Disable usage of default security group (#4533)
This commit is contained in:
parent
d83181a2be
commit
1cf76a10db
4 changed files with 33 additions and 18 deletions
|
@ -53,6 +53,7 @@ module "compute" {
|
||||||
bastion_fips = "${module.ips.bastion_fips}"
|
bastion_fips = "${module.ips.bastion_fips}"
|
||||||
bastion_allowed_remote_ips = "${var.bastion_allowed_remote_ips}"
|
bastion_allowed_remote_ips = "${var.bastion_allowed_remote_ips}"
|
||||||
k8s_allowed_remote_ips = "${var.k8s_allowed_remote_ips}"
|
k8s_allowed_remote_ips = "${var.k8s_allowed_remote_ips}"
|
||||||
|
k8s_allowed_egress_ips = "${var.k8s_allowed_egress_ips}"
|
||||||
supplementary_master_groups = "${var.supplementary_master_groups}"
|
supplementary_master_groups = "${var.supplementary_master_groups}"
|
||||||
supplementary_node_groups = "${var.supplementary_node_groups}"
|
supplementary_node_groups = "${var.supplementary_node_groups}"
|
||||||
worker_allowed_ports = "${var.worker_allowed_ports}"
|
worker_allowed_ports = "${var.worker_allowed_ports}"
|
||||||
|
|
|
@ -6,6 +6,7 @@ resource "openstack_compute_keypair_v2" "k8s" {
|
||||||
resource "openstack_networking_secgroup_v2" "k8s_master" {
|
resource "openstack_networking_secgroup_v2" "k8s_master" {
|
||||||
name = "${var.cluster_name}-k8s-master"
|
name = "${var.cluster_name}-k8s-master"
|
||||||
description = "${var.cluster_name} - Kubernetes Master"
|
description = "${var.cluster_name} - Kubernetes Master"
|
||||||
|
delete_default_rules = true
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "openstack_networking_secgroup_rule_v2" "k8s_master" {
|
resource "openstack_networking_secgroup_rule_v2" "k8s_master" {
|
||||||
|
@ -22,6 +23,7 @@ resource "openstack_networking_secgroup_v2" "bastion" {
|
||||||
name = "${var.cluster_name}-bastion"
|
name = "${var.cluster_name}-bastion"
|
||||||
count = "${var.number_of_bastions ? 1 : 0}"
|
count = "${var.number_of_bastions ? 1 : 0}"
|
||||||
description = "${var.cluster_name} - Bastion Server"
|
description = "${var.cluster_name} - Bastion Server"
|
||||||
|
delete_default_rules = true
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "openstack_networking_secgroup_rule_v2" "bastion" {
|
resource "openstack_networking_secgroup_rule_v2" "bastion" {
|
||||||
|
@ -38,6 +40,7 @@ resource "openstack_networking_secgroup_rule_v2" "bastion" {
|
||||||
resource "openstack_networking_secgroup_v2" "k8s" {
|
resource "openstack_networking_secgroup_v2" "k8s" {
|
||||||
name = "${var.cluster_name}-k8s"
|
name = "${var.cluster_name}-k8s"
|
||||||
description = "${var.cluster_name} - Kubernetes"
|
description = "${var.cluster_name} - Kubernetes"
|
||||||
|
delete_default_rules = true
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "openstack_networking_secgroup_rule_v2" "k8s" {
|
resource "openstack_networking_secgroup_rule_v2" "k8s" {
|
||||||
|
@ -58,9 +61,18 @@ resource "openstack_networking_secgroup_rule_v2" "k8s_allowed_remote_ips" {
|
||||||
security_group_id = "${openstack_networking_secgroup_v2.k8s.id}"
|
security_group_id = "${openstack_networking_secgroup_v2.k8s.id}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "openstack_networking_secgroup_rule_v2" "egress" {
|
||||||
|
count = "${length(var.k8s_allowed_egress_ips)}"
|
||||||
|
direction = "egress"
|
||||||
|
ethertype = "IPv4"
|
||||||
|
remote_ip_prefix = "${var.k8s_allowed_egress_ips[count.index]}"
|
||||||
|
security_group_id = "${openstack_networking_secgroup_v2.k8s.id}"
|
||||||
|
}
|
||||||
|
|
||||||
resource "openstack_networking_secgroup_v2" "worker" {
|
resource "openstack_networking_secgroup_v2" "worker" {
|
||||||
name = "${var.cluster_name}-k8s-worker"
|
name = "${var.cluster_name}-k8s-worker"
|
||||||
description = "${var.cluster_name} - Kubernetes worker nodes"
|
description = "${var.cluster_name} - Kubernetes worker nodes"
|
||||||
|
delete_default_rules = true
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "openstack_networking_secgroup_rule_v2" "worker" {
|
resource "openstack_networking_secgroup_rule_v2" "worker" {
|
||||||
|
@ -87,7 +99,6 @@ resource "openstack_compute_instance_v2" "bastion" {
|
||||||
|
|
||||||
security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
|
security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
|
||||||
"${openstack_networking_secgroup_v2.bastion.name}",
|
"${openstack_networking_secgroup_v2.bastion.name}",
|
||||||
"default",
|
|
||||||
]
|
]
|
||||||
|
|
||||||
metadata = {
|
metadata = {
|
||||||
|
@ -115,7 +126,6 @@ resource "openstack_compute_instance_v2" "k8s_master" {
|
||||||
|
|
||||||
security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
|
security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
|
||||||
"${openstack_networking_secgroup_v2.k8s.name}",
|
"${openstack_networking_secgroup_v2.k8s.name}",
|
||||||
"default",
|
|
||||||
]
|
]
|
||||||
|
|
||||||
metadata = {
|
metadata = {
|
||||||
|
@ -143,7 +153,6 @@ resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
|
||||||
|
|
||||||
security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
|
security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
|
||||||
"${openstack_networking_secgroup_v2.k8s.name}",
|
"${openstack_networking_secgroup_v2.k8s.name}",
|
||||||
"default",
|
|
||||||
]
|
]
|
||||||
|
|
||||||
metadata = {
|
metadata = {
|
||||||
|
@ -192,7 +201,6 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip" {
|
||||||
|
|
||||||
security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
|
security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
|
||||||
"${openstack_networking_secgroup_v2.k8s.name}",
|
"${openstack_networking_secgroup_v2.k8s.name}",
|
||||||
"default",
|
|
||||||
]
|
]
|
||||||
|
|
||||||
metadata = {
|
metadata = {
|
||||||
|
@ -239,7 +247,6 @@ resource "openstack_compute_instance_v2" "k8s_node" {
|
||||||
|
|
||||||
security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
|
security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
|
||||||
"${openstack_networking_secgroup_v2.worker.name}",
|
"${openstack_networking_secgroup_v2.worker.name}",
|
||||||
"default",
|
|
||||||
]
|
]
|
||||||
|
|
||||||
metadata = {
|
metadata = {
|
||||||
|
@ -267,7 +274,6 @@ resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip" {
|
||||||
|
|
||||||
security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
|
security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
|
||||||
"${openstack_networking_secgroup_v2.worker.name}",
|
"${openstack_networking_secgroup_v2.worker.name}",
|
||||||
"default",
|
|
||||||
]
|
]
|
||||||
|
|
||||||
metadata = {
|
metadata = {
|
||||||
|
@ -314,9 +320,7 @@ resource "openstack_compute_instance_v2" "glusterfs_node_no_floating_ip" {
|
||||||
name = "${var.network_name}"
|
name = "${var.network_name}"
|
||||||
}
|
}
|
||||||
|
|
||||||
security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
|
security_groups = ["${openstack_networking_secgroup_v2.k8s.name}"]
|
||||||
"default",
|
|
||||||
]
|
|
||||||
|
|
||||||
metadata = {
|
metadata = {
|
||||||
ssh_user = "${var.ssh_user_gfs}"
|
ssh_user = "${var.ssh_user_gfs}"
|
||||||
|
|
|
@ -70,6 +70,10 @@ variable "k8s_allowed_remote_ips" {
|
||||||
type = "list"
|
type = "list"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "k8s_allowed_egress_ips" {
|
||||||
|
type = "list"
|
||||||
|
}
|
||||||
|
|
||||||
variable "supplementary_master_groups" {
|
variable "supplementary_master_groups" {
|
||||||
default = ""
|
default = ""
|
||||||
}
|
}
|
||||||
|
|
|
@ -151,6 +151,12 @@ variable "k8s_allowed_remote_ips" {
|
||||||
default = []
|
default = []
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "k8s_allowed_egress_ips" {
|
||||||
|
description = "An array of CIDRs allowed for egress traffic"
|
||||||
|
type = "list"
|
||||||
|
default = ["0.0.0.0/0"]
|
||||||
|
}
|
||||||
|
|
||||||
variable "worker_allowed_ports" {
|
variable "worker_allowed_ports" {
|
||||||
type = "list"
|
type = "list"
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue