author | Tomas Sedovic <tomas@sedovic.cz> | 2017-06-02 13:28:00 +0200 |
---|---|---|
committer | Tomas Sedovic <tomas@sedovic.cz> | 2017-06-15 12:34:41 +0200 |
commit | a7300e6b7ace3098aa05794d4ac2f9e5a4cef64a (patch) | |
tree | 13ba3e1c20f959df6dd3daa2b41a6416bce45c99 /roles/openstack-stack | |
parent | 0858a645a4ec808d0309b8522f55cef23792fce9 (diff) | |
Always let the openshift nodes access the DNS
When `node_ingress_cidr` is used to limit the IP range for the DNS server, this
can prevent the actual openshift nodes from accessing it as well.
This commit makes the access from the `openstack_subnet_prefix` always
pass through and uses `node_ingress_cidr` for additional
access control.
Diffstat (limited to 'roles/openstack-stack')
-rw-r--r-- | roles/openstack-stack/templates/heat_stack.yaml.j2 | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/roles/openstack-stack/templates/heat_stack.yaml.j2 b/roles/openstack-stack/templates/heat_stack.yaml.j2 index 09b62cba7..c10b1d90f 100644 --- a/roles/openstack-stack/templates/heat_stack.yaml.j2 +++ b/roles/openstack-stack/templates/heat_stack.yaml.j2 @@ -289,6 +289,11 @@ resources: port_range_min: 30000 port_range_max: 32767 remote_ip_prefix: {{ node_ingress_cidr }} + - direction: ingress + protocol: tcp + port_range_min: 30000 + port_range_max: 32767 + remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24" infra-secgrp: type: OS::Neutron::SecurityGroup @@ -338,10 +343,20 @@ resources: port_range_max: 53 remote_ip_prefix: {{ node_ingress_cidr }} - direction: ingress + protocol: udp + port_range_min: 53 + port_range_max: 53 + remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24" + - direction: ingress protocol: tcp port_range_min: 53 port_range_max: 53 remote_ip_prefix: {{ node_ingress_cidr }} + - direction: ingress + protocol: tcp + port_range_min: 53 + port_range_max: 53 + remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24" {% if num_masters is greaterthan 1 %} lb-secgrp: type: OS::Neutron::SecurityGroup |
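Review bot: The first hunk (the `port_range_min: 30000` / `port_range_max: 32767` rule added under the node security group) is not covered by the commit message, which only talks about DNS access; either mention in the message that the NodePort range is also opened to the whole `openstack_subnet_prefix` network, or split that rule into its own commit so the DNS fix stays reviewable on its own. The new rule also hardcodes the mask by appending `.0/24` to `openstack_subnet_prefix`, so it silently assumes the variable is exactly the first three octets of a /24; a comment next to the variable's definition, or a dedicated `openstack_subnet_cidr` variable, would make that contract explicit.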
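Review bot: In the second hunk the two added DNS rules (udp and tcp, `port_range_min: 53` / `port_range_max: 53`) quote the new prefix as `"{{ openstack_subnet_prefix }}.0/24"` while the neighbouring existing rules leave `remote_ip_prefix: {{ node_ingress_cidr }}` unquoted; pick one style for the template, preferably quoting both, since a CIDR rendered unquoted relies on YAML treating it as a plain scalar. Note also that with these rules the `node_ingress_cidr` rules become redundant whenever that variable is left at a value covering the subnet; that is harmless, but worth a sentence in the role documentation so operators understand `node_ingress_cidr` now only grants additional access rather than being the sole control.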