
Disable usage of default security group (#4533)

pull/4551/head
Maxime Guyot 5 years ago
committed by Kubernetes Prow Robot
parent
commit
1cf76a10db
4 changed files with 33 additions and 18 deletions
  1. 1
      contrib/terraform/openstack/kubespray.tf
  2. 40
      contrib/terraform/openstack/modules/compute/main.tf
  3. 4
      contrib/terraform/openstack/modules/compute/variables.tf
  4. 6
      contrib/terraform/openstack/variables.tf

1
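--- a/contrib/terraform/openstack/kubespray.tf
+++ b/contrib/terraform/openstack/kubespray.tf
@@ -53,6 +53,7 @@ module "compute" {
 bastion_fips = "${module.ips.bastion_fips}"
 bastion_allowed_remote_ips = "${var.bastion_allowed_remote_ips}"
 k8s_allowed_remote_ips = "${var.k8s_allowed_remote_ips}"
+k8s_allowed_egress_ips = "${var.k8s_allowed_egress_ips}"
 supplementary_master_groups = "${var.supplementary_master_groups}"
 supplementary_node_groups = "${var.supplementary_node_groups}"
 worker_allowed_ports = "${var.worker_allowed_ports}"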

40
contrib/terraform/openstack/modules/compute/main.tf

@ -4,8 +4,9 @@ resource "openstack_compute_keypair_v2" "k8s" {
} }
resource "openstack_networking_secgroup_v2" "k8s_master" { resource "openstack_networking_secgroup_v2" "k8s_master" {
name = "${var.cluster_name}-k8s-master"
description = "${var.cluster_name} - Kubernetes Master"
name = "${var.cluster_name}-k8s-master"
description = "${var.cluster_name} - Kubernetes Master"
delete_default_rules = true
} }
resource "openstack_networking_secgroup_rule_v2" "k8s_master" { resource "openstack_networking_secgroup_rule_v2" "k8s_master" {
@ -19,9 +20,10 @@ resource "openstack_networking_secgroup_rule_v2" "k8s_master" {
} }
resource "openstack_networking_secgroup_v2" "bastion" { resource "openstack_networking_secgroup_v2" "bastion" {
name = "${var.cluster_name}-bastion"
count = "${var.number_of_bastions ? 1 : 0}"
description = "${var.cluster_name} - Bastion Server"
name = "${var.cluster_name}-bastion"
count = "${var.number_of_bastions ? 1 : 0}"
description = "${var.cluster_name} - Bastion Server"
delete_default_rules = true
} }
resource "openstack_networking_secgroup_rule_v2" "bastion" { resource "openstack_networking_secgroup_rule_v2" "bastion" {
@ -36,8 +38,9 @@ resource "openstack_networking_secgroup_rule_v2" "bastion" {
} }
resource "openstack_networking_secgroup_v2" "k8s" { resource "openstack_networking_secgroup_v2" "k8s" {
name = "${var.cluster_name}-k8s"
description = "${var.cluster_name} - Kubernetes"
name = "${var.cluster_name}-k8s"
description = "${var.cluster_name} - Kubernetes"
delete_default_rules = true
} }
resource "openstack_networking_secgroup_rule_v2" "k8s" { resource "openstack_networking_secgroup_rule_v2" "k8s" {
@ -58,9 +61,18 @@ resource "openstack_networking_secgroup_rule_v2" "k8s_allowed_remote_ips" {
security_group_id = "${openstack_networking_secgroup_v2.k8s.id}" security_group_id = "${openstack_networking_secgroup_v2.k8s.id}"
} }
resource "openstack_networking_secgroup_rule_v2" "egress" {
count = "${length(var.k8s_allowed_egress_ips)}"
direction = "egress"
ethertype = "IPv4"
remote_ip_prefix = "${var.k8s_allowed_egress_ips[count.index]}"
security_group_id = "${openstack_networking_secgroup_v2.k8s.id}"
}
resource "openstack_networking_secgroup_v2" "worker" { resource "openstack_networking_secgroup_v2" "worker" {
name = "${var.cluster_name}-k8s-worker"
description = "${var.cluster_name} - Kubernetes worker nodes"
name = "${var.cluster_name}-k8s-worker"
description = "${var.cluster_name} - Kubernetes worker nodes"
delete_default_rules = true
} }
resource "openstack_networking_secgroup_rule_v2" "worker" { resource "openstack_networking_secgroup_rule_v2" "worker" {
@ -87,7 +99,6 @@ resource "openstack_compute_instance_v2" "bastion" {
security_groups = ["${openstack_networking_secgroup_v2.k8s.name}", security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
"${openstack_networking_secgroup_v2.bastion.name}", "${openstack_networking_secgroup_v2.bastion.name}",
"default",
] ]
metadata = { metadata = {
@ -115,7 +126,6 @@ resource "openstack_compute_instance_v2" "k8s_master" {
security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}", security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
"${openstack_networking_secgroup_v2.k8s.name}", "${openstack_networking_secgroup_v2.k8s.name}",
"default",
] ]
metadata = { metadata = {
@ -143,7 +153,6 @@ resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}", security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
"${openstack_networking_secgroup_v2.k8s.name}", "${openstack_networking_secgroup_v2.k8s.name}",
"default",
] ]
metadata = { metadata = {
@ -192,7 +201,6 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip" {
security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}", security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
"${openstack_networking_secgroup_v2.k8s.name}", "${openstack_networking_secgroup_v2.k8s.name}",
"default",
] ]
metadata = { metadata = {
@ -239,7 +247,6 @@ resource "openstack_compute_instance_v2" "k8s_node" {
security_groups = ["${openstack_networking_secgroup_v2.k8s.name}", security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
"${openstack_networking_secgroup_v2.worker.name}", "${openstack_networking_secgroup_v2.worker.name}",
"default",
] ]
metadata = { metadata = {
@ -267,7 +274,6 @@ resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip" {
security_groups = ["${openstack_networking_secgroup_v2.k8s.name}", security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
"${openstack_networking_secgroup_v2.worker.name}", "${openstack_networking_secgroup_v2.worker.name}",
"default",
] ]
metadata = { metadata = {
@ -314,9 +320,7 @@ resource "openstack_compute_instance_v2" "glusterfs_node_no_floating_ip" {
name = "${var.network_name}" name = "${var.network_name}"
} }
security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
"default",
]
security_groups = ["${openstack_networking_secgroup_v2.k8s.name}"]
metadata = { metadata = {
ssh_user = "${var.ssh_user_gfs}" ssh_user = "${var.ssh_user_gfs}"
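Review bot: The new `egress` rule in the `@ -58,9 +61,18` hunk only covers `ethertype = "IPv4"`, while `delete_default_rules = true` on the four security groups also removes Neutron's default IPv6 egress rule, so once `"default"` is no longer attached to the instances any IPv6 egress from the nodes is closed; if the tenant network carries IPv6 this needs a companion rule with `ethertype = "IPv6"`, otherwise the IPv4-only scope should be stated. As far as these hunks show, that resource is also the only egress permission left (every instance carries the `k8s` group and no other group gets an egress rule here), so `count = "${length(var.k8s_allowed_egress_ips)}"` evaluating to 0 leaves the nodes with no outbound connectivity at all, with nothing to fall back on. I would add a comment above the resource: `# Sole egress permission for the cluster: default rules are deleted on every group, so an empty k8s_allowed_egress_ips closes all outbound traffic (IPv4 only; add an IPv6 rule if needed).` The same `delete_default_rules = true` change applies to the `k8s_master`, `bastion`, `k8s` and `worker` group hunks, and the `openstack_networking_secgroup_rule_v2` resources that define the remaining ingress rules lie outside these hunks.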

4
contrib/terraform/openstack/modules/compute/variables.tf

@ -70,6 +70,10 @@ variable "k8s_allowed_remote_ips" {
type = "list" type = "list"
} }
variable "k8s_allowed_egress_ips" {
type = "list"
}
variable "supplementary_master_groups" { variable "supplementary_master_groups" {
default = "" default = ""
} }

6
contrib/terraform/openstack/variables.tf

@ -151,6 +151,12 @@ variable "k8s_allowed_remote_ips" {
default = [] default = []
} }
variable "k8s_allowed_egress_ips" {
description = "An array of CIDRs allowed for egress traffic"
type = "list"
default = ["0.0.0.0/0"]
}
variable "worker_allowed_ports" { variable "worker_allowed_ports" {
type = "list" type = "list"
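Review bot: The `description` on `k8s_allowed_egress_ips` does not say that this list is the only egress permission left once the default security group is detached, nor that it is applied as an IPv4 rule, so a user who narrows it to `[]` or to IPv6 prefixes ends up with a cluster that cannot pull anything from outside and gets no hint from the variable itself. The `["0.0.0.0/0"]` default keeps the previously open egress behaviour, which is the right backward-compatible choice for the change. I would change the line to `description = "An array of IPv4 CIDRs allowed for egress traffic from the cluster; default security group rules are removed, so an empty list blocks all outbound traffic"`.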
