diff --git a/contrib/terraform/openstack/README.md b/contrib/terraform/openstack/README.md
index c22c92e5c..b19d3bb5b 100644
--- a/contrib/terraform/openstack/README.md
+++ b/contrib/terraform/openstack/README.md
@@ -243,6 +243,7 @@ For your cluster, edit `inventory/$CLUSTER/cluster.tf`.
 |`supplementary_master_groups` | To add ansible groups to the masters, such as `kube-node` for tainting them as nodes, empty by default. |
 |`supplementary_node_groups` | To add ansible groups to the nodes, such as `kube-ingress` for running ingress controller pods, empty by default. |
 |`bastion_allowed_remote_ips` | List of CIDR allowed to initiate a SSH connection, `["0.0.0.0/0"]` by default |
+|`master_allowed_remote_ips` | List of CIDR blocks allowed to initiate an API connection, `["0.0.0.0/0"]` by default |
 |`k8s_allowed_remote_ips` | List of CIDR allowed to initiate a SSH connection, empty by default |
 |`worker_allowed_ports` | List of ports to open on worker nodes, `[{ "protocol" = "tcp", "port_range_min" = 30000, "port_range_max" = 32767, "remote_ip_prefix" = "0.0.0.0/0"}]` by default |
diff --git a/contrib/terraform/openstack/kubespray.tf b/contrib/terraform/openstack/kubespray.tf
index ac10c4f26..97f82c74d 100644
--- a/contrib/terraform/openstack/kubespray.tf
+++ b/contrib/terraform/openstack/kubespray.tf
@@ -52,6 +52,7 @@ module "compute" {
   k8s_node_fips = "${module.ips.k8s_node_fips}"
   bastion_fips = "${module.ips.bastion_fips}"
   bastion_allowed_remote_ips = "${var.bastion_allowed_remote_ips}"
+  master_allowed_remote_ips = "${var.master_allowed_remote_ips}"
   k8s_allowed_remote_ips = "${var.k8s_allowed_remote_ips}"
   k8s_allowed_egress_ips = "${var.k8s_allowed_egress_ips}"
   supplementary_master_groups = "${var.supplementary_master_groups}"
diff --git a/contrib/terraform/openstack/modules/compute/main.tf b/contrib/terraform/openstack/modules/compute/main.tf
index 4bfb0c23c..9e35d4d7c 100644
--- a/contrib/terraform/openstack/modules/compute/main.tf
+++ b/contrib/terraform/openstack/modules/compute/main.tf
@@ -10,12 +10,13 @@ resource "openstack_networking_secgroup_v2" "k8s_master" {
 }
 
 resource "openstack_networking_secgroup_rule_v2" "k8s_master" {
+  count = "${length(var.master_allowed_remote_ips)}"
   direction = "ingress"
   ethertype = "IPv4"
   protocol = "tcp"
   port_range_min = "6443"
   port_range_max = "6443"
-  remote_ip_prefix = "0.0.0.0/0"
+  remote_ip_prefix = "${var.master_allowed_remote_ips[count.index]}"
   security_group_id = "${openstack_networking_secgroup_v2.k8s_master.id}"
 }
diff --git a/contrib/terraform/openstack/modules/compute/variables.tf b/contrib/terraform/openstack/modules/compute/variables.tf
index 73d657e6d..dfb438128 100644
--- a/contrib/terraform/openstack/modules/compute/variables.tf
+++ b/contrib/terraform/openstack/modules/compute/variables.tf
@@ -66,6 +66,10 @@ variable "bastion_allowed_remote_ips" {
   type = "list"
 }
 
+variable "master_allowed_remote_ips" {
+  type = "list"
+}
+
 variable "k8s_allowed_remote_ips" {
   type = "list"
 }
diff --git a/contrib/terraform/openstack/variables.tf b/contrib/terraform/openstack/variables.tf
index 911755d9e..97c8e33ed 100644
--- a/contrib/terraform/openstack/variables.tf
+++ b/contrib/terraform/openstack/variables.tf
@@ -145,6 +145,12 @@ variable "bastion_allowed_remote_ips" {
   default = ["0.0.0.0/0"]
 }
 
+variable "master_allowed_remote_ips" {
+  description = "An array of CIDRs allowed to access API of masters"
+  type = "list"
+  default = ["0.0.0.0/0"]
+}
+
 variable "k8s_allowed_remote_ips" {
   description = "An array of CIDRs allowed to SSH to hosts"
   type = "list"
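Review bot: In the modules/compute/main.tf hunk, `count = "${length(var.master_allowed_remote_ips)}"` means an empty list yields zero ingress rules on 6443, so the API server becomes unreachable from outside the `k8s_master` security group with no plan-time warning; this differs from the neighbouring `k8s_allowed_remote_ips`, which the README hunk documents as empty by default. A comment on the resource, `# One 6443 ingress rule per CIDR; an empty list leaves the API closed to all external sources`, would make that explicit for operators. The root default added in the variables.tf hunk stays `["0.0.0.0/0"]`, so the default posture remains an API endpoint open to any source; its `description` could say that operators are expected to narrow it to their management ranges, mirroring how `bastion_allowed_remote_ips` is meant to be used. The module-level declaration in modules/compute/variables.tf carries no `description` at all, unlike the root variable.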