From 3f10c266aab0881ab294513d4ef93a1528d33c6b Mon Sep 17 00:00:00 2001 From: Bogdan Dobrelya Date: Wed, 21 Jun 2017 13:32:48 +0200 Subject: Fix flat sec group and infra/dns sec rules Make flat sec group to only merge node/master/etcd sec rules. Add basic dns/ssh sec group and assign it to all but dns node groups. Assign only dns sec group for dns nodes. Assign only infra (and basic) sec groups for ingra nodes. Add security notes for openstack provider. Signed-off-by: Bogdan Dobrelya --- playbooks/provisioning/openstack/README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'playbooks/provisioning') diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md index 423d57113..df00e5507 100644 --- a/playbooks/provisioning/openstack/README.md +++ b/playbooks/provisioning/openstack/README.md @@ -72,6 +72,17 @@ stacks. Set it to true, if you experience issues with sec group rules quotas. It trades security for number of rules, by sharing the same set of firewall rules for master, node, etcd and infra nodes. +#### Security notes + +Configure required `*_ingress_cidr` variables to restrict public access +to provisioned servers from your laptop (a /32 notation should be used) +or your trusted network. The most important is the `node_ingress_cidr` +that restricts public access to the deployed DNS server and cluster +nodes' ephemeral ports range. + +Note, the command ``curl https://api.ipify.org`` helps fiding an external +IP address of your box (the ansible admin node). + ### Update the DNS names in `inventory/hosts` The different server groups are currently grouped by the domain name, -- cgit v1.2.3