4c8d63b4c..c14137d4e 100644 --- a/roles/etcd/defaults/main.yaml +++ b/roles/etcd/defaults/main.yaml @@ -15,7 +15,5 @@ r_etcd_os_firewall_deny: [] r_etcd_os_firewall_allow: - service: etcd port: "{{etcd_client_port}}/tcp" - cond: true - service: etcd peering port: "{{ etcd_peer_port }}/tcp" - cond: true diff --git a/roles/etcd/tasks/firewall.yml b/roles/etcd/tasks/firewall.yml index 6088b26ff..fcfdf5227 100644 --- a/roles/etcd/tasks/firewall.yml +++ b/roles/etcd/tasks/firewall.yml @@ -7,7 +7,7 @@ action: add protocol: "{{ item.port.split('/')[1] }}" port: "{{ item.port.split('/')[0] }}" - when: item.cond + when: item.cond | default(True) with_items: "{{ r_etcd_os_firewall_allow }}" - name: Remove iptables rules @@ -16,7 +16,7 @@ action: remove protocol: "{{ item.port.split('/')[1] }}" port: "{{ item.port.split('/')[0] }}" - when: item.cond + when: item.cond | default(True) with_items: "{{ r_etcd_os_firewall_deny }}" - when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool @@ -27,7 +27,7 @@ permanent: true immediate: true state: enabled - when: item.cond + when: item.cond | default(True) with_items: "{{ r_etcd_os_firewall_allow }}" - name: Remove firewalld allow rules 
@@ -36,5 +36,5 @@ permanent: true immediate: true state: disabled - when: item.cond + when: item.cond | default(True) with_items: "{{ r_etcd_os_firewall_deny }}" diff --git a/roles/nuage_master/defaults/main.yml b/roles/nuage_master/defaults/main.yml index 7b5015a02..2aed521da 100644 --- a/roles/nuage_master/defaults/main.yml +++ b/roles/nuage_master/defaults/main.yml @@ -5,4 +5,3 @@ r_nuage_master_os_firewall_deny: [] r_nuage_master_os_firewall_allow: - service: openshift-monitor port: "{{ nuage_mon_rest_server_port }}/tcp" - cond: true diff --git a/roles/nuage_master/tasks/firewall.yml b/roles/nuage_master/tasks/firewall.yml index b47699966..b4da2ac83 100644 --- a/roles/nuage_master/tasks/firewall.yml +++ b/roles/nuage_master/tasks/firewall.yml @@ -7,7 +7,7 @@ action: add protocol: "{{ item.port.split('/')[1] }}" port: "{{ item.port.split('/')[0] }}" - when: item.cond + when: item.cond | default(True) with_items: "{{ r_nuage_master_os_firewall_allow }}" - name: Remove iptables rules @@ -16,7 +16,7 @@ action: remove protocol: "{{ item.port.split('/')[1] }}" port: "{{ item.port.split('/')[0] }}" - when: item.cond + when: item.cond | default(True) with_items: "{{ r_nuage_master_os_firewall_deny }}" - when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool @@ -27,7 +27,7 @@ permanent: true immediate: true state: enabled - when: item.cond + when: item.cond | default(True) with_items: "{{ r_nuage_master_os_firewall_allow }}" - name: Remove firewalld allow rules @@ -36,5 +36,5 @@ permanent: true immediate: true state: disabled - when: item.cond + when: item.cond | default(True) with_items: "{{ r_nuage_master_os_firewall_deny }}" diff --git a/roles/nuage_node/defaults/main.yml b/roles/nuage_node/defaults/main.yml index c31c8a7dd..7a71273e7 100644 --- a/roles/nuage_node/defaults/main.yml +++ b/roles/nuage_node/defaults/main.yml 
@@ -5,7 +5,5 @@ r_nuage_node_os_firewall_deny: [] r_nuage_node_os_firewall_allow: - service: vxlan port: 4789/udp - cond: true - service: nuage-monitor port: "{{ nuage_mon_rest_server_port }}/tcp" - cond: true diff --git a/roles/nuage_node/tasks/firewall.yml b/roles/nuage_node/tasks/firewall.yml index cb0bffb09..008f3a95b 100644 --- a/roles/nuage_node/tasks/firewall.yml +++ b/roles/nuage_node/tasks/firewall.yml @@ -7,7 +7,7 @@ action: add protocol: "{{ item.port.split('/')[1] }}" port: "{{ item.port.split('/')[0] }}" - when: item.cond + when: item.cond | default(True) with_items: "{{ r_nuage_node_os_firewall_allow }}" - name: Remove iptables rules @@ -16,7 +16,7 @@ action: remove protocol: "{{ item.port.split('/')[1] }}" port: "{{ item.port.split('/')[0] }}" - when: item.cond + when: item.cond | default(True) with_items: "{{ r_nuage_node_os_firewall_deny }}" - when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool @@ -27,7 +27,7 @@ permanent: true immediate: true state: enabled - when: item.cond + when: item.cond | default(True) with_items: "{{ r_nuage_node_os_firewall_allow }}" - name: Remove firewalld allow rules @@ -36,5 +36,5 @@ permanent: true immediate: true state: disabled - when: item.cond + when: item.cond | default(True) with_items: "{{ r_nuage_node_os_firewall_deny }}" diff --git a/roles/openshift_hosted/tasks/registry/firewall.yml b/roles/openshift_hosted/tasks/registry/firewall.yml index ea9f50047..f48eb3b12 100644 --- a/roles/openshift_hosted/tasks/registry/firewall.yml +++ b/roles/openshift_hosted/tasks/registry/firewall.yml @@ -7,7 +7,7 @@ action: add protocol: "{{ item.port.split('/')[1] }}" port: "{{ item.port.split('/')[0] }}" - when: item.cond + when: item.cond | default(True) with_items: "{{ r_openshift_hosted_registry_os_firewall_allow }}" - name: Remove iptables rules 
@@ -16,7 +16,7 @@ action: remove protocol: "{{ item.port.split('/')[1] }}" port: "{{ item.port.split('/')[0] }}" - when: item.cond + when: item.cond | default(True) with_items: "{{ r_openshift_hosted_registry_os_firewall_deny }}" - when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool @@ -27,7 +27,7 @@ permanent: true immediate: true state: enabled - when: item.cond + when: item.cond | default(True) with_items: "{{ r_openshift_hosted_registry_os_firewall_allow }}" - name: Remove firewalld allow rules @@ -36,5 +36,5 @@ permanent: true immediate: true state: disabled - when: item.cond + when: item.cond | default(True) with_items: "{{ r_openshift_hosted_registry_os_firewall_deny }}" diff --git a/roles/openshift_hosted/tasks/router/firewall.yml b/roles/openshift_hosted/tasks/router/firewall.yml index f8643aab7..fd9a9c2e7 100644 --- a/roles/openshift_hosted/tasks/router/firewall.yml +++ b/roles/openshift_hosted/tasks/router/firewall.yml @@ -7,7 +7,7 @@ action: add protocol: "{{ item.port.split('/')[1] }}" port: "{{ item.port.split('/')[0] }}" - when: item.cond + when: item.cond | default(True) with_items: "{{ r_openshift_hosted_router_os_firewall_allow }}" - name: Remove iptables rules @@ -16,7 +16,7 @@ action: remove protocol: "{{ item.port.split('/')[1] }}" port: "{{ item.port.split('/')[0] }}" - when: item.cond + when: item.cond | default(True) with_items: "{{ r_openshift_hosted_router_os_firewall_deny }}" - when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool @@ -27,7 +27,7 @@ permanent: true immediate: true state: enabled - when: item.cond + when: item.cond | default(True) with_items: "{{ r_openshift_hosted_router_os_firewall_allow }}" - name: Remove firewalld allow rules @@ -36,5 +36,5 @@ permanent: true immediate: true state: disabled - when: item.cond + when: item.cond | default(True) with_items: "{{ r_openshift_hosted_router_os_firewall_deny }}" 
diff --git a/roles/openshift_loadbalancer/defaults/main.yml b/roles/openshift_loadbalancer/defaults/main.yml index 4a20f5b5a..35a14b1a5 100644 --- a/roles/openshift_loadbalancer/defaults/main.yml +++ b/roles/openshift_loadbalancer/defaults/main.yml @@ -17,10 +17,8 @@ r_openshift_loadbalancer_os_firewall_deny: [] r_openshift_loadbalancer_os_firewall_allow: - service: haproxy stats port: "9000/tcp" - cond: true - service: haproxy balance port: "{{ openshift_master_api_port | default(8443) }}/tcp" - cond: true - service: nuage mon port: "{{ nuage_mon_rest_server_port | default(9443) }}/tcp" cond: "{{ openshift_use_nuage | default(false) | bool }}" diff --git a/roles/openshift_loadbalancer/tasks/firewall.yml b/roles/openshift_loadbalancer/tasks/firewall.yml index c8628f6f8..def868134 100644 --- a/roles/openshift_loadbalancer/tasks/firewall.yml +++ b/roles/openshift_loadbalancer/tasks/firewall.yml @@ -7,7 +7,7 @@ action: add protocol: "{{ item.port.split('/')[1] }}" port: "{{ item.port.split('/')[0] }}" - when: item.cond + when: item.cond | default(True) with_items: "{{ r_openshift_loadbalancer_os_firewall_allow }}" - name: Remove iptables rules @@ -16,7 +16,7 @@ action: remove protocol: "{{ item.port.split('/')[1] }}" port: "{{ item.port.split('/')[0] }}" - when: item.cond + when: item.cond | default(True) with_items: "{{ r_openshift_loadbalancer_os_firewall_deny }}" - when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool @@ -27,7 +27,7 @@ permanent: true immediate: true state: enabled - when: item.cond + when: item.cond | default(True) with_items: "{{ r_openshift_loadbalancer_os_firewall_allow }}" - name: Remove firewalld allow rules @@ -36,5 +36,5 @@ permanent: true immediate: true state: disabled - when: item.cond + when: item.cond | default(True) with_items: "{{ r_openshift_loadbalancer_os_firewall_deny }}" diff --git a/roles/openshift_master/defaults/main.yml b/roles/openshift_master/defaults/main.yml index 547801fa5..0b35c180e 100644 
--- a/roles/openshift_master/defaults/main.yml +++ b/roles/openshift_master/defaults/main.yml @@ -7,16 +7,12 @@ r_openshift_master_os_firewall_deny: [] r_openshift_master_os_firewall_allow: - service: api server https port: "{{ openshift.master.api_port }}/tcp" - cond: true - service: api controllers https port: "{{ openshift.master.controllers_port }}/tcp" - cond: true - service: skydns tcp port: "{{ openshift.master.dns_port }}/tcp" - cond: true - service: skydns udp port: "{{ openshift.master.dns_port }}/udp" - cond: true - service: etcd embedded port: 4001/tcp cond: "{{ groups.oo_etcd_to_config | default([]) | length == 0 }}" diff --git a/roles/openshift_master/tasks/firewall.yml b/roles/openshift_master/tasks/firewall.yml index 15073da98..80a91fa2e 100644 --- a/roles/openshift_master/tasks/firewall.yml +++ b/roles/openshift_master/tasks/firewall.yml @@ -7,7 +7,7 @@ action: add protocol: "{{ item.port.split('/')[1] }}" port: "{{ item.port.split('/')[0] }}" - when: item.cond + when: item.cond | default(True) with_items: "{{ r_openshift_master_os_firewall_allow }}" - name: Remove iptables rules @@ -16,7 +16,7 @@ action: remove protocol: "{{ item.port.split('/')[1] }}" port: "{{ item.port.split('/')[0] }}" - when: item.cond + when: item.cond | default(True) with_items: "{{ r_openshift_master_os_firewall_deny }}" - when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool @@ -27,7 +27,7 @@ permanent: true immediate: true state: enabled - when: item.cond + when: item.cond | default(True) with_items: "{{ r_openshift_master_os_firewall_allow }}" - name: Remove firewalld allow rules @@ -36,5 +36,5 @@ permanent: true immediate: true state: disabled - when: item.cond + when: item.cond | default(True) with_items: "{{ r_openshift_master_os_firewall_deny }}" diff --git a/roles/openshift_node/defaults/main.yml b/roles/openshift_node/defaults/main.yml index 52218f683..92237757c 100644 --- a/roles/openshift_node/defaults/main.yml 
+++ b/roles/openshift_node/defaults/main.yml @@ -3,16 +3,13 @@ r_openshift_node_os_firewall_deny: [] r_openshift_node_os_firewall_allow: - service: Kubernetes kubelet port: 10250/tcp - cond: true - service: http port: 80/tcp - cond: true - service: https port: 443/tcp - cond: true - service: OpenShift OVS sdn port: 4789/udp - when: openshift.common.use_openshift_sdn | default(true) | bool + cond: openshift.common.use_openshift_sdn | default(true) | bool - service: Calico BGP Port port: 179/tcp cond: "{{ openshift.common.use_calico | bool }}" diff --git a/roles/openshift_node/tasks/firewall.yml b/roles/openshift_node/tasks/firewall.yml index 323eaae70..492dcee1d 100644 --- a/roles/openshift_node/tasks/firewall.yml +++ b/roles/openshift_node/tasks/firewall.yml @@ -7,7 +7,7 @@ action: add protocol: "{{ item.port.split('/')[1] }}" port: "{{ item.port.split('/')[0] }}" - when: item.cond + when: item.cond | default(True) with_items: "{{ r_openshift_node_os_firewall_allow }}" - name: Remove iptables rules @@ -16,7 +16,7 @@ action: remove protocol: "{{ item.port.split('/')[1] }}" port: "{{ item.port.split('/')[0] }}" - when: item.cond + when: item.cond | default(True) with_items: "{{ r_openshift_node_os_firewall_deny }}" - when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool @@ -27,7 +27,7 @@ permanent: true immediate: true state: enabled - when: item.cond + when: item.cond | default(True) with_items: "{{ r_openshift_node_os_firewall_allow }}" - name: Remove firewalld allow rules @@ -36,5 +36,5 @@ permanent: true immediate: true state: disabled - when: item.cond + when: item.cond | default(True) with_items: "{{ r_openshift_node_os_firewall_deny }}" diff --git a/roles/openshift_storage_nfs/defaults/main.yml b/roles/openshift_storage_nfs/defaults/main.yml index f6c0a1108..1e9265b00 100644 --- a/roles/openshift_storage_nfs/defaults/main.yml +++ b/roles/openshift_storage_nfs/defaults/main.yml 
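Review bot: The rewritten `OpenShift OVS sdn` entry sets `cond: openshift.common.use_openshift_sdn | default(true) | bool` without `{{ }}`, so `item.cond` is the literal expression text rather than its value; the consuming `when: item.cond | default(True)` in tasks/firewall.yml then evaluates a non-empty string, which is truthy, and the 4789/udp rule is added even when the SDN is disabled — unlike the Calico entry directly below, which is correctly templated. Change it to `cond: "{{ openshift.common.use_openshift_sdn | default(true) | bool }}"`. Since the `when:` form this line replaces was never read by the new tasks, this line alone decides whether the VXLAN port is exposed on the node.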
@@ -3,7 +3,6 @@ r_openshift_storage_nfs_os_firewall_deny: [] r_openshift_storage_nfs_os_firewall_allow: - service: nfs port: "2049/tcp" - cond: true openshift: hosted: diff --git a/roles/openshift_storage_nfs/tasks/firewall.yml b/roles/openshift_storage_nfs/tasks/firewall.yml index 224042d1e..9bca80b40 100644 --- a/roles/openshift_storage_nfs/tasks/firewall.yml +++ b/roles/openshift_storage_nfs/tasks/firewall.yml @@ -7,7 +7,7 @@ action: add protocol: "{{ item.port.split('/')[1] }}" port: "{{ item.port.split('/')[0] }}" - when: item.cond + when: item.cond | default(True) with_items: "{{ r_openshift_storage_nfs_os_firewall_allow }}" - name: Remove iptables rules @@ -16,7 +16,7 @@ action: remove protocol: "{{ item.port.split('/')[1] }}" port: "{{ item.port.split('/')[0] }}" - when: item.cond + when: item.cond | default(True) with_items: "{{ r_openshift_storage_nfs_os_firewall_deny }}" - when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool @@ -27,7 +27,7 @@ permanent: true immediate: true state: enabled - when: item.cond + when: item.cond | default(True) with_items: "{{ r_openshift_storage_nfs_os_firewall_allow }}" - name: Remove firewalld allow rules @@ -36,5 +36,5 @@ permanent: true immediate: true state: disabled - when: item.cond + when: item.cond | default(True) with_items: "{{ r_openshift_storage_nfs_os_firewall_deny }}" -- cgit v1.2.3 From 7d50ffe98dfa17e3fb72627699c794843ed5295d Mon Sep 17 00:00:00 2001 
From: Kenny Woodson Date: Thu, 10 Aug 2017 21:13:54 -0400 Subject: Updated README to reflect refactor. Moved firewall initialize into separate file. --- playbooks/common/openshift-cluster/config.yml | 15 --------- .../openshift-cluster/initialize_firewall.yml | 7 ++++ playbooks/common/openshift-cluster/std_include.yml | 4 +++ roles/cockpit/defaults/main.yml | 3 ++ roles/cockpit/tasks/firewall.yml | 4 +-- roles/etcd/defaults/main.yaml | 3 ++ roles/etcd/tasks/firewall.yml | 4 +-- roles/nuage_master/defaults/main.yml | 3 ++ roles/nuage_master/tasks/firewall.yml | 4 +-- roles/nuage_node/defaults/main.yml | 3 ++ roles/nuage_node/tasks/firewall.yml | 4 +-- roles/openshift_hosted/defaults/main.yml | 6 ++++ roles/openshift_hosted/tasks/registry/firewall.yml | 4 +-- roles/openshift_hosted/tasks/router/firewall.yml | 4 +-- roles/openshift_loadbalancer/defaults/main.yml | 3 ++ roles/openshift_loadbalancer/tasks/firewall.yml | 4 +-- roles/openshift_master/defaults/main.yml | 3 ++ roles/openshift_master/tasks/firewall.yml | 4 +-- roles/openshift_node/defaults/main.yml | 2 ++ roles/openshift_node/tasks/firewall.yml | 4 +-- roles/openshift_storage_nfs/defaults/main.yml | 3 ++ roles/openshift_storage_nfs/tasks/firewall.yml | 4 +-- roles/os_firewall/README.md | 37 ++++++++-------------- roles/os_firewall/defaults/main.yml | 2 -- 24 files changed, 74 insertions(+), 60 deletions(-) create mode 100644 playbooks/common/openshift-cluster/initialize_firewall.yml (limited to 'roles/openshift_node') diff --git a/playbooks/common/openshift-cluster/config.yml b/playbooks/common/openshift-cluster/config.yml index 423573540..7136f1c1f 100644 --- a/playbooks/common/openshift-cluster/config.yml +++ b/playbooks/common/openshift-cluster/config.yml 
@@ -26,21 +26,6 @@ tags: - always -- name: Setup firewall - hosts: oo_all_hosts - tags: - - always - tasks: - # This should move to intialize_facts - - name: set os_firewall_enabled - set_fact: - os_firewall_enabled: true - os_firewall_use_firewalld: false - - - name: Set proper firewall settings - include_role: - name: os_firewall - - name: Disable excluders hosts: oo_masters_to_config:oo_nodes_to_config tags: diff --git a/playbooks/common/openshift-cluster/initialize_firewall.yml b/playbooks/common/openshift-cluster/initialize_firewall.yml new file mode 100644 index 000000000..7d7a427d4 --- /dev/null +++ b/playbooks/common/openshift-cluster/initialize_firewall.yml @@ -0,0 +1,7 @@ +--- +- name: Initialize host facts + hosts: oo_all_hosts + tasks: + - name: install and configure the proper firewall settings + include_role: + name: os_firewall diff --git a/playbooks/common/openshift-cluster/std_include.yml b/playbooks/common/openshift-cluster/std_include.yml index 6ed31a644..eab16aba0 100644 --- a/playbooks/common/openshift-cluster/std_include.yml +++ b/playbooks/common/openshift-cluster/std_include.yml @@ -14,3 +14,7 @@ - include: initialize_openshift_version.yml tags: - always + +- include: initialize_firewall.yml + tags: + - always diff --git a/roles/cockpit/defaults/main.yml b/roles/cockpit/defaults/main.yml index 97b00db04..cbe5bb92b 100644 --- a/roles/cockpit/defaults/main.yml +++ b/roles/cockpit/defaults/main.yml @@ -1,4 +1,7 @@ --- +r_cockpit_firewall_enabled: True +r_cockpit_use_firewalld: False + r_cockpit_os_firewall_deny: [] r_cockpit_os_firewall_allow: - service: cockpit-ws diff --git a/roles/cockpit/tasks/firewall.yml b/roles/cockpit/tasks/firewall.yml index 0e253a9f5..e597ac84d 100644 --- a/roles/cockpit/tasks/firewall.yml +++ b/roles/cockpit/tasks/firewall.yml 
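Review bot: The new play in initialize_firewall.yml is named `Initialize host facts`, which looks copied from a sibling include and does not describe what it does — it runs the `os_firewall` role on every host — so `--list-tasks` and the run log mislead; rename it, e.g. `- name: Initialize firewall`. The `set_fact` of `os_firewall_enabled` and `os_firewall_use_firewalld` removed from config.yml in the hunk above is not carried over, so those values now come from wherever the `os_firewall` role defaults them (its defaults file changes in the diffstat but is not shown here); a comment in this play naming the variables that choose the backend would make that explicit.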
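Review bot: `r_cockpit_use_firewalld: False` is a fixed role default that is independent of the cluster-wide `os_firewall_use_firewalld` consumed by the `os_firewall` role, so a deployment that switches the cluster to firewalld likely still gets this role's rules written through the iptables path — the service port ends up opened in an inactive backend and not in the active one. Tie the role flag to the global one, `r_cockpit_use_firewalld: "{{ os_firewall_use_firewalld | default(False) }}"` (and likewise `r_cockpit_firewall_enabled` to `os_firewall_enabled`), or document that operators must set both. The same pattern repeats in the etcd, nuage_master, nuage_node, openshift_hosted, openshift_loadbalancer, openshift_master and openshift_node defaults hunks of this commit. Booleans should also be lowercase `true`/`false` per yamllint's truthy rule; these files already use that form elsewhere (e.g. `r_openshift_master_clean_install: false`).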
@@ -1,5 +1,5 @@ --- -- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool +- when: r_cockpit_firewall_enabled | bool and not r_cockpit_use_firewalld | bool block: - name: Add iptables allow rules os_firewall_manage_iptables: @@ -19,7 +19,7 @@ when: item.cond | default(True) with_items: "{{ r_cockpit_os_firewall_deny }}" -- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool +- when: r_cockpit_firewall_enabled | bool and r_cockpit_use_firewalld | bool block: - name: Add firewalld allow rules firewalld: diff --git a/roles/etcd/defaults/main.yaml b/roles/etcd/defaults/main.yaml index c14137d4e..d12d7a358 100644 --- a/roles/etcd/defaults/main.yaml +++ b/roles/etcd/defaults/main.yaml @@ -1,4 +1,7 @@ --- +r_etcd_firewall_enabled: True +r_etcd_use_firewalld: False + etcd_initial_cluster_state: new etcd_initial_cluster_token: etcd-cluster-1 diff --git a/roles/etcd/tasks/firewall.yml b/roles/etcd/tasks/firewall.yml index fcfdf5227..4d0f6290a 100644 --- a/roles/etcd/tasks/firewall.yml +++ b/roles/etcd/tasks/firewall.yml @@ -1,5 +1,5 @@ --- -- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool +- when: r_etcd_firewall_enabled | bool and not r_etcd_use_firewalld | bool block: - name: Add iptables allow rules os_firewall_manage_iptables: @@ -19,7 +19,7 @@ when: item.cond | default(True) with_items: "{{ r_etcd_os_firewall_deny }}" -- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool +- when: r_etcd_firewall_enabled | bool and r_etcd_use_firewalld | bool block: - name: Add firewalld allow rules firewalld: diff --git a/roles/nuage_master/defaults/main.yml b/roles/nuage_master/defaults/main.yml index 2aed521da..ffab25775 100644 --- a/roles/nuage_master/defaults/main.yml +++ b/roles/nuage_master/defaults/main.yml @@ -1,4 +1,7 @@ --- +r_nuage_master_firewall_enabled: True +r_nuage_master_use_firewalld: False + nuage_mon_rest_server_port: '9443' r_nuage_master_os_firewall_deny: [] 
diff --git a/roles/nuage_master/tasks/firewall.yml b/roles/nuage_master/tasks/firewall.yml index b4da2ac83..0057dc9ab 100644 --- a/roles/nuage_master/tasks/firewall.yml +++ b/roles/nuage_master/tasks/firewall.yml @@ -1,5 +1,5 @@ --- -- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool +- when: r_nuage_master_firewall_enabled | bool and not r_nuage_master_use_firewalld | bool block: - name: Add iptables allow rules os_firewall_manage_iptables: @@ -19,7 +19,7 @@ when: item.cond | default(True) with_items: "{{ r_nuage_master_os_firewall_deny }}" -- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool +- when: r_nuage_master_firewall_enabled | bool and r_nuage_master_use_firewalld | bool block: - name: Add firewalld allow rules firewalld: diff --git a/roles/nuage_node/defaults/main.yml b/roles/nuage_node/defaults/main.yml index 7a71273e7..b3d2e3cec 100644 --- a/roles/nuage_node/defaults/main.yml +++ b/roles/nuage_node/defaults/main.yml @@ -1,4 +1,7 @@ --- +r_nuage_node_firewall_enabled: True +r_nuage_node_use_firewalld: False + nuage_mon_rest_server_port: '9443' r_nuage_node_os_firewall_deny: [] diff --git a/roles/nuage_node/tasks/firewall.yml b/roles/nuage_node/tasks/firewall.yml index 008f3a95b..baf600d57 100644 --- a/roles/nuage_node/tasks/firewall.yml +++ b/roles/nuage_node/tasks/firewall.yml @@ -1,5 +1,5 @@ --- -- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool +- when: r_nuage_node_firewall_enabled | bool and not r_nuage_node_use_firewalld | bool block: - name: Add iptables allow rules os_firewall_manage_iptables: @@ -19,7 +19,7 @@ when: item.cond | default(True) with_items: "{{ r_nuage_node_os_firewall_deny }}" -- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool +- when: r_nuage_node_firewall_enabled | bool and r_nuage_node_use_firewalld | bool block: - name: Add firewalld allow rules firewalld: 
diff --git a/roles/openshift_hosted/defaults/main.yml b/roles/openshift_hosted/defaults/main.yml index f1fd0f4b7..13cbfb14e 100644 --- a/roles/openshift_hosted/defaults/main.yml +++ b/roles/openshift_hosted/defaults/main.yml @@ -1,4 +1,10 @@ --- +r_openshift_hosted_router_firewall_enabled: True +r_openshift_hosted_router_use_firewalld: False + +r_openshift_hosted_registry_firewall_enabled: True +r_openshift_hosted_registry_use_firewalld: False + registry_volume_claim: 'registry-claim' openshift_hosted_router_edits: diff --git a/roles/openshift_hosted/tasks/registry/firewall.yml b/roles/openshift_hosted/tasks/registry/firewall.yml index f48eb3b12..775b7d6d7 100644 --- a/roles/openshift_hosted/tasks/registry/firewall.yml +++ b/roles/openshift_hosted/tasks/registry/firewall.yml @@ -1,5 +1,5 @@ --- -- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool +- when: r_openshift_hosted_registry_firewall_enabled | bool and not r_openshift_hosted_registry_use_firewalld | bool block: - name: Add iptables allow rules os_firewall_manage_iptables: @@ -19,7 +19,7 @@ when: item.cond | default(True) with_items: "{{ r_openshift_hosted_registry_os_firewall_deny }}" -- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool +- when: r_openshift_hosted_registry_firewall_enabled | bool and r_openshift_hosted_registry_use_firewalld | bool block: - name: Add firewalld allow rules firewalld: diff --git a/roles/openshift_hosted/tasks/router/firewall.yml b/roles/openshift_hosted/tasks/router/firewall.yml index fd9a9c2e7..ff90f3372 100644 --- a/roles/openshift_hosted/tasks/router/firewall.yml +++ b/roles/openshift_hosted/tasks/router/firewall.yml @@ -1,5 +1,5 @@ --- -- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool +- when: r_openshift_hosted_router_firewall_enabled | bool and not r_openshift_hosted_router_use_firewalld | bool block: - name: Add iptables allow rules os_firewall_manage_iptables: 
@@ -19,7 +19,7 @@
 when: item.cond | default(True)
 with_items: "{{ r_openshift_hosted_router_os_firewall_deny }}"
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_openshift_hosted_router_firewall_enabled | bool and r_openshift_hosted_router_use_firewalld | bool
 block:
 - name: Add firewalld allow rules
 firewalld:
diff --git a/roles/openshift_loadbalancer/defaults/main.yml b/roles/openshift_loadbalancer/defaults/main.yml
index 35a14b1a5..3f6409233 100644
--- a/roles/openshift_loadbalancer/defaults/main.yml
+++ b/roles/openshift_loadbalancer/defaults/main.yml
@@ -1,4 +1,7 @@
 ---
+r_openshift_loadbalancer_firewall_enabled: True
+r_openshift_loadbalancer_use_firewalld: False
+
 haproxy_frontends:
 - name: main
 binds:
diff --git a/roles/openshift_loadbalancer/tasks/firewall.yml b/roles/openshift_loadbalancer/tasks/firewall.yml
index def868134..7d6e8ff36 100644
--- a/roles/openshift_loadbalancer/tasks/firewall.yml
+++ b/roles/openshift_loadbalancer/tasks/firewall.yml
@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_openshift_loadbalancer_firewall_enabled | bool and not r_openshift_loadbalancer_use_firewalld | bool
 block:
 - name: Add iptables allow rules
 os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
 when: item.cond | default(True)
 with_items: "{{ r_openshift_loadbalancer_os_firewall_deny }}"
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_openshift_loadbalancer_firewall_enabled | bool and r_openshift_loadbalancer_use_firewalld | bool
 block:
 - name: Add firewalld allow rules
 firewalld:
diff --git a/roles/openshift_master/defaults/main.yml b/roles/openshift_master/defaults/main.yml
index 0b35c180e..a4c178908 100644
--- a/roles/openshift_master/defaults/main.yml
+++ b/roles/openshift_master/defaults/main.yml
@@ -1,4 +1,7 @@
 ---
+r_openshift_master_firewall_enabled: True
+r_openshift_master_use_firewalld: False
+
 openshift_node_ips: []
 r_openshift_master_clean_install: false
 r_openshift_master_etcd3_storage: false
diff --git a/roles/openshift_master/tasks/firewall.yml b/roles/openshift_master/tasks/firewall.yml
index 80a91fa2e..e51eeb56e 100644
--- a/roles/openshift_master/tasks/firewall.yml
+++ b/roles/openshift_master/tasks/firewall.yml
@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_openshift_master_firewall_enabled | bool and not r_openshift_master_use_firewalld | bool
 block:
 - name: Add iptables allow rules
 os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
 when: item.cond | default(True)
 with_items: "{{ r_openshift_master_os_firewall_deny }}"
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_openshift_master_firewall_enabled | bool and r_openshift_master_use_firewalld | bool
 block:
 - name: Add firewalld allow rules
 firewalld:
diff --git a/roles/openshift_node/defaults/main.yml b/roles/openshift_node/defaults/main.yml
index 92237757c..973b3a619 100644
--- a/roles/openshift_node/defaults/main.yml
+++ b/roles/openshift_node/defaults/main.yml
@@ -1,4 +1,6 @@
 ---
+r_openshift_node_firewall_enabled: True
+r_openshift_node_use_firewalld: False
 r_openshift_node_os_firewall_deny: []
 r_openshift_node_os_firewall_allow:
 - service: Kubernetes kubelet
diff --git a/roles/openshift_node/tasks/firewall.yml b/roles/openshift_node/tasks/firewall.yml
index 492dcee1d..255aa886a 100644
--- a/roles/openshift_node/tasks/firewall.yml
+++ b/roles/openshift_node/tasks/firewall.yml
@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_openshift_node_firewall_enabled | bool and not r_openshift_node_use_firewalld | bool
 block:
 - name: Add iptables allow rules
 os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
 when: item.cond | default(True)
 with_items: "{{ r_openshift_node_os_firewall_deny }}"
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_openshift_node_firewall_enabled | bool and r_openshift_node_use_firewalld | bool
 block:
 - name: Add firewalld allow rules
 firewalld:
diff --git a/roles/openshift_storage_nfs/defaults/main.yml b/roles/openshift_storage_nfs/defaults/main.yml
index 1e9265b00..4a2bc6141 100644
--- a/roles/openshift_storage_nfs/defaults/main.yml
+++ b/roles/openshift_storage_nfs/defaults/main.yml
@@ -1,4 +1,7 @@
 ---
+r_openshift_storage_nfs_firewall_enabled: True
+r_openshift_storage_nfs_use_firewalld: False
+
 r_openshift_storage_nfs_os_firewall_deny: []
 r_openshift_storage_nfs_os_firewall_allow:
 - service: nfs
diff --git a/roles/openshift_storage_nfs/tasks/firewall.yml b/roles/openshift_storage_nfs/tasks/firewall.yml
index 9bca80b40..c1c318ff4 100644
--- a/roles/openshift_storage_nfs/tasks/firewall.yml
+++ b/roles/openshift_storage_nfs/tasks/firewall.yml
@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_openshift_storage_nfs_firewall_enabled | bool and not r_openshift_storage_nfs_use_firewalld | bool
 block:
 - name: Add iptables allow rules
 os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
 when: item.cond | default(True)
 with_items: "{{ r_openshift_storage_nfs_os_firewall_deny }}"
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_openshift_storage_nfs_firewall_enabled | bool and r_openshift_storage_nfs_use_firewalld | bool
 block:
 - name: Add firewalld allow rules
 firewalld:
diff --git a/roles/os_firewall/README.md b/roles/os_firewall/README.md
index e7ef544f4..be0b8291a 100644
--- a/roles/os_firewall/README.md
+++ b/roles/os_firewall/README.md
@@ -1,8 +1,8 @@ OS Firewall =========== -OS Firewall manages firewalld and iptables firewall settings for a minimal use -case (Adding/Removing rules based on protocol and port number). +OS Firewall manages firewalld and iptables installation. +case. Note: firewalld is not supported on Atomic Host https://bugzilla.redhat.com/show_bug.cgi?id=1403331 @@ -18,8 +18,6 @@ Role Variables | Name | Default | | |---------------------------|---------|----------------------------------------| | os_firewall_use_firewalld | False | If false, use iptables | -| os_firewall_allow | [] | List of service,port mappings to allow | -| os_firewall_deny | [] | List of service, port mappings to deny | Dependencies ------------ @@ -29,34 +27,27 @@ None. Example Playbook ---------------- -Use iptables and open tcp ports 80 and 443: +Use iptables: ``` --- - hosts: servers - vars: - os_firewall_use_firewalld: false - os_firewall_allow: - - service: httpd - port: 80/tcp - - service: https - port: 443/tcp - roles: - - os_firewall + task: + - include_role: + name: os_firewall + vars: + os_firewall_use_firewalld: false ``` -Use firewalld and open tcp port 443 and close previously open tcp port 80: +Use firewalld: ``` --- - hosts: servers vars: - os_firewall_allow: - - service: https - port: 443/tcp - os_firewall_deny: - - service: httpd - port: 80/tcp - roles: - - os_firewall + tasks: + - include_role: + name: os_firewall + vars: + os_firewall_use_firewalld: true ``` License diff --git a/roles/os_firewall/defaults/main.yml b/roles/os_firewall/defaults/main.yml index 01859e5fc..f96a80f1c 100644 --- a/roles/os_firewall/defaults/main.yml +++ b/roles/os_firewall/defaults/main.yml @@ -3,5 +3,3 @@ os_firewall_enabled: True # firewalld is not supported on Atomic Host # https://bugzilla.redhat.com/show_bug.cgi?id=1403331 os_firewall_use_firewalld: "{{ False }}" -os_firewall_allow: [] -os_firewall_deny: [] -- cgit v1.2.3