add master_allowed_remote_ips (with terraform fmt) (#4022)
This commit is contained in:
parent
12086744e0
commit
873b5608cf
5 changed files with 14 additions and 1 deletions
|
@ -243,6 +243,7 @@ For your cluster, edit `inventory/$CLUSTER/cluster.tf`.
|
|||
|`supplementary_master_groups` | To add ansible groups to the masters, such as `kube-node` for tainting them as nodes, empty by default. |
|
||||
|`supplementary_node_groups` | To add ansible groups to the nodes, such as `kube-ingress` for running ingress controller pods, empty by default. |
|
||||
|`bastion_allowed_remote_ips` | List of CIDR allowed to initiate a SSH connection, `["0.0.0.0/0"]` by default |
|
||||
|`master_allowed_remote_ips` | List of CIDR blocks allowed to initiate an API connection, `["0.0.0.0/0"]` by default |
|
||||
|`k8s_allowed_remote_ips` | List of CIDR allowed to initiate a SSH connection, empty by default |
|
||||
|`worker_allowed_ports` | List of ports to open on worker nodes, `[{ "protocol" = "tcp", "port_range_min" = 30000, "port_range_max" = 32767, "remote_ip_prefix" = "0.0.0.0/0"}]` by default |
|
||||
|
||||
|
|
|
@ -52,6 +52,7 @@ module "compute" {
|
|||
k8s_node_fips = "${module.ips.k8s_node_fips}"
|
||||
bastion_fips = "${module.ips.bastion_fips}"
|
||||
bastion_allowed_remote_ips = "${var.bastion_allowed_remote_ips}"
|
||||
master_allowed_remote_ips = "${var.master_allowed_remote_ips}"
|
||||
k8s_allowed_remote_ips = "${var.k8s_allowed_remote_ips}"
|
||||
k8s_allowed_egress_ips = "${var.k8s_allowed_egress_ips}"
|
||||
supplementary_master_groups = "${var.supplementary_master_groups}"
|
||||
|
|
|
@ -10,12 +10,13 @@ resource "openstack_networking_secgroup_v2" "k8s_master" {
|
|||
}
|
||||
|
||||
resource "openstack_networking_secgroup_rule_v2" "k8s_master" {
|
||||
count = "${length(var.master_allowed_remote_ips)}"
|
||||
direction = "ingress"
|
||||
ethertype = "IPv4"
|
||||
protocol = "tcp"
|
||||
port_range_min = "6443"
|
||||
port_range_max = "6443"
|
||||
remote_ip_prefix = "0.0.0.0/0"
|
||||
remote_ip_prefix = "${var.master_allowed_remote_ips[count.index]}"
|
||||
security_group_id = "${openstack_networking_secgroup_v2.k8s_master.id}"
|
||||
}
|
||||
|
||||
|
|
|
@ -66,6 +66,10 @@ variable "bastion_allowed_remote_ips" {
|
|||
type = "list"
|
||||
}
|
||||
|
||||
variable "master_allowed_remote_ips" {
|
||||
type = "list"
|
||||
}
|
||||
|
||||
variable "k8s_allowed_remote_ips" {
|
||||
type = "list"
|
||||
}
|
||||
|
|
|
@ -145,6 +145,12 @@ variable "bastion_allowed_remote_ips" {
|
|||
default = ["0.0.0.0/0"]
|
||||
}
|
||||
|
||||
variable "master_allowed_remote_ips" {
|
||||
description = "An array of CIDRs allowed to access API of masters"
|
||||
type = "list"
|
||||
default = ["0.0.0.0/0"]
|
||||
}
|
||||
|
||||
variable "k8s_allowed_remote_ips" {
|
||||
description = "An array of CIDRs allowed to SSH to hosts"
|
||||
type = "list"
|
||||
|
|
Loading…
Reference in a new issue