authorBogdan Dobrelya <bdobreli@redhat.com>2017-06-26 09:46:41 +0200
committerBogdan Dobrelya <bdobreli@redhat.com>2017-06-26 09:46:41 +0200
commit8af0a60120689267515d7766c432a414eb55d51c (patch)
treeddbfb767bd3ab7760d269b0a49d02e162d519320
parentaa0117e33474cbfa0e7206fe181a63508364a67b (diff)
Modify sec groups for provisioned openstack servers
Drop ingress DNS rules from the common secgrp. Add an ingress ICMP rule, restricted by the ssh ingress cidr, to the common secgrp. This allows pinging servers from the control node (the Ansible admin node). Add dns servers into the common secgrp as well. Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
-rw-r--r--roles/openstack-stack/templates/heat_stack.yaml.j217
1 files changed, 4 insertions, 13 deletions
diff --git a/roles/openstack-stack/templates/heat_stack.yaml.j2 b/roles/openstack-stack/templates/heat_stack.yaml.j2
index cba03e2ca..7fd52e52d 100644
--- a/roles/openstack-stack/templates/heat_stack.yaml.j2
+++ b/roles/openstack-stack/templates/heat_stack.yaml.j2
@@ -152,7 +152,7 @@ resources:
cluster_id: {{ stack_name }}
description:
str_replace:
- template: Basic ssh/dns security group for cluster_id OpenShift cluster
+ template: Basic ssh/icmp security group for cluster_id OpenShift cluster
params:
cluster_id: {{ stack_name }}
rules:
@@ -162,13 +162,8 @@ resources:
port_range_max: 22
remote_ip_prefix: {{ ssh_ingress_cidr }}
- direction: ingress
- protocol: tcp
- port_range_min: 53
- port_range_max: 53
- - direction: ingress
- protocol: udp
- port_range_min: 53
- port_range_max: 53
+ protocol: icmp
+ remote_ip_prefix: {{ ssh_ingress_cidr }}
{% if openstack_flat_secgrp|bool %}
flat-secgrp:
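Review bot: The added `protocol: icmp` rule carries no ICMP type or code restriction, so it admits every ICMP type from `ssh_ingress_cidr` rather than only the echo requests the commit message says it is meant to allow. In a Neutron security group rule port_range_min/port_range_max hold the ICMP type and code, so if ping is the only intent the rule can be narrowed with `port_range_min: 8` and `port_range_max: 0` (echo request), which keeps unrelated ICMP types out; confirm the Heat/Neutron version in use accepts a code of 0 here. A short comment above the rule would also help later readers, e.g. `# icmp from the admin cidr only, so the control node can ping cluster nodes`. The common-secgrp resource that holds these rules starts before the hunk.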
@@ -423,11 +418,6 @@ resources:
cluster_id: {{ stack_name }}
rules:
- direction: ingress
- protocol: tcp
- port_range_min: 22
- port_range_max: 22
- remote_ip_prefix: {{ ssh_ingress_cidr }}
- - direction: ingress
protocol: udp
port_range_min: 53
port_range_max: 53
@@ -715,6 +705,7 @@ resources:
subnet: { get_resource: subnet }
secgrp:
- { get_resource: dns-secgrp }
+ - { get_resource: common-secgrp }
floating_network: {{ external_network }}
net_name:
str_replace: