diff --git a/contrib/terraform/openstack/kubespray.tf b/contrib/terraform/openstack/kubespray.tf
index 93693e3cba075feec812f4f88e52da7a75e48704..ac10c4f26cf7a94291c7c026fc24ca57ef48efdb 100644
--- a/contrib/terraform/openstack/kubespray.tf
+++ b/contrib/terraform/openstack/kubespray.tf
@@ -53,6 +53,7 @@ module "compute" {
bastion_fips = "${module.ips.bastion_fips}"
bastion_allowed_remote_ips = "${var.bastion_allowed_remote_ips}"
k8s_allowed_remote_ips = "${var.k8s_allowed_remote_ips}"
+ k8s_allowed_egress_ips = "${var.k8s_allowed_egress_ips}"
supplementary_master_groups = "${var.supplementary_master_groups}"
supplementary_node_groups = "${var.supplementary_node_groups}"
worker_allowed_ports = "${var.worker_allowed_ports}"
diff --git a/contrib/terraform/openstack/modules/compute/main.tf b/contrib/terraform/openstack/modules/compute/main.tf
index fa2d76c5a5c704781ab99819b314503f3797992c..4bfb0c23c0015b83c07db9697ad8d6a960267980 100644
--- a/contrib/terraform/openstack/modules/compute/main.tf
+++ b/contrib/terraform/openstack/modules/compute/main.tf
@@ -4,8 +4,9 @@ resource "openstack_compute_keypair_v2" "k8s" {
}
resource "openstack_networking_secgroup_v2" "k8s_master" {
- name = "${var.cluster_name}-k8s-master"
- description = "${var.cluster_name} - Kubernetes Master"
+ name = "${var.cluster_name}-k8s-master"
+ description = "${var.cluster_name} - Kubernetes Master"
+ delete_default_rules = true
}
resource "openstack_networking_secgroup_rule_v2" "k8s_master" {
@@ -19,9 +20,10 @@ resource "openstack_networking_secgroup_rule_v2" "k8s_master" {
}
resource "openstack_networking_secgroup_v2" "bastion" {
- name = "${var.cluster_name}-bastion"
- count = "${var.number_of_bastions ? 1 : 0}"
- description = "${var.cluster_name} - Bastion Server"
+ name = "${var.cluster_name}-bastion"
+ count = "${var.number_of_bastions ? 1 : 0}"
+ description = "${var.cluster_name} - Bastion Server"
+ delete_default_rules = true
}
resource "openstack_networking_secgroup_rule_v2" "bastion" {
@@ -36,8 +38,9 @@ resource "openstack_networking_secgroup_rule_v2" "bastion" {
}
resource "openstack_networking_secgroup_v2" "k8s" {
- name = "${var.cluster_name}-k8s"
- description = "${var.cluster_name} - Kubernetes"
+ name = "${var.cluster_name}-k8s"
+ description = "${var.cluster_name} - Kubernetes"
+ delete_default_rules = true
}
resource "openstack_networking_secgroup_rule_v2" "k8s" {
@@ -58,9 +61,18 @@ resource "openstack_networking_secgroup_rule_v2" "k8s_allowed_remote_ips" {
security_group_id = "${openstack_networking_secgroup_v2.k8s.id}"
}
+resource "openstack_networking_secgroup_rule_v2" "egress" {
+ count = "${length(var.k8s_allowed_egress_ips)}"
+ direction = "egress"
+ ethertype = "IPv4"
+ remote_ip_prefix = "${var.k8s_allowed_egress_ips[count.index]}"
+ security_group_id = "${openstack_networking_secgroup_v2.k8s.id}"
+}
+
resource "openstack_networking_secgroup_v2" "worker" {
- name = "${var.cluster_name}-k8s-worker"
- description = "${var.cluster_name} - Kubernetes worker nodes"
+ name = "${var.cluster_name}-k8s-worker"
+ description = "${var.cluster_name} - Kubernetes worker nodes"
+ delete_default_rules = true
}
resource "openstack_networking_secgroup_rule_v2" "worker" {
@@ -87,7 +99,6 @@ resource "openstack_compute_instance_v2" "bastion" {
security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
"${openstack_networking_secgroup_v2.bastion.name}",
- "default",
]
metadata = {
@@ -115,7 +126,6 @@ resource "openstack_compute_instance_v2" "k8s_master" {
security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
"${openstack_networking_secgroup_v2.k8s.name}",
- "default",
]
metadata = {
@@ -143,7 +153,6 @@ resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
"${openstack_networking_secgroup_v2.k8s.name}",
- "default",
]
metadata = {
@@ -192,7 +201,6 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip" {
security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
"${openstack_networking_secgroup_v2.k8s.name}",
- "default",
]
metadata = {
@@ -239,7 +247,6 @@ resource "openstack_compute_instance_v2" "k8s_node" {
security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
"${openstack_networking_secgroup_v2.worker.name}",
- "default",
]
metadata = {
@@ -267,7 +274,6 @@ resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip" {
security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
"${openstack_networking_secgroup_v2.worker.name}",
- "default",
]
metadata = {
@@ -314,9 +320,7 @@ resource "openstack_compute_instance_v2" "glusterfs_node_no_floating_ip" {
name = "${var.network_name}"
}
- security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
- "default",
- ]
+ security_groups = ["${openstack_networking_secgroup_v2.k8s.name}"]
metadata = {
ssh_user = "${var.ssh_user_gfs}"
diff --git a/contrib/terraform/openstack/modules/compute/variables.tf b/contrib/terraform/openstack/modules/compute/variables.tf
index 75b5e5e6d79f3276752c7de88cf6f20a75d452a0..73d657e6d833900b107c7b252bca56f5f0a70db4 100644
--- a/contrib/terraform/openstack/modules/compute/variables.tf
+++ b/contrib/terraform/openstack/modules/compute/variables.tf
@@ -70,6 +70,10 @@ variable "k8s_allowed_remote_ips" {
type = "list"
}
+variable "k8s_allowed_egress_ips" {
+ type = "list"
+}
+
variable "supplementary_master_groups" {
default = ""
}
diff --git a/contrib/terraform/openstack/variables.tf b/contrib/terraform/openstack/variables.tf
index 8d53b9b4416d6beab45b9b606cd10d871d3c3fae..911755d9e53b19c6ac81bb2af8f7a5fe5e453f70 100644
--- a/contrib/terraform/openstack/variables.tf
+++ b/contrib/terraform/openstack/variables.tf
@@ -151,6 +151,12 @@ variable "k8s_allowed_remote_ips" {
default = []
}
+variable "k8s_allowed_egress_ips" {
+ description = "An array of CIDRs allowed for egress traffic"
+ type = "list"
+ default = ["0.0.0.0/0"]
+}
+
variable "worker_allowed_ports" {
type = "list"