diff --git a/contrib/terraform/openstack/README.md b/contrib/terraform/openstack/README.md
index 0f3875bce883e6590c16cfcedc94e92336135273..bab1cd2648bf75eac8705a3c6e66302cba3d2d59 100644
--- a/contrib/terraform/openstack/README.md
+++ b/contrib/terraform/openstack/README.md
@@ -242,6 +242,7 @@ For your cluster, edit `inventory/$CLUSTER/cluster.tf`.
 |`supplementary_master_groups` | To add ansible groups to the masters, such as `kube-node` for tainting them as nodes, empty by default. |
 |`supplementary_node_groups` | To add ansible groups to the nodes, such as `kube-ingress` for running ingress controller pods, empty by default. |
 |`bastion_allowed_remote_ips` | List of CIDR allowed to initiate a SSH connection, `["0.0.0.0/0"]` by default |
+|`worker_allowed_ports` | List of ports to open on worker nodes, `[{ "protocol" = "tcp", "port_range_min" = 30000, "port_range_max" = 32767, "remote_ip_prefix" = "0.0.0.0/0"}]` by default |
 
 #### Terraform state files
 
diff --git a/contrib/terraform/openstack/kubespray.tf b/contrib/terraform/openstack/kubespray.tf
index f2df92a5694238ce6bd3d7ac9714cc4909c14653..8ee77f5318bd4de6c1e4e59ecbe02b5a64a6cd11 100644
--- a/contrib/terraform/openstack/kubespray.tf
+++ b/contrib/terraform/openstack/kubespray.tf
@@ -54,6 +54,7 @@ module "compute" {
   bastion_allowed_remote_ips                   = "${var.bastion_allowed_remote_ips}"
   supplementary_master_groups                  = "${var.supplementary_master_groups}"
   supplementary_node_groups                    = "${var.supplementary_node_groups}"
+  worker_allowed_ports                         = "${var.worker_allowed_ports}"
 
   network_id = "${module.network.router_id}"
 }
diff --git a/contrib/terraform/openstack/modules/compute/main.tf b/contrib/terraform/openstack/modules/compute/main.tf
index 273d73f38e003a80a72d5a05f01399ac490d73de..72c0bea8be7e91d585ee33a887a3896452898a95 100644
--- a/contrib/terraform/openstack/modules/compute/main.tf
+++ b/contrib/terraform/openstack/modules/compute/main.tf
@@ -52,12 +52,13 @@ resource "openstack_networking_secgroup_v2" "worker" {
 }
 
 resource "openstack_networking_secgroup_rule_v2" "worker" {
+  count = "${length(var.worker_allowed_ports)}"
   direction = "ingress"
   ethertype = "IPv4"
-  protocol = "tcp"
-  port_range_min = "30000"
-  port_range_max = "32767"
-  remote_ip_prefix = "0.0.0.0/0"
+  protocol = "${lookup(var.worker_allowed_ports[count.index], "protocol", "tcp")}"
+  port_range_min = "${lookup(var.worker_allowed_ports[count.index], "port_range_min")}"
+  port_range_max = "${lookup(var.worker_allowed_ports[count.index], "port_range_max")}"
+  remote_ip_prefix = "${lookup(var.worker_allowed_ports[count.index], "remote_ip_prefix", "0.0.0.0/0")}"
   security_group_id = "${openstack_networking_secgroup_v2.worker.id}"
 }
 
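Review bot: The `remote_ip_prefix` lookup falls back to `"0.0.0.0/0"` when an entry omits the key, so a rule that gives only a protocol and a port range is silently opened to every source address. Dropping the fallback should turn that omission into a plan-time error, the same way a missing `port_range_min` or `port_range_max` already fails: `remote_ip_prefix = "${lookup(var.worker_allowed_ports[count.index], "remote_ip_prefix")}"`. Because the rules are addressed by `count.index`, removing an entry other than the last one probably shifts the remaining indexes and causes those rules to be replaced on apply; a short comment above `count` would warn operators about that.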
diff --git a/contrib/terraform/openstack/modules/compute/variables.tf b/contrib/terraform/openstack/modules/compute/variables.tf
index 713e878ab6eb8e48abf6f50b7de8291f13f5f7e3..7c004fdc435aa906bbb967e9db9decfab9340f0c 100644
--- a/contrib/terraform/openstack/modules/compute/variables.tf
+++ b/contrib/terraform/openstack/modules/compute/variables.tf
@@ -73,3 +73,7 @@ variable "supplementary_master_groups" {
 variable "supplementary_node_groups" {
   default = ""
 }
+
+variable "worker_allowed_ports" {
+  type = "list"
+}
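Review bot: `worker_allowed_ports` is declared without a `description`, here and in the root `contrib/terraform/openstack/variables.tf`, so the expected map keys can only be learned from the README or from the lookups in `modules/compute/main.tf`. Adding `description = "List of maps with protocol, port_range_min, port_range_max and remote_ip_prefix; one worker ingress rule per entry"` to both declarations would document the shape where it is defined.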
diff --git a/contrib/terraform/openstack/variables.tf b/contrib/terraform/openstack/variables.tf
index cce00549d77e14a2fd07e7b9307e4b9a7cb7541c..c3758cf923cd54b5187a175f158f927c3ee40313 100644
--- a/contrib/terraform/openstack/variables.tf
+++ b/contrib/terraform/openstack/variables.tf
@@ -144,3 +144,15 @@ variable "bastion_allowed_remote_ips" {
   type = "list"
   default = ["0.0.0.0/0"]
 }
+
+variable "worker_allowed_ports" {
+  type = "list"
+  default = [
+    {
+      "protocol" = "tcp"
+      "port_range_min" = 30000
+      "port_range_max" = 32767
+      "remote_ip_prefix" = "0.0.0.0/0"
+    }
+  ]
+}
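Review bot: The default for `worker_allowed_ports` keeps the whole NodePort range 30000-32767 reachable from `0.0.0.0/0`, which preserves the previous hard-coded rule but leaves every NodePort service on the workers exposed to any source unless the operator overrides it. Now that the value is configurable, a comment above the default would make the exposure explicit, for example `# Default opens all NodePorts to any source; set remote_ip_prefix to your load balancer or trusted CIDRs.` The neighbouring `bastion_allowed_remote_ips` default has the same shape, so the same wording would fit there, but that variable is outside this change.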