[Openstack] Add bastion_allowed_ports to allow custom security group rules on bastion node (#9336)
* make it possible to configure bastion remote ips * Update README.md
This commit is contained in:
parent
3646dc0bd2
commit
49196c2ec4
5 changed files with 23 additions and 0 deletions
|
@ -270,6 +270,7 @@ For your cluster, edit `inventory/$CLUSTER/cluster.tfvars`.
|
||||||
|`supplementary_node_groups` | To add ansible groups to the nodes, such as `kube_ingress` for running ingress controller pods, empty by default. |
|
|`supplementary_node_groups` | To add ansible groups to the nodes, such as `kube_ingress` for running ingress controller pods, empty by default. |
|
||||||
|`bastion_allowed_remote_ips` | List of CIDR allowed to initiate a SSH connection, `["0.0.0.0/0"]` by default |
|
|`bastion_allowed_remote_ips` | List of CIDR allowed to initiate a SSH connection, `["0.0.0.0/0"]` by default |
|
||||||
|`master_allowed_remote_ips` | List of CIDR blocks allowed to initiate an API connection, `["0.0.0.0/0"]` by default |
|
|`master_allowed_remote_ips` | List of CIDR blocks allowed to initiate an API connection, `["0.0.0.0/0"]` by default |
|
||||||
|
|`bastion_allowed_ports` | List of ports to open on bastion node, `[]` by default |
|
||||||
|`k8s_allowed_remote_ips` | List of CIDR allowed to initiate a SSH connection, empty by default |
|
|`k8s_allowed_remote_ips` | List of CIDR allowed to initiate a SSH connection, empty by default |
|
||||||
|`worker_allowed_ports` | List of ports to open on worker nodes, `[{ "protocol" = "tcp", "port_range_min" = 30000, "port_range_max" = 32767, "remote_ip_prefix" = "0.0.0.0/0"}]` by default |
|
|`worker_allowed_ports` | List of ports to open on worker nodes, `[{ "protocol" = "tcp", "port_range_min" = 30000, "port_range_max" = 32767, "remote_ip_prefix" = "0.0.0.0/0"}]` by default |
|
||||||
|`master_allowed_ports` | List of ports to open on master nodes, expected format is `[{ "protocol" = "tcp", "port_range_min" = 443, "port_range_max" = 443, "remote_ip_prefix" = "0.0.0.0/0"}]`, empty by default |
|
|`master_allowed_ports` | List of ports to open on master nodes, expected format is `[{ "protocol" = "tcp", "port_range_min" = 443, "port_range_max" = 443, "remote_ip_prefix" = "0.0.0.0/0"}]`, empty by default |
|
||||||
|
|
|
@ -84,6 +84,7 @@ module "compute" {
|
||||||
supplementary_node_groups = var.supplementary_node_groups
|
supplementary_node_groups = var.supplementary_node_groups
|
||||||
master_allowed_ports = var.master_allowed_ports
|
master_allowed_ports = var.master_allowed_ports
|
||||||
worker_allowed_ports = var.worker_allowed_ports
|
worker_allowed_ports = var.worker_allowed_ports
|
||||||
|
bastion_allowed_ports = var.bastion_allowed_ports
|
||||||
use_access_ip = var.use_access_ip
|
use_access_ip = var.use_access_ip
|
||||||
master_server_group_policy = var.master_server_group_policy
|
master_server_group_policy = var.master_server_group_policy
|
||||||
node_server_group_policy = var.node_server_group_policy
|
node_server_group_policy = var.node_server_group_policy
|
||||||
|
|
|
@ -82,6 +82,17 @@ resource "openstack_networking_secgroup_rule_v2" "bastion" {
|
||||||
security_group_id = openstack_networking_secgroup_v2.bastion[0].id
|
security_group_id = openstack_networking_secgroup_v2.bastion[0].id
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "openstack_networking_secgroup_rule_v2" "k8s_bastion_ports" {
|
||||||
|
count = length(var.bastion_allowed_ports)
|
||||||
|
direction = "ingress"
|
||||||
|
ethertype = "IPv4"
|
||||||
|
protocol = lookup(var.bastion_allowed_ports[count.index], "protocol", "tcp")
|
||||||
|
port_range_min = lookup(var.bastion_allowed_ports[count.index], "port_range_min")
|
||||||
|
port_range_max = lookup(var.bastion_allowed_ports[count.index], "port_range_max")
|
||||||
|
remote_ip_prefix = lookup(var.bastion_allowed_ports[count.index], "remote_ip_prefix", "0.0.0.0/0")
|
||||||
|
security_group_id = openstack_networking_secgroup_v2.bastion[0].id
|
||||||
|
}
|
||||||
|
|
||||||
resource "openstack_networking_secgroup_v2" "k8s" {
|
resource "openstack_networking_secgroup_v2" "k8s" {
|
||||||
name = "${var.cluster_name}-k8s"
|
name = "${var.cluster_name}-k8s"
|
||||||
description = "${var.cluster_name} - Kubernetes"
|
description = "${var.cluster_name} - Kubernetes"
|
||||||
|
|
|
@ -136,6 +136,10 @@ variable "worker_allowed_ports" {
|
||||||
type = list
|
type = list
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "bastion_allowed_ports" {
|
||||||
|
type = list
|
||||||
|
}
|
||||||
|
|
||||||
variable "use_access_ip" {}
|
variable "use_access_ip" {}
|
||||||
|
|
||||||
variable "master_server_group_policy" {
|
variable "master_server_group_policy" {
|
||||||
|
|
|
@ -257,6 +257,12 @@ variable "worker_allowed_ports" {
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "bastion_allowed_ports" {
|
||||||
|
type = list(any)
|
||||||
|
|
||||||
|
default = []
|
||||||
|
}
|
||||||
|
|
||||||
variable "use_access_ip" {
|
variable "use_access_ip" {
|
||||||
default = 1
|
default = 1
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue