author | Bogdan Dobrelya <bdobreli@redhat.com> | 2017-06-26 09:46:41 +0200 |
---|---|---|
committer | Bogdan Dobrelya <bdobreli@redhat.com> | 2017-06-26 09:46:41 +0200 |
commit | 8af0a60120689267515d7766c432a414eb55d51c (patch) | |
tree | ddbfb767bd3ab7760d269b0a49d02e162d519320 | |
parent | aa0117e33474cbfa0e7206fe181a63508364a67b (diff) | |
Modify sec groups for provisioned openstack servers
Drop ingress DNS rules from the common secgrp.
Add an ingress ICMP rule, restricted by the ssh ingress cidr,
to the common secgrp. This allows pinging servers from the
control node (ansible admin node).
Add dns servers into the common secgrp as well.
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
-rw-r--r-- | roles/openstack-stack/templates/heat_stack.yaml.j2 | 17 |
1 files changed, 4 insertions, 13 deletions
diff --git a/roles/openstack-stack/templates/heat_stack.yaml.j2 b/roles/openstack-stack/templates/heat_stack.yaml.j2
index cba03e2ca..7fd52e52d 100644
--- a/roles/openstack-stack/templates/heat_stack.yaml.j2
+++ b/roles/openstack-stack/templates/heat_stack.yaml.j2
@@ -152,7 +152,7 @@ resources:
 cluster_id: {{ stack_name }}
 description:
 str_replace:
- template: Basic ssh/dns security group for cluster_id OpenShift cluster
+ template: Basic ssh/icmp security group for cluster_id OpenShift cluster
 params:
 cluster_id: {{ stack_name }}
 rules:
@@ -162,13 +162,8 @@ resources:
 port_range_max: 22
 remote_ip_prefix: {{ ssh_ingress_cidr }}
 - direction: ingress
- protocol: tcp
- port_range_min: 53
- port_range_max: 53
- - direction: ingress
- protocol: udp
- port_range_min: 53
- port_range_max: 53
+ protocol: icmp
+ remote_ip_prefix: {{ ssh_ingress_cidr }}
 {% if openstack_flat_secgrp|bool %}
 flat-secgrp:
@@ -423,11 +418,6 @@ resources:
 cluster_id: {{ stack_name }}
 rules:
 - direction: ingress
- protocol: tcp
- port_range_min: 22
- port_range_max: 22
- remote_ip_prefix: {{ ssh_ingress_cidr }}
- - direction: ingress
 protocol: udp
 port_range_min: 53
 port_range_max: 53
@@ -715,6 +705,7 @@ resources:
 subnet: { get_resource: subnet }
 secgrp:
 - { get_resource: dns-secgrp }
+ - { get_resource: common-secgrp }
 floating_network: {{ external_network }}
 net_name:
 str_replace: |
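Review bot: The new ingress rule in the common-secgrp hunk (-162,13 +162,8) admits every ICMP type from `ssh_ingress_cidr`, while the commit message only asks for ping from the control node. Neutron reads `port_range_min`/`port_range_max` on an `icmp` rule as ICMP type and code, so adding `port_range_min: 8` and `port_range_max: 0` would narrow it to echo requests. The rule is also only as tight as `ssh_ingress_cidr`, whose default is not visible in this diff; a comment such as `# ICMP reuses the ssh CIDR; keep ssh_ingress_cidr narrow` above the rule would record that coupling. The security group resource starts above the hunk.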
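Review bot: The secgrp list in the last hunk (-715,6 +705,7) carries no comment saying that `common-secgrp` is now the only source of ssh ingress for this server, since the -423 hunk removes the tcp/22 rule from what looks like the DNS group. A line such as `# ssh/icmp ingress comes from common-secgrp; dns-secgrp no longer allows ssh` above the list would keep a later edit from dropping the entry and cutting off the admin node. The server is attached to `floating_network`, so it is also worth confirming that the port 53 rules in the DNS group carry a `remote_ip_prefix`; those lines fall outside the visible context. The server resource starts and ends outside the hunk.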