summaryrefslogtreecommitdiffstats
path: root/roles/openstack-stack
diff options
context:
space:
mode:
authorTomas Sedovic <tomas@sedovic.cz>2017-06-02 13:28:00 +0200
committerTomas Sedovic <tomas@sedovic.cz>2017-06-15 12:34:41 +0200
commita7300e6b7ace3098aa05794d4ac2f9e5a4cef64a (patch)
tree13ba3e1c20f959df6dd3daa2b41a6416bce45c99 /roles/openstack-stack
parent0858a645a4ec808d0309b8522f55cef23792fce9 (diff)
downloadopenshift-a7300e6b7ace3098aa05794d4ac2f9e5a4cef64a.tar.gz
openshift-a7300e6b7ace3098aa05794d4ac2f9e5a4cef64a.tar.bz2
openshift-a7300e6b7ace3098aa05794d4ac2f9e5a4cef64a.tar.xz
openshift-a7300e6b7ace3098aa05794d4ac2f9e5a4cef64a.zip
Always let the openshift nodes access the DNS
When `node_ingress_cidr` to limit the IP range for the DNS server, this can prevent the actual openshift nodes from accessing it as well. This commit makes the access from the `openstack_subnet_prefix` always pass through and uses `node_ingress_cidr` for additional access control.
Diffstat (limited to 'roles/openstack-stack')
-rw-r--r--roles/openstack-stack/templates/heat_stack.yaml.j215
1 files changed, 15 insertions, 0 deletions
diff --git a/roles/openstack-stack/templates/heat_stack.yaml.j2 b/roles/openstack-stack/templates/heat_stack.yaml.j2
index 09b62cba7..c10b1d90f 100644
--- a/roles/openstack-stack/templates/heat_stack.yaml.j2
+++ b/roles/openstack-stack/templates/heat_stack.yaml.j2
@@ -289,6 +289,11 @@ resources:
port_range_min: 30000
port_range_max: 32767
remote_ip_prefix: {{ node_ingress_cidr }}
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 30000
+ port_range_max: 32767
+ remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24"
infra-secgrp:
type: OS::Neutron::SecurityGroup
@@ -338,10 +343,20 @@ resources:
port_range_max: 53
remote_ip_prefix: {{ node_ingress_cidr }}
- direction: ingress
+ protocol: udp
+ port_range_min: 53
+ port_range_max: 53
+ remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24"
+ - direction: ingress
protocol: tcp
port_range_min: 53
port_range_max: 53
remote_ip_prefix: {{ node_ingress_cidr }}
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 53
+ port_range_max: 53
+ remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24"
{% if num_masters is greaterthan 1 %}
lb-secgrp:
type: OS::Neutron::SecurityGroup