-rw-r--r--playbooks/common/openshift-cluster/config.yml15
-rw-r--r--playbooks/common/openshift-cluster/initialize_firewall.yml7
-rw-r--r--playbooks/common/openshift-cluster/std_include.yml4
-rw-r--r--roles/cockpit/defaults/main.yml3
-rw-r--r--roles/cockpit/tasks/firewall.yml4
-rw-r--r--roles/etcd/defaults/main.yaml3
-rw-r--r--roles/etcd/tasks/firewall.yml4
-rw-r--r--roles/nuage_master/defaults/main.yml3
-rw-r--r--roles/nuage_master/tasks/firewall.yml4
-rw-r--r--roles/nuage_node/defaults/main.yml3
-rw-r--r--roles/nuage_node/tasks/firewall.yml4
-rw-r--r--roles/openshift_hosted/defaults/main.yml6
-rw-r--r--roles/openshift_hosted/tasks/registry/firewall.yml4
-rw-r--r--roles/openshift_hosted/tasks/router/firewall.yml4
-rw-r--r--roles/openshift_loadbalancer/defaults/main.yml3
-rw-r--r--roles/openshift_loadbalancer/tasks/firewall.yml4
-rw-r--r--roles/openshift_master/defaults/main.yml3
-rw-r--r--roles/openshift_master/tasks/firewall.yml4
-rw-r--r--roles/openshift_node/defaults/main.yml2
-rw-r--r--roles/openshift_node/tasks/firewall.yml4
-rw-r--r--roles/openshift_storage_nfs/defaults/main.yml3
-rw-r--r--roles/openshift_storage_nfs/tasks/firewall.yml4
-rw-r--r--roles/os_firewall/README.md37
-rw-r--r--roles/os_firewall/defaults/main.yml2
24 files changed, 74 insertions, 60 deletions
diff --git a/playbooks/common/openshift-cluster/config.yml b/playbooks/common/openshift-cluster/config.yml
index 423573540..7136f1c1f 100644
--- a/playbooks/common/openshift-cluster/config.yml
+++ b/playbooks/common/openshift-cluster/config.yml
@@ -26,21 +26,6 @@
tags:
- always
-- name: Setup firewall
- hosts: oo_all_hosts
- tags:
- - always
- tasks:
- # This should move to intialize_facts
- - name: set os_firewall_enabled
- set_fact:
- os_firewall_enabled: true
- os_firewall_use_firewalld: false
-
- - name: Set proper firewall settings
- include_role:
- name: os_firewall
-
- name: Disable excluders
hosts: oo_masters_to_config:oo_nodes_to_config
tags:
diff --git a/playbooks/common/openshift-cluster/initialize_firewall.yml b/playbooks/common/openshift-cluster/initialize_firewall.yml
new file mode 100644
index 000000000..7d7a427d4
--- /dev/null
+++ b/playbooks/common/openshift-cluster/initialize_firewall.yml
@@ -0,0 +1,7 @@
+---
+- name: Initialize host facts
+ hosts: oo_all_hosts
+ tasks:
+ - name: install and configure the proper firewall settings
+ include_role:
+ name: os_firewall
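Review bot: The play name `Initialize host facts` does not describe this play, whose only task includes the os_firewall role, so `--list-tasks` output and run logs will read as a facts step; `- name: Initialize firewall` (or the removed play's `Setup firewall`) would be accurate. The play it replaces in config.yml also forced `os_firewall_use_firewalld: false` through set_fact, whereas this one leaves the choice to the role default `os_firewall_use_firewalld: "{{ False }}"` and therefore to inventory; that is a reasonable change but it is not mentioned anywhere in the patch and deserves a line in the commit message. Tagging is inherited from the `tags: - always` on the include in std_include.yml, matching the sibling includes there.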
diff --git a/playbooks/common/openshift-cluster/std_include.yml b/playbooks/common/openshift-cluster/std_include.yml
index 6ed31a644..eab16aba0 100644
--- a/playbooks/common/openshift-cluster/std_include.yml
+++ b/playbooks/common/openshift-cluster/std_include.yml
@@ -14,3 +14,7 @@
- include: initialize_openshift_version.yml
tags:
- always
+
+- include: initialize_firewall.yml
+ tags:
+ - always
diff --git a/roles/cockpit/defaults/main.yml b/roles/cockpit/defaults/main.yml
index 97b00db04..cbe5bb92b 100644
--- a/roles/cockpit/defaults/main.yml
+++ b/roles/cockpit/defaults/main.yml
@@ -1,4 +1,7 @@
---
+r_cockpit_firewall_enabled: True
+r_cockpit_use_firewalld: False
+
r_cockpit_os_firewall_deny: []
r_cockpit_os_firewall_allow:
- service: cockpit-ws
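Review bot: The new `r_cockpit_firewall_enabled: True` and `r_cockpit_use_firewalld: False` defaults are fixed values that no longer track the os_firewall role's `os_firewall_enabled`/`os_firewall_use_firewalld`, so an inventory that selects firewalld at the os_firewall level would still have this role's tasks/firewall.yml take its iptables branch (that block is gated on the role-local variable), leaving the cockpit ports unmanaged in the backend that is actually active. Deriving the per-role values from the global ones keeps a single switch while still allowing a per-role override: `r_cockpit_firewall_enabled: "{{ os_firewall_enabled | default(True) }}"` and `r_cockpit_use_firewalld: "{{ os_firewall_use_firewalld | default(False) }}"`. The same applies to the defaults hunks for etcd, nuage_master, nuage_node, openshift_hosted (router and registry), openshift_loadbalancer, openshift_master, openshift_node and openshift_storage_nfs. As a style point, the capitalised `True`/`False` are YAML 1.1 boolean spellings; the lowercase `true`/`false` already used elsewhere in these defaults files (for example `r_openshift_master_clean_install: false`) is the form yamllint expects.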
diff --git a/roles/cockpit/tasks/firewall.yml b/roles/cockpit/tasks/firewall.yml
index 0e253a9f5..e597ac84d 100644
--- a/roles/cockpit/tasks/firewall.yml
+++ b/roles/cockpit/tasks/firewall.yml
@@ -1,5 +1,5 @@
---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_cockpit_firewall_enabled | bool and not r_cockpit_use_firewalld | bool
block:
- name: Add iptables allow rules
os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
when: item.cond | default(True)
with_items: "{{ r_cockpit_os_firewall_deny }}"
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_cockpit_firewall_enabled | bool and r_cockpit_use_firewalld | bool
block:
- name: Add firewalld allow rules
firewalld:
diff --git a/roles/etcd/defaults/main.yaml b/roles/etcd/defaults/main.yaml
index c14137d4e..d12d7a358 100644
--- a/roles/etcd/defaults/main.yaml
+++ b/roles/etcd/defaults/main.yaml
@@ -1,4 +1,7 @@
---
+r_etcd_firewall_enabled: True
+r_etcd_use_firewalld: False
+
etcd_initial_cluster_state: new
etcd_initial_cluster_token: etcd-cluster-1
diff --git a/roles/etcd/tasks/firewall.yml b/roles/etcd/tasks/firewall.yml
index fcfdf5227..4d0f6290a 100644
--- a/roles/etcd/tasks/firewall.yml
+++ b/roles/etcd/tasks/firewall.yml
@@ -1,5 +1,5 @@
---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_etcd_firewall_enabled | bool and not r_etcd_use_firewalld | bool
block:
- name: Add iptables allow rules
os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
when: item.cond | default(True)
with_items: "{{ r_etcd_os_firewall_deny }}"
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_etcd_firewall_enabled | bool and r_etcd_use_firewalld | bool
block:
- name: Add firewalld allow rules
firewalld:
diff --git a/roles/nuage_master/defaults/main.yml b/roles/nuage_master/defaults/main.yml
index 2aed521da..ffab25775 100644
--- a/roles/nuage_master/defaults/main.yml
+++ b/roles/nuage_master/defaults/main.yml
@@ -1,4 +1,7 @@
---
+r_nuage_master_firewall_enabled: True
+r_nuage_master_use_firewalld: False
+
nuage_mon_rest_server_port: '9443'
r_nuage_master_os_firewall_deny: []
diff --git a/roles/nuage_master/tasks/firewall.yml b/roles/nuage_master/tasks/firewall.yml
index b4da2ac83..0057dc9ab 100644
--- a/roles/nuage_master/tasks/firewall.yml
+++ b/roles/nuage_master/tasks/firewall.yml
@@ -1,5 +1,5 @@
---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_nuage_master_firewall_enabled | bool and not r_nuage_master_use_firewalld | bool
block:
- name: Add iptables allow rules
os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
when: item.cond | default(True)
with_items: "{{ r_nuage_master_os_firewall_deny }}"
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_nuage_master_firewall_enabled | bool and r_nuage_master_use_firewalld | bool
block:
- name: Add firewalld allow rules
firewalld:
diff --git a/roles/nuage_node/defaults/main.yml b/roles/nuage_node/defaults/main.yml
index 7a71273e7..b3d2e3cec 100644
--- a/roles/nuage_node/defaults/main.yml
+++ b/roles/nuage_node/defaults/main.yml
@@ -1,4 +1,7 @@
---
+r_nuage_node_firewall_enabled: True
+r_nuage_node_use_firewalld: False
+
nuage_mon_rest_server_port: '9443'
r_nuage_node_os_firewall_deny: []
diff --git a/roles/nuage_node/tasks/firewall.yml b/roles/nuage_node/tasks/firewall.yml
index 008f3a95b..baf600d57 100644
--- a/roles/nuage_node/tasks/firewall.yml
+++ b/roles/nuage_node/tasks/firewall.yml
@@ -1,5 +1,5 @@
---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_nuage_node_firewall_enabled | bool and not r_nuage_node_use_firewalld | bool
block:
- name: Add iptables allow rules
os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
when: item.cond | default(True)
with_items: "{{ r_nuage_node_os_firewall_deny }}"
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_nuage_node_firewall_enabled | bool and r_nuage_node_use_firewalld | bool
block:
- name: Add firewalld allow rules
firewalld:
diff --git a/roles/openshift_hosted/defaults/main.yml b/roles/openshift_hosted/defaults/main.yml
index f1fd0f4b7..13cbfb14e 100644
--- a/roles/openshift_hosted/defaults/main.yml
+++ b/roles/openshift_hosted/defaults/main.yml
@@ -1,4 +1,10 @@
---
+r_openshift_hosted_router_firewall_enabled: True
+r_openshift_hosted_router_use_firewalld: False
+
+r_openshift_hosted_registry_firewall_enabled: True
+r_openshift_hosted_registry_use_firewalld: False
+
registry_volume_claim: 'registry-claim'
openshift_hosted_router_edits:
diff --git a/roles/openshift_hosted/tasks/registry/firewall.yml b/roles/openshift_hosted/tasks/registry/firewall.yml
index f48eb3b12..775b7d6d7 100644
--- a/roles/openshift_hosted/tasks/registry/firewall.yml
+++ b/roles/openshift_hosted/tasks/registry/firewall.yml
@@ -1,5 +1,5 @@
---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_openshift_hosted_registry_firewall_enabled | bool and not r_openshift_hosted_registry_use_firewalld | bool
block:
- name: Add iptables allow rules
os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
when: item.cond | default(True)
with_items: "{{ r_openshift_hosted_registry_os_firewall_deny }}"
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_openshift_hosted_registry_firewall_enabled | bool and r_openshift_hosted_registry_use_firewalld | bool
block:
- name: Add firewalld allow rules
firewalld:
diff --git a/roles/openshift_hosted/tasks/router/firewall.yml b/roles/openshift_hosted/tasks/router/firewall.yml
index fd9a9c2e7..ff90f3372 100644
--- a/roles/openshift_hosted/tasks/router/firewall.yml
+++ b/roles/openshift_hosted/tasks/router/firewall.yml
@@ -1,5 +1,5 @@
---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_openshift_hosted_router_firewall_enabled | bool and not r_openshift_hosted_router_use_firewalld | bool
block:
- name: Add iptables allow rules
os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
when: item.cond | default(True)
with_items: "{{ r_openshift_hosted_router_os_firewall_deny }}"
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_openshift_hosted_router_firewall_enabled | bool and r_openshift_hosted_router_use_firewalld | bool
block:
- name: Add firewalld allow rules
firewalld:
diff --git a/roles/openshift_loadbalancer/defaults/main.yml b/roles/openshift_loadbalancer/defaults/main.yml
index 35a14b1a5..3f6409233 100644
--- a/roles/openshift_loadbalancer/defaults/main.yml
+++ b/roles/openshift_loadbalancer/defaults/main.yml
@@ -1,4 +1,7 @@
---
+r_openshift_loadbalancer_firewall_enabled: True
+r_openshift_loadbalancer_use_firewalld: False
+
haproxy_frontends:
- name: main
binds:
diff --git a/roles/openshift_loadbalancer/tasks/firewall.yml b/roles/openshift_loadbalancer/tasks/firewall.yml
index def868134..7d6e8ff36 100644
--- a/roles/openshift_loadbalancer/tasks/firewall.yml
+++ b/roles/openshift_loadbalancer/tasks/firewall.yml
@@ -1,5 +1,5 @@
---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_openshift_loadbalancer_firewall_enabled | bool and not r_openshift_loadbalancer_use_firewalld | bool
block:
- name: Add iptables allow rules
os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
when: item.cond | default(True)
with_items: "{{ r_openshift_loadbalancer_os_firewall_deny }}"
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_openshift_loadbalancer_firewall_enabled | bool and r_openshift_loadbalancer_use_firewalld | bool
block:
- name: Add firewalld allow rules
firewalld:
diff --git a/roles/openshift_master/defaults/main.yml b/roles/openshift_master/defaults/main.yml
index 0b35c180e..a4c178908 100644
--- a/roles/openshift_master/defaults/main.yml
+++ b/roles/openshift_master/defaults/main.yml
@@ -1,4 +1,7 @@
---
+r_openshift_master_firewall_enabled: True
+r_openshift_master_use_firewalld: False
+
openshift_node_ips: []
r_openshift_master_clean_install: false
r_openshift_master_etcd3_storage: false
diff --git a/roles/openshift_master/tasks/firewall.yml b/roles/openshift_master/tasks/firewall.yml
index 80a91fa2e..e51eeb56e 100644
--- a/roles/openshift_master/tasks/firewall.yml
+++ b/roles/openshift_master/tasks/firewall.yml
@@ -1,5 +1,5 @@
---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_openshift_master_firewall_enabled | bool and not r_openshift_master_use_firewalld | bool
block:
- name: Add iptables allow rules
os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
when: item.cond | default(True)
with_items: "{{ r_openshift_master_os_firewall_deny }}"
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_openshift_master_firewall_enabled | bool and r_openshift_master_use_firewalld | bool
block:
- name: Add firewalld allow rules
firewalld:
diff --git a/roles/openshift_node/defaults/main.yml b/roles/openshift_node/defaults/main.yml
index 92237757c..973b3a619 100644
--- a/roles/openshift_node/defaults/main.yml
+++ b/roles/openshift_node/defaults/main.yml
@@ -1,4 +1,6 @@
---
+r_openshift_node_firewall_enabled: True
+r_openshift_node_use_firewalld: False
r_openshift_node_os_firewall_deny: []
r_openshift_node_os_firewall_allow:
- service: Kubernetes kubelet
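Review bot: The two new keys here run straight into `r_openshift_node_os_firewall_deny` with no blank separator, unlike every other defaults hunk in this commit, which groups the firewall switches as their own stanza. Adding the blank line after `r_openshift_node_use_firewalld: False` keeps the nine defaults files visually consistent and makes the switches easier to spot when grepping.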
diff --git a/roles/openshift_node/tasks/firewall.yml b/roles/openshift_node/tasks/firewall.yml
index 492dcee1d..255aa886a 100644
--- a/roles/openshift_node/tasks/firewall.yml
+++ b/roles/openshift_node/tasks/firewall.yml
@@ -1,5 +1,5 @@
---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_openshift_node_firewall_enabled | bool and not r_openshift_node_use_firewalld | bool
block:
- name: Add iptables allow rules
os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
when: item.cond | default(True)
with_items: "{{ r_openshift_node_os_firewall_deny }}"
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_openshift_node_firewall_enabled | bool and r_openshift_node_use_firewalld | bool
block:
- name: Add firewalld allow rules
firewalld:
diff --git a/roles/openshift_storage_nfs/defaults/main.yml b/roles/openshift_storage_nfs/defaults/main.yml
index 1e9265b00..4a2bc6141 100644
--- a/roles/openshift_storage_nfs/defaults/main.yml
+++ b/roles/openshift_storage_nfs/defaults/main.yml
@@ -1,4 +1,7 @@
---
+r_openshift_storage_nfs_firewall_enabled: True
+r_openshift_storage_nfs_use_firewalld: False
+
r_openshift_storage_nfs_os_firewall_deny: []
r_openshift_storage_nfs_os_firewall_allow:
- service: nfs
diff --git a/roles/openshift_storage_nfs/tasks/firewall.yml b/roles/openshift_storage_nfs/tasks/firewall.yml
index 9bca80b40..c1c318ff4 100644
--- a/roles/openshift_storage_nfs/tasks/firewall.yml
+++ b/roles/openshift_storage_nfs/tasks/firewall.yml
@@ -1,5 +1,5 @@
---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_openshift_storage_nfs_firewall_enabled | bool and not r_openshift_storage_nfs_use_firewalld | bool
block:
- name: Add iptables allow rules
os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
when: item.cond | default(True)
with_items: "{{ r_openshift_storage_nfs_os_firewall_deny }}"
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_openshift_storage_nfs_firewall_enabled | bool and r_openshift_storage_nfs_use_firewalld | bool
block:
- name: Add firewalld allow rules
firewalld:
diff --git a/roles/os_firewall/README.md b/roles/os_firewall/README.md
index e7ef544f4..be0b8291a 100644
--- a/roles/os_firewall/README.md
+++ b/roles/os_firewall/README.md
@@ -1,8 +1,8 @@
OS Firewall
===========
-OS Firewall manages firewalld and iptables firewall settings for a minimal use
-case (Adding/Removing rules based on protocol and port number).
+OS Firewall manages firewalld and iptables installation.
+case.
Note: firewalld is not supported on Atomic Host
https://bugzilla.redhat.com/show_bug.cgi?id=1403331
@@ -18,8 +18,6 @@ Role Variables
| Name | Default | |
|---------------------------|---------|----------------------------------------|
| os_firewall_use_firewalld | False | If false, use iptables |
-| os_firewall_allow | [] | List of service,port mappings to allow |
-| os_firewall_deny | [] | List of service, port mappings to deny |
Dependencies
------------
@@ -29,34 +27,27 @@ None.
Example Playbook
----------------
-Use iptables and open tcp ports 80 and 443:
+Use iptables:
```
---
- hosts: servers
- vars:
- os_firewall_use_firewalld: false
- os_firewall_allow:
- - service: httpd
- port: 80/tcp
- - service: https
- port: 443/tcp
- roles:
- - os_firewall
+ task:
+ - include_role:
+ name: os_firewall
+ vars:
+ os_firewall_use_firewalld: false
```
-Use firewalld and open tcp port 443 and close previously open tcp port 80:
+Use firewalld:
```
---
- hosts: servers
vars:
- os_firewall_allow:
- - service: https
- port: 443/tcp
- os_firewall_deny:
- - service: httpd
- port: 80/tcp
- roles:
- - os_firewall
+ tasks:
+ - include_role:
+ name: os_firewall
+ vars:
+ os_firewall_use_firewalld: true
```
License
diff --git a/roles/os_firewall/defaults/main.yml b/roles/os_firewall/defaults/main.yml
index 01859e5fc..f96a80f1c 100644
--- a/roles/os_firewall/defaults/main.yml
+++ b/roles/os_firewall/defaults/main.yml
@@ -3,5 +3,3 @@ os_firewall_enabled: True
# firewalld is not supported on Atomic Host
# https://bugzilla.redhat.com/show_bug.cgi?id=1403331
os_firewall_use_firewalld: "{{ False }}"
-os_firewall_allow: []
-os_firewall_deny: []