diff --git a/contrib/terraform/openstack/README.md b/contrib/terraform/openstack/README.md
index 15b101fe17c2a25b864cdd352f63c6e444b926eb..936537fc9aba5b0760081f83981c5761440ddd0d 100644
--- a/contrib/terraform/openstack/README.md
+++ b/contrib/terraform/openstack/README.md
@@ -224,6 +224,7 @@ For your cluster, edit `inventory/$CLUSTER/cluster.tf`.
 | `gfs_volume_size_in_gb` | Size of the non-ephemeral volumes to be attached to store the GlusterFS bricks |
 |`supplementary_master_groups` | To add ansible groups to the masters, such as `kube-node` for tainting them as nodes, empty by default. |
 |`supplementary_node_groups` | To add ansible groups to the nodes, such as `kube-ingress` for running ingress controller pods, empty by default. |
+|`bastion_allowed_remote_ips` | List of CIDR allowed to initiate a SSH connection, `["0.0.0.0/0"]` by default |
 
 #### Terraform state files
 
diff --git a/contrib/terraform/openstack/kubespray.tf b/contrib/terraform/openstack/kubespray.tf
index 8e5d05adfbef9708d1d0cd46e9d1b809e269d1a1..8c733e1895f5c58af7c9713addaff102856df852 100644
--- a/contrib/terraform/openstack/kubespray.tf
+++ b/contrib/terraform/openstack/kubespray.tf
@@ -50,6 +50,7 @@ module "compute" {
   k8s_master_fips                              = "${module.ips.k8s_master_fips}"
   k8s_node_fips                                = "${module.ips.k8s_node_fips}"
   bastion_fips                                 = "${module.ips.bastion_fips}"
+  bastion_allowed_remote_ips                   = "${var.bastion_allowed_remote_ips}"
   supplementary_master_groups                  = "${var.supplementary_master_groups}"
   supplementary_node_groups                    = "${var.supplementary_node_groups}"
 
diff --git a/contrib/terraform/openstack/modules/compute/main.tf b/contrib/terraform/openstack/modules/compute/main.tf
index 05026ed0b2f9846df0355eb1805c859a4047d1c4..273d73f38e003a80a72d5a05f01399ac490d73de 100644
--- a/contrib/terraform/openstack/modules/compute/main.tf
+++ b/contrib/terraform/openstack/modules/compute/main.tf
@@ -3,72 +3,62 @@ resource "openstack_compute_keypair_v2" "k8s" {
   public_key = "${chomp(file(var.public_key_path))}"
 }
 
-resource "openstack_compute_secgroup_v2" "k8s_master" {
+resource "openstack_networking_secgroup_v2" "k8s_master" {
   name        = "${var.cluster_name}-k8s-master"
   description = "${var.cluster_name} - Kubernetes Master"
+}
 
-  rule {
-    ip_protocol = "tcp"
-    from_port   = "6443"
-    to_port     = "6443"
-    cidr        = "0.0.0.0/0"
-  }
+resource "openstack_networking_secgroup_rule_v2" "k8s_master" {
+  direction = "ingress"
+  ethertype = "IPv4"
+  protocol = "tcp"
+  port_range_min = "6443"
+  port_range_max = "6443"
+  remote_ip_prefix = "0.0.0.0/0"
+  security_group_id = "${openstack_networking_secgroup_v2.k8s_master.id}"
 }
 
-resource "openstack_compute_secgroup_v2" "bastion" {
+resource "openstack_networking_secgroup_v2" "bastion" {
   name        = "${var.cluster_name}-bastion"
   description = "${var.cluster_name} - Bastion Server"
+}
 
-  rule {
-    ip_protocol = "tcp"
-    from_port   = "22"
-    to_port     = "22"
-    cidr        = "0.0.0.0/0"
-  }
+resource "openstack_networking_secgroup_rule_v2" "bastion" {
+  count = "${length(var.bastion_allowed_remote_ips)}"
+  direction = "ingress"
+  ethertype = "IPv4"
+  protocol = "tcp"
+  port_range_min = "22"
+  port_range_max = "22"
+  remote_ip_prefix = "${var.bastion_allowed_remote_ips[count.index]}"
+  security_group_id = "${openstack_networking_secgroup_v2.bastion.id}"
 }
 
-resource "openstack_compute_secgroup_v2" "k8s" {
+resource "openstack_networking_secgroup_v2" "k8s" {
   name        = "${var.cluster_name}-k8s"
   description = "${var.cluster_name} - Kubernetes"
+}
 
-  rule {
-    ip_protocol = "icmp"
-    from_port   = "-1"
-    to_port     = "-1"
-    cidr        = "0.0.0.0/0"
-  }
-
-  rule {
-    ip_protocol = "tcp"
-    from_port   = "1"
-    to_port     = "65535"
-    self        = true
-  }
-
-  rule {
-    ip_protocol = "udp"
-    from_port   = "1"
-    to_port     = "65535"
-    self        = true
-  }
-
-  rule {
-    ip_protocol = "icmp"
-    from_port   = "-1"
-    to_port     = "-1"
-    self        = true
-  }
+resource "openstack_networking_secgroup_rule_v2" "k8s" {
+  direction = "ingress"
+  ethertype = "IPv4"
+  remote_group_id = "${openstack_networking_secgroup_v2.k8s.id}"
+  security_group_id = "${openstack_networking_secgroup_v2.k8s.id}"
 }
-resource "openstack_compute_secgroup_v2" "worker" {
+
+resource "openstack_networking_secgroup_v2" "worker" {
   name        = "${var.cluster_name}-k8s-worker"
   description = "${var.cluster_name} - Kubernetes worker nodes"
+}
 
-  rule {
-    ip_protocol = "tcp"
-    from_port   = "30000"
-    to_port     = "32767"
-    cidr        = "0.0.0.0/0"
-  }
+resource "openstack_networking_secgroup_rule_v2" "worker" {
+  direction = "ingress"
+  ethertype = "IPv4"
+  protocol = "tcp"
+  port_range_min = "30000"
+  port_range_max = "32767"
+  remote_ip_prefix = "0.0.0.0/0"
+  security_group_id = "${openstack_networking_secgroup_v2.worker.id}"
 }
 
 resource "openstack_compute_instance_v2" "bastion" {
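Review bot: The new `openstack_networking_secgroup_rule_v2.k8s` rule sets no `protocol`, so it admits every IPv4 protocol between group members, and the old ICMP rule for `0.0.0.0/0` is removed without mention. Both go beyond a resource-type migration and deserve a comment on the rule, e.g. `# All IPv4 traffic between cluster members; no explicit ICMP rule for external sources any more`. In the same hunk the `k8s_master` (6443) and `worker` (30000-32767) rules keep `remote_ip_prefix = "0.0.0.0/0"` hard-coded while only SSH became configurable, so the API server and the NodePort range stay reachable from any source. Consider exposing those two prefixes as list variables in the same way as `bastion_allowed_remote_ips`.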
@@ -82,8 +72,8 @@ resource "openstack_compute_instance_v2" "bastion" {
     name = "${var.network_name}"
   }
 
-  security_groups = ["${openstack_compute_secgroup_v2.k8s.name}",
-    "${openstack_compute_secgroup_v2.bastion.name}",
+  security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
+    "${openstack_networking_secgroup_v2.bastion.name}",
     "default",
   ]
 
@@ -111,9 +101,9 @@ resource "openstack_compute_instance_v2" "k8s_master" {
     name = "${var.network_name}"
   }
 
-  security_groups = ["${openstack_compute_secgroup_v2.k8s_master.name}",
-    "${openstack_compute_secgroup_v2.bastion.name}",
-    "${openstack_compute_secgroup_v2.k8s.name}",
+  security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
+    "${openstack_networking_secgroup_v2.bastion.name}",
+    "${openstack_networking_secgroup_v2.k8s.name}",
     "default",
   ]
 
@@ -141,9 +131,9 @@ resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
     name = "${var.network_name}"
   }
 
-  security_groups = ["${openstack_compute_secgroup_v2.k8s_master.name}",
-    "${openstack_compute_secgroup_v2.bastion.name}",
-    "${openstack_compute_secgroup_v2.k8s.name}",
+  security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
+    "${openstack_networking_secgroup_v2.bastion.name}",
+    "${openstack_networking_secgroup_v2.k8s.name}",
   ]
 
   metadata = {
@@ -170,7 +160,7 @@ resource "openstack_compute_instance_v2" "etcd" {
     name = "${var.network_name}"
   }
 
-  security_groups = ["${openstack_compute_secgroup_v2.k8s.name}"]
+  security_groups = ["${openstack_networking_secgroup_v2.k8s.name}"]
 
   metadata = {
     ssh_user         = "${var.ssh_user}"
@@ -192,8 +182,8 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip" {
     name = "${var.network_name}"
   }
 
-  security_groups = ["${openstack_compute_secgroup_v2.k8s_master.name}",
-    "${openstack_compute_secgroup_v2.k8s.name}",
+  security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
+    "${openstack_networking_secgroup_v2.k8s.name}",
     "default",
   ]
 
@@ -217,8 +207,8 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip_no_etcd" {
     name = "${var.network_name}"
   }
 
-  security_groups = ["${openstack_compute_secgroup_v2.k8s_master.name}",
-    "${openstack_compute_secgroup_v2.k8s.name}",
+  security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
+    "${openstack_networking_secgroup_v2.k8s.name}",
   ]
 
   metadata = {
@@ -241,9 +231,9 @@ resource "openstack_compute_instance_v2" "k8s_node" {
     name = "${var.network_name}"
   }
 
-  security_groups = ["${openstack_compute_secgroup_v2.k8s.name}",
-    "${openstack_compute_secgroup_v2.bastion.name}",
-    "${openstack_compute_secgroup_v2.worker.name}",
+  security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
+    "${openstack_networking_secgroup_v2.bastion.name}",
+    "${openstack_networking_secgroup_v2.worker.name}",
     "default",
   ]
 
@@ -271,8 +261,8 @@ resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip" {
     name = "${var.network_name}"
   }
 
-  security_groups = ["${openstack_compute_secgroup_v2.k8s.name}",
-    "${openstack_compute_secgroup_v2.worker.name}",
+  security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
+    "${openstack_networking_secgroup_v2.worker.name}",
     "default",
   ]
 
@@ -321,7 +311,7 @@ resource "openstack_compute_instance_v2" "glusterfs_node_no_floating_ip" {
     name = "${var.network_name}"
   }
 
-  security_groups = ["${openstack_compute_secgroup_v2.k8s.name}",
+  security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
     "default",
   ]
 
diff --git a/contrib/terraform/openstack/modules/compute/variables.tf b/contrib/terraform/openstack/modules/compute/variables.tf
index 50a6e496cb8718cae3e0f1db0a763a3d797cfd0f..6258a4fabb01b01d6f8c09bcd3b9c029cfb0476d 100644
--- a/contrib/terraform/openstack/modules/compute/variables.tf
+++ b/contrib/terraform/openstack/modules/compute/variables.tf
@@ -60,6 +60,10 @@ variable "bastion_fips" {
   type = "list"
 }
 
+variable "bastion_allowed_remote_ips" {
+  type = "list"
+}
+
 variable "supplementary_master_groups" {
   default = ""
 }
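Review bot: The module-level `bastion_allowed_remote_ips` declaration carries no `description`, unlike the root variable added in the same commit, so the module input does not explain what the list controls. Add `description = "CIDRs allowed to open SSH connections to instances in the bastion security group"` inside the block.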
diff --git a/contrib/terraform/openstack/sample-inventory/cluster.tf b/contrib/terraform/openstack/sample-inventory/cluster.tf
index a793bfaa598b13908755c53a3b7847221be6344b..89d6ff6d854449246a14d1aa4cb9b99ae2fabaab 100644
--- a/contrib/terraform/openstack/sample-inventory/cluster.tf
+++ b/contrib/terraform/openstack/sample-inventory/cluster.tf
@@ -43,4 +43,4 @@ network_name = "<network>"
 external_net = "<UUID>"
 subnet_cidr = "<cidr>"
 floatingip_pool = "<pool>"
-
+bastion_allowed_remote_ips = ["0.0.0.0/0"]
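Review bot: The sample inventory sets `bastion_allowed_remote_ips` to `["0.0.0.0/0"]`, and sample values are commonly deployed unchanged, which leaves port 22 open to any source. Put a comment above the line, `# CIDRs allowed to SSH in; replace 0.0.0.0/0 with your admin network(s)`, so that keeping the wide-open value is a visible decision rather than an inherited one.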
diff --git a/contrib/terraform/openstack/variables.tf b/contrib/terraform/openstack/variables.tf
index dc4ddae90560a5424e77c80505db6dda380351bd..ddaf00b536388ee609a489027b119e657bdb45aa 100644
--- a/contrib/terraform/openstack/variables.tf
+++ b/contrib/terraform/openstack/variables.tf
@@ -133,3 +133,9 @@ variable "supplementary_node_groups" {
   description = "supplementary kubespray ansible groups for worker nodes, such as kube-ingress"
   default = ""
 }
+
+variable "bastion_allowed_remote_ips" {
+  description = "An array of CIDRs allowed to SSH to hosts"
+  type = "list"
+  default = ["0.0.0.0/0"]
+}
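Review bot: The description `An array of CIDRs allowed to SSH to hosts` does not say which hosts. In `modules/compute/main.tf` the bastion security group is attached to `k8s_master`, `k8s_master_no_etcd` and `k8s_node` as well as the bastion, so this list also governs direct SSH to those instances. It also omits that an empty list makes `count` zero on the bastion rule, so no SSH ingress rule is created by this group at all. Suggest `description = "CIDRs allowed to reach port 22 on every instance in the bastion security group (bastion, masters and nodes that carry the group); an empty list creates no SSH rule"`. The default of `["0.0.0.0/0"]` preserves the previous behaviour but keeps SSH open to any source unless the operator overrides it.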