diff --git a/contrib/terraform/openstack/kubespray.tf b/contrib/terraform/openstack/kubespray.tf
index f4aa24d5a219ddc55a0dc52613a03030d7dd1318..90aad989c608e58494a629aa0215e35ac06b71c7 100644
--- a/contrib/terraform/openstack/kubespray.tf
+++ b/contrib/terraform/openstack/kubespray.tf
@@ -80,6 +80,8 @@ module "compute" {
   wait_for_floatingip                          = var.wait_for_floatingip
   use_access_ip                                = var.use_access_ip
   use_server_groups                            = var.use_server_groups
+  extra_sec_groups                             = var.extra_sec_groups
+  extra_sec_groups_name                        = var.extra_sec_groups_name
 
   network_id = module.network.router_id
 }
diff --git a/contrib/terraform/openstack/modules/compute/main.tf b/contrib/terraform/openstack/modules/compute/main.tf
index 5ef4b6c6bc212f283bba6f796b3fb1ab387b2bd2..6b469ad045a1f00be444086ba0f9380931972acc 100644
--- a/contrib/terraform/openstack/modules/compute/main.tf
+++ b/contrib/terraform/openstack/modules/compute/main.tf
@@ -17,6 +17,13 @@ resource "openstack_networking_secgroup_v2" "k8s_master" {
   delete_default_rules = true
 }
 
+resource "openstack_networking_secgroup_v2" "k8s_master_extra" {
+  count                = "%{if var.extra_sec_groups}1%{else}0%{endif}"
+  name                 = "${var.cluster_name}-k8s-master-${var.extra_sec_groups_name}"
+  description          = "${var.cluster_name} - Kubernetes Master nodes - rules not managed by terraform"
+  delete_default_rules = true
+}
+
 resource "openstack_networking_secgroup_rule_v2" "k8s_master" {
   count             = length(var.master_allowed_remote_ips)
   direction         = "ingress"
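Review bot: The `count` on `k8s_master_extra` is built from a string template and relies on implicit string-to-number conversion; the idiomatic form is `count = var.extra_sec_groups ? 1 : 0`, and the same applies to `worker_extra` in the next hunk. Separately, the description says the rules are not managed by terraform, and `delete_default_rules = true` means the group starts empty, so whatever is added to it out-of-band will presumably not show up in plan output or code review. A comment above both resources should say so, for example `# Rules in this group are maintained outside Terraform; audit them separately.`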
@@ -95,6 +102,13 @@ resource "openstack_networking_secgroup_v2" "worker" {
   delete_default_rules = true
 }
 
+resource "openstack_networking_secgroup_v2" "worker_extra" {
+  count                = "%{if var.extra_sec_groups}1%{else}0%{endif}"
+  name                 = "${var.cluster_name}-k8s-worker-${var.extra_sec_groups_name}"
+  description          = "${var.cluster_name} - Kubernetes worker nodes - rules not managed by terraform"
+  delete_default_rules = true
+}
+
 resource "openstack_networking_secgroup_rule_v2" "worker" {
   count             = length(var.worker_allowed_ports)
   direction         = "ingress"
@@ -124,6 +138,21 @@ resource "openstack_compute_servergroup_v2" "k8s_etcd" {
   policies = ["anti-affinity"]
 }
 
+locals {
+# master groups
+  master_sec_groups = compact([
+    openstack_networking_secgroup_v2.k8s_master.name,
+    openstack_networking_secgroup_v2.k8s.name,
+    var.extra_sec_groups ?openstack_networking_secgroup_v2.k8s_master_extra[0].name : "",
+  ])
+# worker groups
+  worker_sec_groups = compact([
+    openstack_networking_secgroup_v2.k8s.name,
+    openstack_networking_secgroup_v2.worker.name,
+    var.extra_sec_groups ? openstack_networking_secgroup_v2.k8s_master_extra[0].name : "",
+  ])
+}
+
 resource "openstack_compute_instance_v2" "bastion" {
   name       = "${var.cluster_name}-bastion-${count.index + 1}"
   count      = var.number_of_bastions
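Review bot: `worker_sec_groups` attaches `openstack_networking_secgroup_v2.k8s_master_extra[0].name` rather than the worker group, so with `extra_sec_groups` enabled every worker instance joins the masters' extra group, and the `worker_extra` group created earlier in this file is never attached to anything. Any ingress rule an operator adds by hand for the control plane would then apply to the workers as well, which defeats the per-role separation the two resources suggest. The entry should read `var.extra_sec_groups ? openstack_networking_secgroup_v2.worker_extra[0].name : "",`. As a minor style point, the master entry is missing the space after `?`.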
@@ -189,9 +218,7 @@ resource "openstack_compute_instance_v2" "k8s_master" {
     name = var.network_name
   }
 
-  security_groups = [openstack_networking_secgroup_v2.k8s_master.name,
-    openstack_networking_secgroup_v2.k8s.name,
-  ]
+  security_groups = local.master_sec_groups
 
   dynamic "scheduler_hints" {
     for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_master[0]] : []
@@ -238,9 +265,7 @@ resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
     name = var.network_name
   }
 
-  security_groups = [openstack_networking_secgroup_v2.k8s_master.name,
-    openstack_networking_secgroup_v2.k8s.name,
-  ]
+  security_groups = local.master_sec_groups
 
   dynamic "scheduler_hints" {
     for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_master[0]] : []
@@ -327,9 +352,7 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip" {
     name = var.network_name
   }
 
-  security_groups = [openstack_networking_secgroup_v2.k8s_master.name,
-    openstack_networking_secgroup_v2.k8s.name,
-  ]
+  security_groups = local.master_sec_groups
 
   dynamic "scheduler_hints" {
     for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_master[0]] : []
@@ -371,9 +394,7 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip_no_etcd" {
     name = var.network_name
   }
 
-  security_groups = [openstack_networking_secgroup_v2.k8s_master.name,
-    openstack_networking_secgroup_v2.k8s.name,
-  ]
+  security_groups = local.master_sec_groups
 
   dynamic "scheduler_hints" {
     for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_master[0]] : []
@@ -414,9 +435,7 @@ resource "openstack_compute_instance_v2" "k8s_node" {
     name = var.network_name
   }
 
-  security_groups = [openstack_networking_secgroup_v2.k8s.name,
-    openstack_networking_secgroup_v2.worker.name,
-  ]
+  security_groups = local.worker_sec_groups
 
   dynamic "scheduler_hints" {
     for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_node[0]] : []
@@ -461,9 +480,7 @@ resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip" {
     name = var.network_name
   }
 
-  security_groups = [openstack_networking_secgroup_v2.k8s.name,
-    openstack_networking_secgroup_v2.worker.name,
-  ]
+  security_groups = local.worker_sec_groups
 
   dynamic "scheduler_hints" {
     for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_node[0]] : []
@@ -504,9 +521,7 @@ resource "openstack_compute_instance_v2" "k8s_nodes" {
     name = var.network_name
   }
 
-  security_groups = [openstack_networking_secgroup_v2.k8s.name,
-    openstack_networking_secgroup_v2.worker.name,
-  ]
+  security_groups = local.worker_sec_groups
 
   dynamic "scheduler_hints" {
     for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_node[0]] : []
diff --git a/contrib/terraform/openstack/modules/compute/variables.tf b/contrib/terraform/openstack/modules/compute/variables.tf
index 11bb5f5634abf55b7849cfde922f2bc31f7f7122..99f266b093fe746854a6ddc363597d5ff06b3a8e 100644
--- a/contrib/terraform/openstack/modules/compute/variables.tf
+++ b/contrib/terraform/openstack/modules/compute/variables.tf
@@ -127,3 +127,11 @@ variable "use_access_ip" {}
 variable "use_server_groups" {
   type = bool
 }
+
+variable "extra_sec_groups" {
+  type = bool
+}
+
+variable "extra_sec_groups_name" {
+  type = string
+}
\ No newline at end of file
diff --git a/contrib/terraform/openstack/variables.tf b/contrib/terraform/openstack/variables.tf
index d161e89478cc8ebe720fe2fd5ad425775469d77e..5b49b29428180205748f226b4802fb02e66d4c1d 100644
--- a/contrib/terraform/openstack/variables.tf
+++ b/contrib/terraform/openstack/variables.tf
@@ -246,3 +246,10 @@ variable "k8s_nodes" {
   default = {}
 }
 
+variable "extra_sec_groups" {
+  default = false
+}
+
+variable "extra_sec_groups_name" {
+  default = "custom"
+}
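Review bot: Both root variables are declared without `type` or `description`, while the module-level declarations in `modules/compute/variables.tf` do carry `type = bool` and `type = string`. Adding the same types here makes a mistyped value fail at the root rather than at the module boundary. A description matters for this toggle in particular, because it creates security groups whose rules live outside Terraform; something like `description = "Create an extra security group per node role whose rules are managed outside Terraform"` on `extra_sec_groups`, and a note on `extra_sec_groups_name` that it is used as the suffix of the group name.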