summaryrefslogtreecommitdiffstats
path: root/playbooks/openstack/openshift-cluster/files
diff options
context:
space:
mode:
authorLénaïc Huard <lhuard@amadeus.com>2016-08-19 14:45:16 +0200
committerLénaïc Huard <lhuard@amadeus.com>2016-08-19 14:55:13 +0200
commit9ad145998702ecb8651df73d06dc99bdd2343b57 (patch)
tree84827115ca9a008cd2340bf8eb0e2db6a903676c /playbooks/openstack/openshift-cluster/files
parenta96a9b713bb15146fa15f2535731c4ac83cc7bd5 (diff)
downloadopenshift-9ad145998702ecb8651df73d06dc99bdd2343b57.tar.gz
openshift-9ad145998702ecb8651df73d06dc99bdd2343b57.tar.bz2
openshift-9ad145998702ecb8651df73d06dc99bdd2343b57.tar.xz
openshift-9ad145998702ecb8651df73d06dc99bdd2343b57.zip
Open OpenStack security group for the service node port range
With OpenShift 3.2, creating a service accessible from the outside of the cluster thanks to `nodePort` automatically opens the “local” `iptables` firewall to allow incoming connection on the `nodePort` of the service. In order to benefit from this improvement, the OpenStack security group shouldn’t block those incoming connections. This change opens, on the OS nodes, the port range dedicated to service node ports.
Diffstat (limited to 'playbooks/openstack/openshift-cluster/files')
-rw-r--r--playbooks/openstack/openshift-cluster/files/heat_stack.yaml11
1 files changed, 11 insertions, 0 deletions
diff --git a/playbooks/openstack/openshift-cluster/files/heat_stack.yaml b/playbooks/openstack/openshift-cluster/files/heat_stack.yaml
index 2d0098784..458cf5ac7 100644
--- a/playbooks/openstack/openshift-cluster/files/heat_stack.yaml
+++ b/playbooks/openstack/openshift-cluster/files/heat_stack.yaml
@@ -42,6 +42,12 @@ parameters:
description: Source of legitimate ssh connections
default: 0.0.0.0/0
+ node_port_incoming:
+ type: string
+ label: Source of node port connections
+ description: Authorized sources targetting node ports
+ default: 0.0.0.0/0
+
num_etcd:
type: number
label: Number of etcd nodes
@@ -393,6 +399,11 @@ resources:
port_range_min: 4789
port_range_max: 4789
remote_mode: remote_group_id
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 30000
+ port_range_max: 32767
+ remote_ip_prefix: { get_param: node_port_incoming }
infra-secgrp:
type: OS::Neutron::SecurityGroup