From a7300e6b7ace3098aa05794d4ac2f9e5a4cef64a Mon Sep 17 00:00:00 2001 From: Tomas Sedovic Date: Fri, 2 Jun 2017 13:28:00 +0200 Subject: Always let the openshift nodes access the DNS When `node_ingress_cidr` to limit the IP range for the DNS server, this can prevent the actual openshift nodes from accessing it as well. This commit makes the access from the `openstack_subnet_prefix` always pass through and uses `node_ingress_cidr` for additional access control. --- roles/openstack-stack/templates/heat_stack.yaml.j2 | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'roles') diff --git a/roles/openstack-stack/templates/heat_stack.yaml.j2 b/roles/openstack-stack/templates/heat_stack.yaml.j2 index 09b62cba7..c10b1d90f 100644 --- a/roles/openstack-stack/templates/heat_stack.yaml.j2 +++ b/roles/openstack-stack/templates/heat_stack.yaml.j2 @@ -289,6 +289,11 @@ resources: port_range_min: 30000 port_range_max: 32767 remote_ip_prefix: {{ node_ingress_cidr }} + - direction: ingress + protocol: tcp + port_range_min: 30000 + port_range_max: 32767 + remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24" infra-secgrp: type: OS::Neutron::SecurityGroup @@ -337,11 +342,21 @@ resources: port_range_min: 53 port_range_max: 53 remote_ip_prefix: {{ node_ingress_cidr }} + - direction: ingress + protocol: udp + port_range_min: 53 + port_range_max: 53 + remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24" - direction: ingress protocol: tcp port_range_min: 53 port_range_max: 53 remote_ip_prefix: {{ node_ingress_cidr }} + - direction: ingress + protocol: tcp + port_range_min: 53 + port_range_max: 53 + remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24" {% if num_masters is greaterthan 1 %} lb-secgrp: type: OS::Neutron::SecurityGroup -- cgit v1.2.3