authorBogdan Dobrelya <bdobreli@redhat.com>2017-09-05 15:56:43 +0200
committerTomas Sedovic <tomas@sedovic.cz>2017-09-05 15:56:43 +0200
commit06abd17792fafc3adec3916f56c69800690b1431 (patch)
tree7cbebf95e307dace4bc81b5eb52825446b637624
parente903f5581d5b5bc0dba9cdcddb8399d7ae7578af (diff)
Document global DNS security options (#694)
* Document global DNS security options Related changes: * Do not create a view if it is externally managed. * Allow specifying the recursion settings for the public/private views defined by the dns-view role. Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com> * Document public_dns_nameservers better Also use it as the private view forwarder Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
-rw-r--r--playbooks/provisioning/openstack/README.md14
-rw-r--r--playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml4
-rw-r--r--roles/dns-views/defaults/main.yml4
-rw-r--r--roles/dns-views/tasks/main.yml7
4 files changed, 28 insertions, 1 deletions
diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md
index 57d5839c8..b898351e6 100644
--- a/playbooks/provisioning/openstack/README.md
+++ b/playbooks/provisioning/openstack/README.md
@@ -94,6 +94,8 @@ default hostname (usually the role name) is used.
The `public_dns_nameservers` is a list of DNS servers accessible from all
the created Nova servers. These will be serving as your DNS forwarders for
external FQDNs that do not belong to the cluster's DNS domain and its subdomains.
+If you're unsure what to put in here, you can try the google or opendns servers,
+but note that some organizations may be blocking them.
The `openshift_use_dnsmasq` controls either dnsmasq is deployed or not.
By default, dnsmasq is deployed and comes as the hosts' /etc/resolv.conf file
@@ -244,6 +246,18 @@ be the case for development environments. When turned off, the servers will
be provisioned omitting the ``yum update`` command. This brings security
implications though, and is not recommended for production deployments.
+##### DNS servers security options
+
+Aside from `node_ingress_cidr` restricting public access to in-stack DNS
+servers, there are following (bind/named specific) DNS security
+options available:
+
+ named_public_recursion: 'no'
+ named_private_recursion: 'yes'
+
+External DNS servers, which is not included in the 'dns' hosts group,
+are not managed. It is up to you to configure such ones.
+
### Configure the OpenShift parameters
Finally, you need to update the DNS entry in
diff --git a/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml b/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml
index 4b077be0a..5028141d2 100644
--- a/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml
+++ b/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml
@@ -92,6 +92,10 @@ rhsm_register: False
# key_algorithm: 'hmac-md5'
# server: '192.168.1.2'
+# # Customize DNS server security options
+#named_public_recursion: 'no'
+#named_private_recursion: 'yes'
+
# NOTE(shadower): Do not change this value. The Ansible user is currently
# hardcoded to `openshift`.
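Review bot: The new commented-out entries are written in a different comment style from their neighbours: the header uses a doubled hash (`# # Customize DNS server security options`) and the two settings have no space after the hash (`#named_public_recursion: 'no'`), whereas the surrounding sample lines read `# key_algorithm: 'hmac-md5'`. Since this file is the template users uncomment, it is also the right place to say why the values are quoted. Suggested replacement for the three lines: `# Customize DNS server security options (keep the quotes: BIND wants the words yes/no, not booleans)`, `# named_public_recursion: 'no'`, `# named_private_recursion: 'yes'`.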
diff --git a/roles/dns-views/defaults/main.yml b/roles/dns-views/defaults/main.yml
new file mode 100644
index 000000000..c9f8248af
--- /dev/null
+++ b/roles/dns-views/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+external_nsupdate_keys: {}
+named_private_recursion: 'yes'
+named_public_recursion: 'no'
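Review bot: The new defaults file gives no hint that the quoting on `named_private_recursion: 'yes'` and `named_public_recursion: 'no'` is load-bearing; unquoted `yes`/`no` would be coerced to booleans by Ansible's YAML loader and would no longer be the literal words BIND's `recursion` option takes, presumably breaking the rendered named config. Suggested comment above the two keys: `# BIND's recursion option takes the literal words yes/no; keep these quoted so they stay strings`. The public view built in roles/dns-views/tasks/main.yml carries no `acl_entry`, so the `'no'` default is what keeps the server from acting as a recursive resolver for every client the ingress rules let in; a second comment, `# The public view has no ACL; leave this 'no' to avoid an open resolver`, would warn whoever flips it. `external_nsupdate_keys: {}` could carry `# A key here marks that view as externally managed; the role will not generate it`, matching the skip conditions in the tasks file.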
diff --git a/roles/dns-views/tasks/main.yml b/roles/dns-views/tasks/main.yml
index 7165b4269..ffbad2e3f 100644
--- a/roles/dns-views/tasks/main.yml
+++ b/roles/dns-views/tasks/main.yml
@@ -8,18 +8,23 @@
set_fact:
private_named_view:
- name: "private"
+ recursion: "{{ named_private_recursion }}"
acl_entry: "{{ acl_list }}"
zone:
- dns_domain: "{{ full_dns_domain }}"
+ forwarder: "{{ public_dns_nameservers }}"
+ when: external_nsupdate_keys['private'] is undefined
- name: "Generate the public view"
set_fact:
public_named_view:
- name: "public"
+ recursion: "{{ named_public_recursion }}"
zone:
- dns_domain: "{{ full_dns_domain }}"
forwarder: "{{ public_dns_nameservers }}"
+ when: external_nsupdate_keys['public'] is undefined
- name: "Generate the final named_config_views"
set_fact:
- named_config_views: "{{ private_named_view + public_named_view }}"
+ named_config_views: "{{ private_named_view|default([]) + public_named_view|default([]) }}"
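Review bot: The added `recursion: "{{ named_private_recursion }}"` line, and the matching one in the public view, pass the variable through untouched, so an inventory that writes `named_public_recursion: no` without quotes (which Ansible's YAML loader turns into a boolean) would presumably reach the named config as `False` instead of the `no` BIND expects; the defaults and sample inventory quote the values, but nothing in this task enforces it. Normalising at the point of use is a two-line change: `recursion: "{{ 'yes' if named_private_recursion | bool else 'no' }}"` and `recursion: "{{ 'yes' if named_public_recursion | bool else 'no' }}"`. The public view is generated with a `forwarder` but no `acl_entry`, so the recursion setting is the only thing standing between it and an open resolver for whatever `node_ingress_cidr` admits; a short comment on the "Generate the public view" task saying so would help. The first task's `- name:` line sits above the hunk, and the new `|default([])` guards on the final set_fact correctly cover the case where both views are skipped as externally managed.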