From 1cf76a10db24231371caceb427338e51ed87f5ef Mon Sep 17 00:00:00 2001
From: Maxime Guyot <Miouge1@users.noreply.github.com>
Date: Wed, 17 Apr 2019 11:10:03 +0200
Subject: [PATCH] Disable usage of default security group (#4533)

---
 contrib/terraform/openstack/kubespray.tf      |  1 +
 .../openstack/modules/compute/main.tf         | 40 ++++++++++---------
 .../openstack/modules/compute/variables.tf    |  4 ++
 contrib/terraform/openstack/variables.tf      |  6 +++
 4 files changed, 33 insertions(+), 18 deletions(-)

diff --git a/contrib/terraform/openstack/kubespray.tf b/contrib/terraform/openstack/kubespray.tf
index 93693e3cb..ac10c4f26 100644
--- a/contrib/terraform/openstack/kubespray.tf
+++ b/contrib/terraform/openstack/kubespray.tf
@@ -53,6 +53,7 @@ module "compute" {
   bastion_fips                                 = "${module.ips.bastion_fips}"
   bastion_allowed_remote_ips                   = "${var.bastion_allowed_remote_ips}"
   k8s_allowed_remote_ips                       = "${var.k8s_allowed_remote_ips}"
+  k8s_allowed_egress_ips                       = "${var.k8s_allowed_egress_ips}"
   supplementary_master_groups                  = "${var.supplementary_master_groups}"
   supplementary_node_groups                    = "${var.supplementary_node_groups}"
   worker_allowed_ports                         = "${var.worker_allowed_ports}"
diff --git a/contrib/terraform/openstack/modules/compute/main.tf b/contrib/terraform/openstack/modules/compute/main.tf
index fa2d76c5a..4bfb0c23c 100644
--- a/contrib/terraform/openstack/modules/compute/main.tf
+++ b/contrib/terraform/openstack/modules/compute/main.tf
@@ -4,8 +4,9 @@ resource "openstack_compute_keypair_v2" "k8s" {
 }
 
 resource "openstack_networking_secgroup_v2" "k8s_master" {
-  name        = "${var.cluster_name}-k8s-master"
-  description = "${var.cluster_name} - Kubernetes Master"
+  name                 = "${var.cluster_name}-k8s-master"
+  description          = "${var.cluster_name} - Kubernetes Master"
+  delete_default_rules = true
 }
 
 resource "openstack_networking_secgroup_rule_v2" "k8s_master" {
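Review bot: `delete_default_rules = true` removes the provider's default egress rules for both IPv4 and IPv6, but the only egress rule this patch restores (the `egress` resource in the `@@ -58,9 +61,18` hunk) has `ethertype = "IPv4"`, so nodes with an IPv6 address lose all outbound IPv6 traffic; the same applies to the `bastion`, `k8s` and `worker` groups in the three following hunks. Every instance in the later hunks still attaches the `k8s` group, so IPv4 egress is covered there, and an equivalent IPv6 rule on `k8s` closes the gap (if IPv6 egress should be restricted like IPv4, it needs its own prefix list rather than `::/0`). Presumably anything that relied on the old `default` group's intra-group ingress (other tenant instances in `default` reaching the nodes) now needs an explicit rule too; worth a sentence in the commit description.
```terraform
# … unchanged: k8s_master / bastion / k8s secgroups and rules …
resource "openstack_networking_secgroup_rule_v2" "egress_ipv6" {
  direction         = "egress"
  ethertype         = "IPv6"
  remote_ip_prefix  = "::/0"
  security_group_id = "${openstack_networking_secgroup_v2.k8s.id}"
}
```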
@@ -19,9 +20,10 @@ resource "openstack_networking_secgroup_rule_v2" "k8s_master" {
 }
 
 resource "openstack_networking_secgroup_v2" "bastion" {
-  name        = "${var.cluster_name}-bastion"
-  count       = "${var.number_of_bastions ? 1 : 0}"
-  description = "${var.cluster_name} - Bastion Server"
+  name                 = "${var.cluster_name}-bastion"
+  count                = "${var.number_of_bastions ? 1 : 0}"
+  description          = "${var.cluster_name} - Bastion Server"
+  delete_default_rules = true
 }
 
 resource "openstack_networking_secgroup_rule_v2" "bastion" {
@@ -36,8 +38,9 @@ resource "openstack_networking_secgroup_rule_v2" "bastion" {
 }
 
 resource "openstack_networking_secgroup_v2" "k8s" {
-  name        = "${var.cluster_name}-k8s"
-  description = "${var.cluster_name} - Kubernetes"
+  name                 = "${var.cluster_name}-k8s"
+  description          = "${var.cluster_name} - Kubernetes"
+  delete_default_rules = true
 }
 
 resource "openstack_networking_secgroup_rule_v2" "k8s" {
@@ -58,9 +61,18 @@ resource "openstack_networking_secgroup_rule_v2" "k8s_allowed_remote_ips" {
   security_group_id = "${openstack_networking_secgroup_v2.k8s.id}"
 }
 
+resource "openstack_networking_secgroup_rule_v2" "egress" {
+  count             = "${length(var.k8s_allowed_egress_ips)}"
+  direction         = "egress"
+  ethertype         = "IPv4"
+  remote_ip_prefix  = "${var.k8s_allowed_egress_ips[count.index]}"
+  security_group_id = "${openstack_networking_secgroup_v2.k8s.id}"
+}
+
 resource "openstack_networking_secgroup_v2" "worker" {
-  name        = "${var.cluster_name}-k8s-worker"
-  description = "${var.cluster_name} - Kubernetes worker nodes"
+  name                 = "${var.cluster_name}-k8s-worker"
+  description          = "${var.cluster_name} - Kubernetes worker nodes"
+  delete_default_rules = true
 }
 
 resource "openstack_networking_secgroup_rule_v2" "worker" {
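Review bot: The new `egress` resource is the only outbound rule left on the `k8s` group once the default rules are deleted, so `count = length(var.k8s_allowed_egress_ips)` silently produces a cluster with no outbound IPv4 traffic at all when the list is empty, and the module-level variable has no default to fall back on. That failure mode (no image pulls, no package installs) is not obvious from the rule itself, and the rule also carries no `protocol` or port range, so each prefix allows all protocols and ports. A header comment would make both explicit: `# Sole egress rule on the k8s group (default rules are deleted above): an empty list means no outbound IPv4 traffic; each prefix allows all protocols and ports.`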
@@ -87,7 +99,6 @@ resource "openstack_compute_instance_v2" "bastion" {
 
   security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
     "${openstack_networking_secgroup_v2.bastion.name}",
-    "default",
   ]
 
   metadata = {
@@ -115,7 +126,6 @@ resource "openstack_compute_instance_v2" "k8s_master" {
 
   security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
     "${openstack_networking_secgroup_v2.k8s.name}",
-    "default",
   ]
 
   metadata = {
@@ -143,7 +153,6 @@ resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
 
   security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
     "${openstack_networking_secgroup_v2.k8s.name}",
-    "default",
   ]
 
   metadata = {
@@ -192,7 +201,6 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip" {
 
   security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
     "${openstack_networking_secgroup_v2.k8s.name}",
-    "default",
   ]
 
   metadata = {
@@ -239,7 +247,6 @@ resource "openstack_compute_instance_v2" "k8s_node" {
 
   security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
     "${openstack_networking_secgroup_v2.worker.name}",
-    "default",
   ]
 
   metadata = {
@@ -267,7 +274,6 @@ resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip" {
 
   security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
     "${openstack_networking_secgroup_v2.worker.name}",
-    "default",
   ]
 
   metadata = {
@@ -314,9 +320,7 @@ resource "openstack_compute_instance_v2" "glusterfs_node_no_floating_ip" {
     name = "${var.network_name}"
   }
 
-  security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
-    "default",
-  ]
+  security_groups = ["${openstack_networking_secgroup_v2.k8s.name}"]
 
   metadata = {
     ssh_user         = "${var.ssh_user_gfs}"
diff --git a/contrib/terraform/openstack/modules/compute/variables.tf b/contrib/terraform/openstack/modules/compute/variables.tf
index 75b5e5e6d..73d657e6d 100644
--- a/contrib/terraform/openstack/modules/compute/variables.tf
+++ b/contrib/terraform/openstack/modules/compute/variables.tf
@@ -70,6 +70,10 @@ variable "k8s_allowed_remote_ips" {
   type = "list"
 }
 
+variable "k8s_allowed_egress_ips" {
+  type = "list"
+}
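Review bot: The module variable `k8s_allowed_egress_ips` is added without a `description`, unlike its root-level counterpart in `contrib/terraform/openstack/variables.tf`, so a reader of the module sees only `type = "list"`. Since the consuming rule in `modules/compute/main.tf` is `ethertype = "IPv4"`, the description should say so: `description = "IPv4 CIDRs allowed for egress traffic from all nodes (all protocols and ports)"`.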
+
 variable "supplementary_master_groups" {
   default = ""
 }
diff --git a/contrib/terraform/openstack/variables.tf b/contrib/terraform/openstack/variables.tf
index 8d53b9b44..911755d9e 100644
--- a/contrib/terraform/openstack/variables.tf
+++ b/contrib/terraform/openstack/variables.tf
@@ -151,6 +151,12 @@ variable "k8s_allowed_remote_ips" {
   default     = []
 }
 
+variable "k8s_allowed_egress_ips" {
+  description = "An array of CIDRs allowed for egress traffic"
+  type        = "list"
+  default     = ["0.0.0.0/0"]
+}
+
 variable "worker_allowed_ports" {
   type = "list"
 
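Review bot: The description "An array of CIDRs allowed for egress traffic" does not say that the rule built from it in `modules/compute/main.tf` is IPv4-only and unrestricted by protocol or port, so an IPv6 prefix placed here would not produce a working rule. Suggest `description = "IPv4 CIDRs allowed for egress traffic from all nodes (all protocols and ports); an empty list blocks all outbound IPv4 traffic"` so the wide default of `["0.0.0.0/0"]` and the cost of narrowing it are both visible at the variable.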
-- 
GitLab