diff --git a/contrib/terraform/openstack/kubespray.tf b/contrib/terraform/openstack/kubespray.tf
index 15dafa7f5af5e04aef647234bd4d48ccbe91dd5b..daf21900fb9a17713c1a517df1d50894d0a5e758 100644
--- a/contrib/terraform/openstack/kubespray.tf
+++ b/contrib/terraform/openstack/kubespray.tf
@@ -74,6 +74,7 @@ module "compute" {
   k8s_allowed_egress_ips                       = var.k8s_allowed_egress_ips
   supplementary_master_groups                  = var.supplementary_master_groups
   supplementary_node_groups                    = var.supplementary_node_groups
+  master_allowed_ports                         = var.master_allowed_ports
   worker_allowed_ports                         = var.worker_allowed_ports
   wait_for_floatingip                          = var.wait_for_floatingip
   use_access_ip                                = var.use_access_ip
diff --git a/contrib/terraform/openstack/modules/compute/main.tf b/contrib/terraform/openstack/modules/compute/main.tf
index e91316c43bc08bb7b286293776ebacc63103ee09..5ef4b6c6bc212f283bba6f796b3fb1ab387b2bd2 100644
--- a/contrib/terraform/openstack/modules/compute/main.tf
+++ b/contrib/terraform/openstack/modules/compute/main.tf
@@ -28,6 +28,17 @@ resource "openstack_networking_secgroup_rule_v2" "k8s_master" {
   security_group_id = openstack_networking_secgroup_v2.k8s_master.id
 }
 
+resource "openstack_networking_secgroup_rule_v2" "k8s_master_ports" {
+  count             = length(var.master_allowed_ports)
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = lookup(var.master_allowed_ports[count.index], "protocol", "tcp")
+  port_range_min    = lookup(var.master_allowed_ports[count.index], "port_range_min")
+  port_range_max    = lookup(var.master_allowed_ports[count.index], "port_range_max")
+  remote_ip_prefix  = lookup(var.master_allowed_ports[count.index], "remote_ip_prefix", "0.0.0.0/0")
+  security_group_id = openstack_networking_secgroup_v2.k8s_master.id
+}
+
 resource "openstack_networking_secgroup_v2" "bastion" {
   name                 = "${var.cluster_name}-bastion"
   count                = var.number_of_bastions != "" ? 1 : 0
diff --git a/contrib/terraform/openstack/modules/compute/variables.tf b/contrib/terraform/openstack/modules/compute/variables.tf
index 1a16a3c4a259a626d0226ba6d6762fb0fe0d61df..11bb5f5634abf55b7849cfde922f2bc31f7f7122 100644
--- a/contrib/terraform/openstack/modules/compute/variables.tf
+++ b/contrib/terraform/openstack/modules/compute/variables.tf
@@ -114,6 +114,10 @@ variable "supplementary_node_groups" {
   default = ""
 }
 
+variable "master_allowed_ports" {
+  type = list
+}
+
 variable "worker_allowed_ports" {
   type = list
 }
diff --git a/contrib/terraform/openstack/variables.tf b/contrib/terraform/openstack/variables.tf
index c6c28f6728bcd0edecfbff6d903dfc9b1e510ff6..04b7e5ab8e27b91dab7ef74fd54d78e63723041f 100644
--- a/contrib/terraform/openstack/variables.tf
+++ b/contrib/terraform/openstack/variables.tf
@@ -204,6 +204,12 @@ variable "k8s_allowed_egress_ips" {
   default     = ["0.0.0.0/0"]
 }
 
+variable "master_allowed_ports" {
+  type = list
+
+  default = []
+}
+
 variable "worker_allowed_ports" {
   type = list